Implementing RADIUS with local Linux authentication
This example shows the simplest RADIUS configuration, where the UserID and Password values are all locally defined in a configuration file. This is not recommended for any production environment for several reasons, detailed as follows:
- The passwords are stored as clear-text strings, so in the event of a compromise, all RADIUS passwords can be collected by a malicious actor.
- The passwords are entered by the administrator rather than the user. This means that the key security concept of "non-repudiation" is lost—if an event is tied to such an account, the affected user can always say "the administrator also knows my password—it must have been them."
- Also related to the administrator-entered password—the user cannot change their password, which also means that in most cases, this RADIUS password will be different from other passwords that the user uses, making it more difficult...
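The first of these points is easy to check for. The following script is an added example, not code from the book or from the FreeRADIUS project: it parses a file written in the FreeRADIUS `users` file syntax (entry name and check items on one line, indented reply items below), reports every account whose secret is stored as a clear-text check item (`Cleartext-Password`, or the legacy `User-Password` form), and shows what the same entry looks like with a salted hash instead. The sample file is constructed for the example, and the `SSHA2-256-Password` encoding (base64 of the SHA-256 digest followed by the salt) is an assumption about what `rlm_pap` expects, so confirm it against the version you run.

```python
"""Audit a FreeRADIUS-style ``users`` file for clear-text credentials.

Added example, not code from the book or from FreeRADIUS. Assumes the
``users`` file syntax and the attribute names Cleartext-Password /
User-Password (clear text) and SSHA2-256-Password (salted hash).
"""
import base64
import hashlib
import os
import re

# Constructed sample users file; no real credentials or deployment.
SAMPLE_USERS = """\
# Local RADIUS accounts (constructed sample)
alice    Cleartext-Password := "Password123"
         Reply-Message := "Hello, %{User-Name}"
bob      Auth-Type := Reject
carol    User-Password == "legacy-syntax", Service-Type := Framed-User
dave     SSHA2-256-Password := "placeholder-hash-value"
DEFAULT  Auth-Type := Reject
"""

# Check-item attributes that keep the secret in clear text on disk.
CLEARTEXT_ATTRS = {"Cleartext-Password", "User-Password"}

# One check item: attribute, operator, value (double-quoted or bare).
ITEM_RE = re.compile(
    r'(?P<attr>[A-Za-z0-9-]+)\s*(?P<op>:=|\+=|==|!=|>=|<=|=~|!~|=\*|!\*|=)\s*'
    r'(?P<val>"[^"]*"|[^,\s]+)'
)


def parse_users(text):
    """Return [(name, [(attr, op, value), ...])] for each top-level entry.

    Indented continuation lines carry reply items and are skipped: the
    credential check items sit on the entry's first line only.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or full-line comment
        if raw[0].isspace():
            continue  # reply-item line, not a new entry
        parts = raw.split(None, 1)
        name = parts[0]
        checks = parts[1] if len(parts) > 1 else ""
        items = [(m["attr"], m["op"], m["val"].strip('"'))
                 for m in ITEM_RE.finditer(checks)]
        entries.append((name, items))
    return entries


def find_cleartext(text):
    """Return (name, attribute) pairs whose secret is stored in clear text."""
    findings = []
    for name, items in parse_users(text):
        for attr, _op, _val in items:
            if attr in CLEARTEXT_ATTRS:
                findings.append((name, attr))
    return findings


def ssha2_256(password, salt=None):
    """Salted SHA-256 in the form assumed here for SSHA2-256-Password:
    base64(sha256(password || salt) || salt). Assumption about rlm_pap's
    expected encoding; verify against your FreeRADIUS version.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha256(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def verify_ssha2_256(password, encoded):
    """Check a password against an encoded value (digest is the first 32 bytes)."""
    raw = base64.b64decode(encoded)
    digest, salt = raw[:32], raw[32:]
    return hashlib.sha256(password.encode() + salt).digest() == digest


def harden_entry(name, password):
    """Return a users-file line storing the secret salted and hashed.

    Caveat: a hashed check item only works for PAP. CHAP and MS-CHAP need
    the clear-text password (or NT hash) on the server, so hashing the
    users file is not a fix for those methods.
    """
    return f'{name}    SSHA2-256-Password := "{ssha2_256(password)}"'


if __name__ == "__main__":
    for user, attr in find_cleartext(SAMPLE_USERS):
        print(f"clear-text secret: user {user!r} via {attr}")
    print(harden_entry("alice", "Password123"))
```

Running it against the constructed file flags `alice` and `carol`; `dave` passes because only the salted hash is on disk. Note the caveat in `harden_entry`: hashing removes the clear-text exposure from the first bullet above, but the other two objections (administrator-chosen passwords, no self-service change) remain, which is why the text steers you away from this setup for production.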