Limitations of the Module
Of course, opening any sort of private system to the Web presents a smorgasbord of security concerns. While Chapter 8 serves to detail the inherent problems and limitations of the RADIUS protocol, these limitations are still present using mod_auth_radius and should be considered.
First, using static passwords over the Web is not secure. The password from the end user to the web server is sent in plain text (“in the clear,” that is) and is open to sniffing by anyone with the proper tools. This problem is exacerbated when the RADIUS server exists on the same machine as the web server. RADIUS was not designed to be directly exposed, and with script kiddies and crackers roaming about, it’s a problem you simply don’t want to have.
Second, using the same server for Web and dial-up users isn’t the best idea, either. The problem lies in this: if the cracker manages to gain access to your web site using a sniffed password, he would have no trouble actually dialing up and gaining access to your system. He can pose as anyone and this becomes a serious threat to the integrity of your network. You might say that this seems almost a direct opposite to the benefits I was preaching about previously.
However, there are ways to work around these limitations:
Use secure sockets layer (SSL) to protect the password.
If you must open the web server to the Internet, protect the site with a secure server certificate (https) and purchase an SSL certificate from one of the many providers. ...