[strongSwan] eap-radius
Dmitry Korzhevin
dmitry.korzhevin at stidia.com
Tue Nov 6 13:54:22 CET 2012
Thank you, Martin
I'm just searching for most secure way to store ipsec users credentials.
So, in worst case, if server is hacked, hacker cant see passwords in
cleartext.
06.11.2012 11:12, Martin Willi пишет:
> Hi Dimitry,
>
>> Please tell - if i will use strongswan + eap-radius + freeradius - all
>> user passwords will be stored encrypted in mysql database?
>
> This does not depend on strongSwan, but on your clients and your RADIUS
> installation. If you connect Windows 7 clients with EAP-MSCHAPv2, your
> RADIUS backend has to provide at least the NT hashes of your passwords.
> That's not really safe, and a non-reversible encryption is not possible
> with that protocol.
>
> If you use other clients, or even our xauth-eap bridge, it depends on
> the used EAP method. Our EAP-GTC for example exchanges passwords (in the
> safely encrypted tunnel) in the clear, hence you can apply any hashing
> function to verify them against your hashed database entries.
>
> Regards
> Martin
>
Best Regards,
Dmitry
---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhevin at stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4488 bytes
Desc: ���������������������������������� �������������� S/MIME
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121106/88435054/attachment.bin>
More information about the Users
mailing list