Re: [saag] RADIUS is deprecating MD5

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 01 April 2024 13:05 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Alan DeKok <aland@deployingradius.com>
CC: "saag@ietf.org" <saag@ietf.org>
Date: Mon, 01 Apr 2024 13:05:09 +0000
Message-ID: <ME0P300MB0713DE85687893610B7E6CBFEE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com> <ZgmPg0qgA9stSeUo@chardros.imrryr.org> <ME0P300MB07133F7BB2C11FA027143127EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <B57C85E4-D0A1-4E93-999B-12F712AA46E1@deployingradius.com> <ME0P300MB0713FE22A714258C5F2D95F6EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <B51C0F05-020C-486B-8DFC-3FC94D42A776@deployingradius.com>
In-Reply-To: <B51C0F05-020C-486B-8DFC-3FC94D42A776@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5w7d9Q7fNoGe03cwXNdPq5ozLBA>
Subject: Re: [saag] RADIUS is deprecating MD5
List-Id: Security Area Advisory Group <saag.ietf.org>

Alan DeKok <aland@deployingradius.com> writes:

>It *is* being used to control network access.  Unauthenticated devices can't
>get network access until the RADIUS client lets them onto the network.  i.e.
>switch, access point, VPN concentrator, etc.

The devices are already on the network; RADIUS isn't doing any access control,
or in fact anything at all as far as I can tell.  In fact at least one
"RADIUS" implementation I've seen used in this situation is nothing more than
some code to add the necessary wrappers on send and strip them on receive.
Same with the "EAP" implementation.  The only bit that has any effect is the
auth inside the TLS tunnel, and whether you get back an "OK" or "not-OK"
response to that.

Peter.
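The "wrappers on send, strip them on receive" view of RADIUS carrying EAP, written out as an added illustration for this thread. This is not code from the thread, from FreeRADIUS or from any implementation Peter or Alan describe: it frames a constructed EAP packet in EAP-Message attributes (RFC 3579), adds the HMAC-MD5 Message-Authenticator, adds the plain-MD5 Response Authenticator on the reply (RFC 2865), and checks both on receipt, which is the MD5 usage the subject line is about. The shared secret, identifier values and EAP payloads are constructed for the example.

```python
# Minimal RADIUS framing for EAP with the two MD5-based checks (added example, not
# from any real implementation). SECRET and the EAP packets below are constructed.
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

SECRET = b"example-shared-secret"            # constructed shared secret
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RFC 3579 attribute types
MAX_AVP_VALUE = 253                          # one-byte attribute length minus 2 header bytes


def encode_avps(eap_packet: bytes) -> bytes:
    """Wrap one EAP packet in as many EAP-Message attributes as needed, in order."""
    out = b""
    for i in range(0, len(eap_packet), MAX_AVP_VALUE):
        chunk = eap_packet[i:i + MAX_AVP_VALUE]
        out += bytes([EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return out


def build(code: int, ident: int, request_auth: bytes, avps: bytes, secret: bytes) -> bytes:
    """Frame avps as a RADIUS packet plus Message-Authenticator (HMAC-MD5, RFC 3579 3.2).

    request_auth is the 16-byte Request Authenticator: fresh random bytes for an
    Access-Request, the request's own value when building the response to it.
    """
    body = avps + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    if code == ACCESS_REQUEST:
        return header + request_auth + body
    # Responses carry a Response Authenticator (RFC 2865 3): plain MD5 over the
    # packet with the Request Authenticator in place, then the shared secret.
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify(packet: bytes, secret: bytes, request_auth: Optional[bytes] = None) -> Tuple[int, int, bytes]:
    """Check framing and both authenticators; return (code, ident, reassembled EAP packet)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    authenticator, avps = packet[4:20], packet[20:]
    if code != ACCESS_REQUEST and request_auth is None:
        raise ValueError("verifying a response needs the matching Request Authenticator")
    hmac_auth = authenticator if code == ACCESS_REQUEST else request_auth
    eap, mac_off, pos = b"", None, 0
    while pos < len(avps):
        if pos + 2 > len(avps):
            raise ValueError("truncated attribute header")
        t, l = avps[pos], avps[pos + 1]
        if l < 2 or pos + l > len(avps):
            raise ValueError("bad attribute length")
        if t == EAP_MESSAGE:
            eap += avps[pos + 2:pos + l]
        elif t == MESSAGE_AUTHENTICATOR:
            if l != 18 or mac_off is not None:
                raise ValueError("malformed Message-Authenticator")
            mac_off = pos + 2
        pos += l
    if mac_off is None:
        raise ValueError("EAP-Message without Message-Authenticator (RFC 3579 3.2)")
    zeroed = avps[:mac_off] + bytes(16) + avps[mac_off + 16:]
    expected = hmac.new(secret, packet[:4] + hmac_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, avps[mac_off:mac_off + 16]):
        raise ValueError("bad Message-Authenticator")
    if code != ACCESS_REQUEST:
        resp_auth = hashlib.md5(packet[:4] + request_auth + avps + secret).digest()
        if not hmac.compare_digest(resp_auth, authenticator):
            raise ValueError("bad Response Authenticator")
    return code, ident, eap


def round_trip() -> bool:
    """NAS wraps EAP-Response/Identity; server answers Access-Accept carrying EAP-Success."""
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # constructed: code 2, id 1, len 10, type 1
    req_auth = os.urandom(16)
    req = build(ACCESS_REQUEST, 7, req_auth, encode_avps(eap_identity), SECRET)
    code, ident, eap = verify(req, SECRET)
    eap_success = b"\x03\x01\x00\x04"            # EAP-Success: code 3, id 1, len 4
    resp = build(ACCESS_ACCEPT, ident, req_auth, encode_avps(eap_success), SECRET)
    rcode, _, reap = verify(resp, SECRET, request_auth=req_auth)
    return (code, eap, rcode, reap) == (ACCESS_REQUEST, eap_identity, ACCESS_ACCEPT, eap_success)


def tamper_detected() -> bool:
    """Flipping Access-Accept to Access-Reject in flight is caught by the HMAC."""
    req_auth = os.urandom(16)
    resp = build(ACCESS_ACCEPT, 7, req_auth, encode_avps(b"\x03\x01\x00\x04"), SECRET)
    forged = bytes([ACCESS_REJECT]) + resp[1:]
    try:
        verify(forged, SECRET, request_auth=req_auth)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("round trip ok:", round_trip(), "tamper detected:", tamper_detected())
```

Everything outside the EAP-Message attributes is the wrapper: a 20-byte header, a length field, and two authenticators keyed with the shared secret, both of which rest on MD5. The EAP payload itself passes through untouched, which is why the real decision is made by whatever runs inside the tunnel and the RADIUS layer only relays the resulting Accept or Reject.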