This seems like an obvious question, but I can't easily find a clear answer.

I'm setting up a FreeRADIUS server on my LAN just for curiosity's sake, but I want to know if the packets are encrypted at all by default, and, if so, how?

I know requests are sent with a shared secret that acts as a password. I would hope that even by default some form of encryption is applied to keep that safe over the wire.

Tim Morris
  • What is the application domain? If you are using RADIUS for 802.1X authentication (sometimes known as "Wi-Fi Enterprise"), the answer to the question would be very different. – Lekensteyn Aug 31 '19 at 20:57

1 Answer

RADIUS by itself provides no encryption of all traffic. It protects only a small part of the traffic, notably the passwords. To cite from Wikipedia: Radius - Security:

The RADIUS protocol transmits obfuscated passwords using a shared secret and the MD5 hashing algorithm. ... additional protection, such as IPsec tunnels or physically secured data-center networks, should be used ... the user's security credentials are the only part protected by RADIUS itself, ... The RadSec protocol claims to solve aforementioned security issues.

RadSec is supported by FreeRADIUS. But to actually use it you of course need to configure it with the necessary certificates (i.e. no "encrypted ... by default") and your (unknown) radius client must support RadSec too.

Steffen Ullrich
  • So a more accurate response would be that RADIUS as defined by RFC 2865 provides only confidentiality and integrity for certain attributes, but these deficiencies were addressed in enhancements to the protocol described in RFC 6614 and RFC 7360 allowing RADIUS to be transported using TCP/TLS and UDP/DTLS, providing confidentiality and integrity for the entire RADIUS packet contents. – Arran Cudbard-Bell Aug 31 '19 at 20:55