EAP-TTLS-PAP support for RADIUS
Open, Normal · Public · FEATURE REQUEST

Description

The current RADIUS implementation in VyOS only supports PAP, which uses a combination of techniques to hash the user's password. Unfortunately this relies on (among other outdated techniques) MD5, a hashing algorithm that is now quite weak.

As long as the RADIUS server you're authenticating from is "internal" (or connected via secure tunnels) this doesn't present a problem. However, if you want to centralize authentication for devices out in the field, this presents a problem.

Some reading materials on the subject are available at:
https://www.untruth.org/~josh/security/radius/radius-auth.html
http://lms.uni-mb.si/~meolic/ptk-seminarske/radius.pdf

I'd recommend implementing EAP-TTLS-PAP and making it a configuration option under the "set system login radius-server" option set. An easy way to test compatibility is to use the FoxPass service (www.foxpass.com); they offer a free trial.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close

Event Timeline

syncer assigned this task to UnicronNL. Feb 5 2019, 2:22 PM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
pasik added a subscriber: pasik. Feb 5 2019, 7:43 PM
ekim added a subscriber: ekim. Jun 14 2019, 1:56 PM