
EAP-TTLS-PAP support for RADIUS
Open, Normal | Public | FEATURE REQUEST

Description

The current RADIUS implementation in VyOS only supports PAP, which uses a combination of techniques to hash the user's password. Unfortunately this relies on (among other outdated techniques) MD5, a hashing algorithm that is now quite weak.

As long as the RADIUS server you're authenticating from is "internal" (or connected via secure tunnels) this doesn't present a problem. However, if you want to centralize authentication for devices out in the field, this presents a problem.

Some reading materials on the subject are available at:
https://www.untruth.org/~josh/security/radius/radius-auth.html
http://lms.uni-mb.si/~meolic/ptk-seminarske/radius.pdf

I'd recommend implementing EAP-TTLS-PAP and making it a configuration option under the "set system login radius-server" option set. An easy way to test compatibility is to use the FoxPass service (www.foxpass.com); they offer a free trial.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
Viacheslav edited projects, added VyOS 1.5 Circinus; removed VyOS 1.3 Equuleus (1.3.6).
Viacheslav added subscribers: UnicronNL, Viacheslav.

@amcmillen Do you have any examples of how to deploy it on Linux / Debian, etc.?
Without live examples, we'll mark it as won't fix and the task will be closed.