Thanks for the feedback Sami,

1) Securing information via TPM is suitable for integrity and encryption should 
the HD or VM be removed from the organization, but not suitable for 
confidentiality within the organization. Whoever has admin access to the server 
will have access to all keys, credentials and passwords necessary for Radiator 
(if those entities exist on the server, of course). My understanding of the 
merits of TPM is that it solves different attack vectors than what I'm 
referring to. 

And keep in mind that not just private keys need to be kept secure. To 
authenticate phones with EAP-TLS I needed the Cisco call manager's CA to be 
stored locally on Radiator. The certificate was self-signed and not exportable 
without a cisco admin account. If anyone else were to have access to that 
certificate they could impersonate my server. Same goes for any other 
supplicant with a CA which isn't made public.

2) Hashing passwords explicitly is possible, but difficult to manage especially 
if users have to change their passwords periodically.  Regarding this 
particular case I think AuthBy  LDAP2 is good enough.

3) Radsec in general is a great solution if deployed (kudos to OSC for its 
invention), but I'm fairly sure most radius deployments for network devices are 
stuck with PAP. Besides, not all NASes support Radsec and I'm sure many would 
prefer PAP because it's easier to manage if you're using different credentials 
per device.
These passwords are the ones I think should be protected since they are usually 
long-term and sensitive. Migrating every NAS to Active Directory defeats the 
separation of system administration from network administration, each time a 
new NAS has to be configured you would have a system admin create it for you 
under the correct OU and he would be the one to manage it in the future. If you 
want to have a AAA server for network admins only, you'd have to keep the 
passwords in cleartext.

Assuming you kept all NAS credentials on the server (unencrypted), you would in 
fact be providing any user with local admin on the server permission to access 
credentials which shouldn't concern them. I'd imagine in this day and age that 
big companies would want something like that mitigated. 

I'm interested in hearing if other users feel that these security measures are 
a worthy enhancement for future versions. At the very least it would help to be 
less dependent on existing system architecture for securing credentials.

________________________________________
From: radiator-boun...@open.com.au [radiator-boun...@open.com.au] on behalf of 
Sami Keski-Kasari [sam...@open.com.au]
Sent: Thursday, October 01, 2015 7:21 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Password/certificate security seems next to none on 
Radiator server

Hello Nadav,

I don't want to control the discussion too much, but since this is
public list I think that I need to clarify couple of things.

1. Certificates are public information. They are sent in clear text over
network for example during EAP-TLS/TTLS/PEAP conversation. So you don't
need to protect them.

What you need to protect is the sever private key.

If you have defined password for private key it means that it is
encrypted. In order to use it, you need to provide the password in order
to decrypt the private key.
If you want that process can start automatically you need to have access
to the private key encryption password.
I agree with Nick that external chip is the only way to provide strong
protection for the private key.

2. Radiator support hashed and encrypted user passwords.
For example if you are authenticating users from file, you can have
there for example:
User-Password={SSHA512}<hash> or User-Password={PBKDF2}
please see more in section 13.1.2 in reference manual.

Hashed passwords does not work with all authentication methods. For
example MSCHAPv2 that is used with PEAP requires to have access to clear
text or nt-hash format of password.

3. NAS shared secrets

It is possible to include NAS clients to SQL or LDAP database and use
their encryption mechanisms to protect shared secrets. Again you need to
define encryption key somewhere if you want Radiator to run autonomously.

NAS shared secrets are not user passwords. If you are using plain PAP
authentication it is used to protect User-Password but the protection is
not very strong. When you are using EAP-TLS/TTLS/PEAP then the TLS
tunnel is protecting user credentials and it offers much better protection.

Radiator supports also RADSEC that moves RADIUS traffic over TLS tunnel
and then you will get good protection for messages and you don't need to
define shared secrets since certificates are used.

Best Regards,
 Sami

On 10/01/2015 04:36 PM, Nadav Hod wrote:
> Hi Nick,
>
> Specific hardware for securing files on your server shouldn't be necessary 
> for the use cases I'm suggesting. I've just integrated Radiator for the first 
> time and I was shocked that for each NAS I had to keep the password in 
> plaintext.
> Radiator is installed on servers worldwide whether physical or VM, I believe 
> that each of them (regardless of hardware) should be provided with at least 
> the same security as NPS which knows how to accept user passwords in 
> plaintext and then obfuscate them (whether encrypted, hashed or otherwise).
>
> A solution can be integrated via software, and my suggestions use perl and 
> openssl to secure sensitive information. Therefore only integration is 
> necessary without new environments.
> ________________________________________
> From: Nick Lowe [nick.l...@lugatech.com]
> Sent: Thursday, October 01, 2015 4:23 PM
> To: Nadav Hod
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] Password/certificate security seems next to none on 
> Radiator server
>
> If you wanted robust protection here, you would likely want to go down
> the route of a TPM or equivalent.
>
> Nick
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>


--
Sami Keski-Kasari <sam...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Reply via email to