[RADIATOR] Radius and TACACS+ password obfuscation

Nadav Hod nadav.hod at comm-it.co.il
Thu Sep 22 04:53:32 CDT 2016


Thanks for the quick reply Heikki,

From the looks of things, this requires certain Linux primitives (for lack of a better term) such as rcrypt. This could just be a misunderstanding. Is there a supported solution for Windows Server deployments?

________________________________________
From: radiator-bounces at open.com.au [radiator-bounces at open.com.au] on behalf of Heikki Vatiainen [hvn at open.com.au]
Sent: Thursday, September 22, 2016 10:01 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] Radius and TACACS+ password obfuscation

On 21.9.2016 18.13, Nadav Hod wrote:

> I read this in the Radiator 4.17 release notes:
>
> "Added initial support for encrypting and obfuscating TACACS+ keys in
> the configuration file. This is similar to the recently added RADIUS
> client shared secret obfuscation. Client and ServerTACACSPLUS now
> support EncryptedTACACSPLUSKey and EncryptedKey, respectively. Examples
> in the tacacsplusserver.cfg sample configuration file."
>
> I haven't seen anything regarding radius shared secret obfuscation in
> the documentation. Can anyone give a short example of this?

See, for example,
https://www.open.com.au/radiator/ref/EncryptedSecret_Client.html#EncryptedSecret_Client

What's available now is support for encrypted secrets using a fixed
key. What will follow is a method to specify the encryption key so that it
does not need to be static but can be set, for example, when the process
starts up.

There are some Radiator users that require that this type of information
is not stored in clear text, as we discussed on this list earlier :),
and what we now have in Radiator is the foundation for this.

To summarise: Using a non-cleartext secret or TACACS+ key is now
possible but managing the encryption keys will be enhanced in future
releases.

Thanks,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.