North American Network Operators Group

Re: Cable Modem [really more about PPPoE]

On Mon, 25 Jun 2001 17:09:24 -0500 Chris Parker wrote:

> >2) To balance this one special case advantage, radius auth has a
> >   number of flaws:
> >   i) it is an older protocol designed for a different model of
> >      networking and thus is missing many features of DHCP. In
> >      particular, clean mechanisms for setting an arbitrary number of
> >      client configuration values.
>
> Removing radius-auth from PPPoE for a second, I would hazard that
> with the use of the defined radius VSA format, the number of client
> configuration values is not limited in practical applications.

You know, I started down that path once. Good luck trying to get Microsoft and Apple to support radius VSA for configuring clients. Can you imagine what Microsoft would do?

> >   ii) public networks, it uses username/password authentication.
> >       This is a flawed mechanism for auth. It is insecure[1] and
> >       generates a fair amount of support traffic.
>
> You failed to include your [1] reference, so I'm not sure what you
> are refuting here. I would suggest that relying on username/password
> auth via CHAP is less susceptible to spoofing than a MAC address. I'm
> definitely open for other means of authenticating yourself on the
> network.

Sorry about that missing footnote.

[1] Radius is auth mechanism independent. There are probably more than a dozen currently supported by one implementation or another. However, for large, public access networks, the only one I know of in use is username/password. Username/password is weak authorization. If you don't agree, please see "Secrets and Lies: Digital Security in a Networked World" by Bruce Schneier [John Wiley & Sons, August 2000; ISBN: 0471253111]. It is an accessible discussion of the issues by an expert.