Re: RADIUS/IAS Requests to Active Directory
- From: Jeremy Revitch <JeremyRevitch@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 2 Jan 2007 12:53:00 -0800
The RADIUS client device is a KVM over IP and the only thing I want to secure
is the transmission of the user credentials between the client and the IAS
server. The challenge is that the RADIUS client only supports PAP or CHAP
(not v2). Since using CHAP requires the use of reversibly encrypted passwords
across the domain I am less than inclined to do that.
From what I understand if I configure the RADIUS client device to use PAP
then the password is transmitted MD5/PAP which is fairly secure. Since all of
this is inside our firewall and on a private server VLAN I am just looking
for some level of security...
Can someone confirm that the passwords are transmitted MD5/PAP?
"James McIllece [MS]" wrote:
Jeremy Revitch
<JeremyRevitch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:7B83769F-16B2-483F-A58A-FF67BF3C5BCD@xxxxxxxxxxxxx:
The RADIUS device is configured to send requests PAP. The RADIUS
request to IAS is MD5/PAP since it is RADIUS at all right? I thought
the PAP/MD5 combination resulted in a higher level of security.
<snip>
Keep in mind that the RADIUS protocol is used only between RADIUS clients
and RADIUS servers/proxies.
In other words, the RADIUS protocol is *not* used between the access client
and the network access server/RADIUS client, so traffic between the two is
not protected by RADIUS.
The other poster is correct that authentication methods that use
certificates are the most secure. If you are deploying wireless, PEAP-MS-CHAP v2
is recommended, if VPN or 802.1x wired, EAP-TLS is recommended.
Here are some documentation resources for you if you are interested:
"Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
at
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
"Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows" at
http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&DisplayLang=en
"The Advantages of Protected Extensible Authentication Protocol (PEAP): A
Standard Approach to User Authentication for IEEE 802.11 Wireless Network
Access" at
http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en
"Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home
Office or Small Organization Networks" at
http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.