Re: ISAKMP performance
> Another way to solve this is to realize that the NAS doesn't store
> the user authentication database locally either. The long term SA
> (spi+keys) can be stored in the radius/tacacs server. This is
> desirable, since the user may login to different NAS servers each
> day. Clearly, the keys need to be protected in transit. IPsec between
> the NAS and authentication server should provide that (or a physically
> secure wire may be appropriate).
I think it's been shown that RADIUS, in particular, isn't anywhere near
secure enough for this.
--
Jim Thompson / Smallworks, Inc. / jim@smallworks.com
512 338 0619 phone / 512 338 0625 fax
"Hiroshima '45, Chernobyl '86, Windows '95"