[RADIATOR] Password/certificate security seems next to none on Radiator server

A.L.M.Buxey at lboro.ac.uk
Thu Oct 1 13:54:32 CDT 2015


Hi,

> These passwords are the ones I think should be protected, since they are usually long-term and sensitive. Migrating every NAS to Active Directory defeats the separation of system administration from network administration: each time a new NAS has to be configured, you would have a system admin create it for you under the correct OU, and he would be the one to manage it in the future. If you want to have an AAA server for network admins only, you'd have to keep the passwords in cleartext.

..so...you're talking about the shared secret password?  how people deploy their RADIUS server is down
to them - but in most cases it's the network team that runs the RADIUS server (from what I've seen) with
the system admin looking after the OS.... as for 'defeating the separation' - hello?  it's 2015 - we're all
supposed to be working together and avoiding living in silos...all unified and not a tribal thing
(indeed, virtualisation systems such as VMware and Hyper-V are defeating you too - the system admins
now look after their network....)

> Assuming you kept all NAS credentials on the server (unencrypted), you would in fact be giving any user with local admin on the server permission to access credentials which shouldn't concern them. I'd imagine in this day and age that big companies would want something like that mitigated.

Don't let people onto the system who shouldn't be on there. The people going on there know the shared secret
anyway.

> I'm interested in hearing if other users feel that these security measures are a worthy enhancement for future versions. At the very least it would help to be less dependent on existing system architecture for securing credentials.

If other servers didn't do the same thing, I would think RADIATOR was wrong.  But FreeRADIUS and radsecproxy
both do too.  They expect the admin to be running secure servers (maybe ones not used for ANY other purpose
as a minimum).

alan
