[RADIATOR] Password/certificate security seems next to none on Radiator server

Sami Keski-Kasari samikk at open.com.au
Thu Oct 1 14:49:16 CDT 2015


Hello Nadav,

On 10/01/2015 08:52 PM, Nadav Hod wrote:

> And keep in mind that not just private keys need to be kept secure.
> To authenticate phones with EAP-TLS I needed the Cisco call manager's
> CA to be stored locally on Radiator. The certificate was self-signed
> and not exportable without a Cisco admin account. If anyone else were
> to have access to that certificate they could impersonate my server.
> Same goes for any other supplicant with a CA which isn't made public.

In public key cryptography only the private key needs to be kept secure.
For example, a certificate is a public key that you can give to anyone in
order to verify you.

The CA signs certificates with its private key, and the CA certificate is
used to validate the certificates the CA has signed.
So it is not possible to impersonate your server with the CA certificate.
The CA's private key is needed to do that.

Best Regards,
 Sami

-- 
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
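The point of the reply above, demonstrated with the openssl command line. This is an added example, not code from the Radiator list thread or from Radiator itself; it only assumes a reasonably current openssl binary (1.1.1 or 3.x) and mktemp, and the names demo-ca and radius.example.test are constructed for the demo. It builds a throwaway CA and a server certificate signed by it, then shows what a party holding only the CA certificate can do (verify that the server certificate chains to the CA) and cannot do (issue a new certificate for the server's name, or get a self-signed certificate bearing that name accepted by anyone who trusts the CA certificate).

```shell
#!/bin/sh
# Added example, not code from the Radiator thread or from Radiator itself.
# It shows with the openssl CLI why a CA *certificate* (public) cannot be
# used to impersonate a server, while the CA *private key* can: ca.crt only
# verifies signatures made with ca.key, it cannot produce them.
# The names demo-ca and radius.example.test are constructed for the demo.
set -eu

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Build a throwaway CA and a RADIUS server certificate signed by it in $1.
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    write_config "$dir"
    # CA: ca.key is the secret that signs; ca.crt is the public part that verifies.
    openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -subj "/CN=demo-ca" -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Server: its own key pair plus a CSR, which the CA signs with ca.key.
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.crt" >/dev/null 2>&1
}

# What anyone holding only ca.crt can do: check that server.crt chains to the CA.
# Prints "ok" or "fail".
verify_with_ca_cert() {
    if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Attempt 1 at impersonation: sign a new certificate for the server name using
# ca.crt but no ca.key. openssl then looks for the private key inside the -CA
# file; a certificate carries only the public key, so signing is refused.
# Prints "issued" or "refused".
try_issue_without_ca_key() {
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$1/rogue.key" -out "$1/rogue.csr" >/dev/null 2>&1
    if openssl x509 -req -in "$1/rogue.csr" -CA "$1/ca.crt" \
        -CAcreateserial -days 1 -out "$1/rogue-signed.crt" >/dev/null 2>&1; then
        echo issued
    else
        echo refused
    fi
}

# Attempt 2: self-sign a certificate that merely claims the server's name.
# A supplicant that trusts ca.crt rejects it, because it is not signed by ca.key.
# Prints "ok" or "fail" for the verification against ca.crt.
verify_forged_self_signed() {
    openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" -days 1 \
        -keyout "$1/forged.key" -out "$1/forged.crt" >/dev/null 2>&1
    if openssl verify -CAfile "$1/ca.crt" "$1/forged.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

demo() {
    d=$(mktemp -d)
    build_pki "$d"
    echo "server.crt verified with ca.crt only: $(verify_with_ca_cert "$d")"
    echo "issue new cert with ca.crt but no ca.key: $(try_issue_without_ca_key "$d")"
    echo "self-signed forgery verified against ca.crt: $(verify_forged_self_signed "$d")"
    rm -rf "$d"
}

demo
```

Run it as a script and the three lines print ok, refused and fail. The practical consequence for the setup described in the thread is that what must stay out of reach is the call manager CA's private key and the RADIUS server's own private key; the CA certificate copied onto Radiator is the same public artifact every phone already holds in its trust store.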

