I recently wrote this piece of code:
```php
$radius = radius_auth_open();
// Arguments: handle, server, port, shared secret, timeout (seconds), max tries
radius_add_server($radius, $serverIP, $port_no, 'secret', 5, 3);
radius_create_request($radius, RADIUS_ACCESS_REQUEST);
radius_put_attr($radius, RADIUS_USER_NAME, $username);
radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
$result = radius_send_request($radius);
switch ($result)
{
    case RADIUS_ACCESS_ACCEPT:
        // etc...
}
```
My variable $password is not encrypted at all; in fact, if I encrypt it with password_hash(), RADIUS won't recognize it.
Thus my question is:
Can a sniffer pick up that password? Or does radius_send_request already scramble it because of the parameter RADIUS_USER_PASSWORD?
EDIT:
I confused the terms hash and encrypt.
Radius does obfuscate the password when given the parameter attribute RADIUS_USER_PASSWORD. That is enough security for my system.
Thanks!
Radius does obfuscate the password when given the parameter attribute RADIUS_USER_PASSWORD.
So nobody should be able to sniff your RADIUS authentication.