Hiya,
I was hoping to get people's opinions and experience with this.
We're in the process of configuring JRS for home users (visitor access
already works) and we know how to achieve it, but there have been some
comments regarding security.
A little background is necessary, unfortunately. We're using FreeRADIUS with
Novell eDirectory as the backend directory. To make PEAP work it means
configuring eDirectory with all sorts of Universal Password magic to make it
expose a plain text password to FreeRADIUS for comparison.
If someone gained access to the FreeRADIUS system then it's feasible they
could request/sniff user passwords in plain text. Our Directory team is
justifiably concerned and I'm wondering how to placate them. The
communication between RADIUS system and LDAP is an authenticated and
encrypted one and the RADIUS system will be protected in the usual ways
virtual Linux boxes would be. I see the risk as worthwhile compared to the
benefits. I don't need to explain added complexities of supporting TTLS on
this list.
They've asked me how other academic institutions do this; I've not had a
good answer.
So, do other people have this setup and thus the same issues? If not, how
does yours work? If so, how have you addressed the potential security issue?
I welcome answers in private, with confidentiality assured, if you don't
wish to air your security issues on an archived mailing list :-) Just
remember that this might be a 'reply-to-list' mailing list.
Thanks,
Mike
--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*