pyradius / pyrad

Python RADIUS Implementation
BSD 3-Clause "New" or "Revised" License

Question about PAP in Radius #188

Closed galynazholtkevych closed 12 months ago

galynazholtkevych commented 12 months ago

Hello,

I am quite new to RADIUS and I have recently been exploring how RADIUS and the pyrad library work with different authentication methods.

I have a question about PAP. According to the RFC PAP specification, the password is sent to the server in plain-text form. However, in many implementations, I have noticed that the password is encoded with md5 before being sent in the request.

I'm wondering if encoding the password in PAP with md5 is spec-compliant. I am asking here, because in the pyrad documentation I found an example of sending a packet with PAP auth_type (default) and an md5 encoded password, using the PwCrypt function (you can find the example here: https://pyrad.readthedocs.io/en/latest/#introduction).

To make an informed decision, I need answers to the following questions:

I also want to mention that if we use md5 for PAP, we may face challenges with authentication in FIPS (Federal Information Processing Standards) environments, since md5 is not FIPS-approved (but there are some use cases in which PAP could be used securely in the environment and this method could still be FIPS-approved). Based on my research, it appears that using md5 in RADIUS might make it non-compliant, as indicated by my findings on Google so far. If RADIUS is not FIPS-compliant, perhaps you know how this can be fixed as well, and does pyrad have plans to support RADSEC or something more secure than md5-based auth methods that could be FIPS-approved?

Thank you in advance.

galynazholtkevych commented 12 months ago

I've got the answers to my questions, so closing this thread for now.