topic Re: Radius AAA authentication in Network Access Control

Radius AAA authentication

Badgerpoo — Mon, 11 Mar 2019 00:35:41 GMT

I couldn't find anything relevant, but apologies if it has already been answered.

Is there any way of encrypting the traffic between a switch and a radius server when using radius to authenticate switch logins? As far as I can tell the traffic is passed between the switch and the radius server in plain text by default.

Re: Radius AAA authentication

Nicolas Darchis — Fri, 19 Nov 2010 17:07:09 GMT

Radius over IPSec is supported by devices like the Wireless controller but I have no ideas for switches ...

Conceptually, it exists.

Nicolas

===

Don't forget to rate answers that you find useful

Re: Radius AAA authentication

Badgerpoo — Thu, 25 Nov 2010 10:18:54 GMT

I've not been able to find anything to suggest it is configurable on a switch, seems to render the whole thing useless unless you like sending authentication data in the clear over the network. Doesn't seem like a good idea to me!

Re: Radius AAA authentication

Tiago Antunes — Thu, 25 Nov 2010 10:45:29 GMT

Hi,

Please bear in mind that it is not the RADIUS protocol that bings security, but rather the authentication method inside it.

Example, if you use PEAP or EAP-TLS, the authentication is all carried inside a TLS tunnel.

You can sniff the RADIUS packets but you will not be able to get any critical information from the client.

Think on the RADIUS as a transport mechanism for EAP authentication.

HTH,

Tiago

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Re: Radius AAA authentication

Badgerpoo — Thu, 25 Nov 2010 12:50:51 GMT

Can a switch be configured to use PEAP or TLS? This is pretty much what I meant to ask

in the op.

Re: Radius AAA authentication

Nicolas Darchis — Thu, 25 Nov 2010 13:33:41 GMT

It is the client that has to be configured to do any of these methods.

To summarize : the client does an EAP method and the switch forwards those eap packets inside radius to the authentication server.

Radius is usually not secure but since methods like PEAP or EAP-TLS build a secure tunnel, you can't pull much information out of the radius packets (as far as user information are concerned). Radius is encrypted with a shared key so it's already something as well

Hope this helps.

Nicolas

Re: Radius AAA authentication

Badgerpoo — Thu, 25 Nov 2010 14:26:53 GMT

I think we're talking at cross purposes. I want to use Radius for the switch logins themselves as well as for dot1x via an end user client. I'm looking a for a method of confiuguring the switch to use Radius to check logins to the switch, but for this process to be secured via TLS or PEAP.

Re: Radius AAA authentication

Nicolas Darchis — Thu, 25 Nov 2010 14:38:13 GMT

That clarifies.

the switch authentication doesn't use EAP methods. It's PAP or CHAP over RADIUS I believe. So we go back to my first answer. It's Radius over IPSec or nothing I'm afraid 🙂

Nicolas

Re: Radius AAA authentication

Herbert Baerten — Tue, 30 Nov 2010 21:04:32 GMT

Agree with Nicolas, but not many switches will support IPsec I'm afraid.

Just wanted to add that Radius actually does encrypt the password so if you sniff the radius packets you will see the username, ip address etc but not the password.

If this is still a concern, you could opt to use Tacacs+ instead, since that will encrypt the entire payload.

hth

Herbert