Cable Modem [really more about PPPoE]
Fletcher E Kittredge
fkittred at gwi.net
Tue Jun 26 13:38:38 UTC 2001
On Mon, 25 Jun 2001 17:09:24 -0500 Chris Parker wrote:
> >2) To balance this one special case advantage, radius auth has a
> > number of flaws:
> > i) it is an older protocol designed for a different model of
> > networking and thus is missing many features of DHCP. In
> > particular, clean mechanisms for setting an arbitrary number of
> > client configuration values.
>
> Removing radius-auth from PPPoE for a second, I would hazard that
> with the use of the defined radius VSA format, the number of client
> configuration values is not limited in practical applications.
You know, I started down that path once.
Good luck trying to get Microsoft and Apple to support radius VSA for
configuring clients. Can you imagine what Microsoft would do?
> > ii) public networks, it uses username/password authentication.
> > This is a flawed mechanism for auth. It is insecure[1] and
> > generates a fair amount of support traffic.
>
> You failed to include your [1] reference, so I'm not sure what you
> are refuting here. I would suggest that relying on username/password
> auth via CHAP is less susceptible to spoofing than a MAC address. I'm
> definitely open for other means of authenticating yourself on the
> network.
Sorry about that missing footnote.
[1] Radius is auth mechanism independent. There are probably more
than a dozen currently supported by one implementation or another.
However, for large, public access networks, the only one I know of in
use is username/password.
Username/password is weak authorization. If you don't agree, please
see "Secrets and Lies : Digital Security in a Networked World" by
Bruce Schneier, [John Wiley & Sons, August 2000 ; ISBN: 0471253111 ].
It is an accessible discussion of the issues by an expert.