nanog mailing list archives

Re: Cable Modem [really more about PPPoE]


From: Fletcher E Kittredge <fkittred () gwi net>
Date: Tue, 26 Jun 2001 09:38:38 -0400


On Mon, 25 Jun 2001 17:09:24 -0500  Chris Parker wrote:
> > 2) To balance this one special case advantage, radius auth has a
> >    number of flaws:
> >    i) it is an older protocol designed for a different model of
> >       networking and thus is missing many features of DHCP.  In
> >       particular, clean mechanisms for setting an arbitrary number of
> >       client configuration values.
>
> Removing radius-auth from PPPoE for a second, I would hazard that
> with the use of the defined radius VSA format, the number of client
> configuration values is not limited in practical applications.

You know, I started down that path once.

Good luck trying to get Microsoft and Apple to support radius VSA for
configuring clients.  Can you imagine what Microsoft would do?

> >    ii) public networks, it uses username/password authentication.
> >       This is a flawed mechanism for auth.  It is insecure[1] and
> >       generates a fair amount of support traffic.
>
> You failed to include your [1] reference, so I'm not sure what you
> are refuting here.  I would suggest that relying on username/password
> auth via CHAP is less susceptible to spoofing than a MAC address.  I'm
> definitely open for other means of authenticating yourself on the
> network.

Sorry about that missing footnote.

[1] Radius is auth mechanism independent.  There are probably more
than a dozen currently supported by one implementation or another.
However, for large, public access networks, the only one I know of in
use is username/password.

Username/password is weak authorization.  If you don't agree, please
see "Secrets and Lies : Digital Security in a Networked World" by
Bruce Schneier, [John Wiley & Sons, August 2000 ; ISBN: 0471253111 ].
It is an accessible discussion of the issues by an expert.


