I'm also working on this topic. With the password revealer you can easily decrypt the group password. The group name is configured in plain text in the profile, too.
So my additional question is the following: How can it be prevented that an attacker uses this combination of group name and group password during the user authentication? In my configuration this is recently working. The group combination works in the user authentication process, too. I haven't managed to prevent this. This is a big security issue.
Any ideas? How do other admins configure this?
I use RADIUS authentication and authorization by ACS. I tried the group-lock feature, but in this scenario it doesn't help.
Thanks for your help.