[RADIATOR] Radius and TACACS+ password obfuscation
Heikki Vatiainen
hvn at open.com.au
Thu Sep 22 02:01:09 CDT 2016
On 21.9.2016 18.13, Nadav Hod wrote:
> I read this in the Radiator 4.17 release notes:
>
> "Added initial support for encrypting and obfuscating TACACS+ keys in
> the configuration file. This is similar to the recently added RADIUS
> client shared secret obfuscation. Client and ServerTACACASPLUS now
> support EncryptedTACACSPLUSKey and EncryptedKey, respectively. Examples
> in the tacacsplusserver.cfg sample configuration file."
>
> I haven't seen anything regarding radius shared secret obfuscation in
> the documentation. Can anyone give a short example of this?
See, for example,
https://www.open.com.au/radiator/ref/EncryptedSecret_Client.html#EncryptedSecret_Client
What's available now is supported for encrypted secrets using a fixed
key. What will follow is method to specify the encryption key so that it
does not need to be static but can be set, for example, when the process
starts up.
There are some Radiator users that require that this type of information
is not stored in clear text, as we discussed on this list earlier :),
and what we now have in Radiator is the foundation for this.
To summarise: Using a non-cleartext secret or TACACSC+ key is now
possible but managing the encryption keys will be enhanced in the future
releases.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list