On Mon, 25 Jun 2001 17:09:24 -0500 Chris Parker wrote:
2) To balance this one special case advantage, radius auth has a number of flaws: i) it is an older protocol designed for a different model of networking and thus is missing many features of DHCP. In particular, clean mechanisms for setting an arbitrary number of client configuration values.
Removing radius-auth from PPPoE for a second, I would hazard that with the use of the defined radius VSA format, the number of client configuration values is not limited in practical applications.
You know, I started down that path once. Good luck trying to get Microsoft and Apple to support radius VSA for configuring clients. Can you imagine what Microsoft would do?
ii) public networks, it uses username/password authentication. This is a flawed mechanism for auth. It is insecure[1] and generates a fair amount of support traffic.
You failed to include your [1] reference, so I'm not sure what you are refuting here. I would suggest that relying on username/password auth via CHAP is less susceptible to spoofing than a MAC address. I'm definitely open for other means of authenticating yourself on the network.
Sorry about that missing footnote. [1] Radius is auth mechanism independent. There are probably more than a dozen currently supported by one implementation or another. However, for large, public access networks, the only one I know of in use is username/password. Username/password is weak authorization. If you don't agree, please see "Secrets and Lies: Digital Security in a Networked World" by Bruce Schneier [John Wiley & Sons, August 2000; ISBN: 0471253111]. It is an accessible discussion of the issues by an expert.