topic Re: Encrypt traffic between 2800 router and radius server in Network Access Control

Encrypt traffic between 2800 router and radius server

xtech — Sun, 10 Mar 2019 21:02:05 GMT

Hi,

I am using a 2811 for VPN clients, and have instituted AAA using a windows radius server. How can I encrypt the traffic between the 2811 and the radius server when it is authenticating the users? I am pretty sure it is using PAP now. Can I enforce CHAP or something?

Thanks - Wayne

Re: Encrypt traffic between 2800 router and radius server

paddyxdoyle — Fri, 25 Feb 2005 10:59:43 GMT

Hi,

I believe your PAP will terminate on the 2811 router and the router then passes the username and password (learned via PAP) via RADUIS to your AAA server.

This can be encrypted using a shared secret both on the router and on the AAA server

e.g.

radius-server host auth-port 1645 acct-port 1646 key

When you add the 2811 to your AAA server as a RADIUS client you also need specify the secret key here too.

Hope this is what you want?

Paddy

Re: Encrypt traffic between 2800 router and radius server

xtech — Fri, 25 Feb 2005 15:15:25 GMT

Hi Paddy,

Thanks for the info. I have the router and radius server set up fine. My question - Does the router pass the user name and password of a VPN client to the radius server in plain text, and if so, can I specify one of the encryption methods listed on the radius server such as Chap, MS-Chap, MS-Chap v2? When I did not specify PAP on the radius server I could not authenticate users.

Thanks - Wayne

Re: Encrypt traffic between 2800 router and radius server

paddyxdoyle — Fri, 25 Feb 2005 15:28:23 GMT

Hi,

All RADUIS traffic between your router and AAA server will be encrypted.

I think if you try and use an encryption method other than PAP, the actual users password is not sent across the wire, just a hash of various bit and pieces so in normaly circumstances authentication will fail.

HTH

Paddy

Re: Encrypt traffic between 2800 router and radius server

xtech — Fri, 25 Feb 2005 15:32:21 GMT

Thanks,

How can I document this for my pain in the *** SOX guy?

- Wayne

Re: Encrypt traffic between 2800 router and radius server

paddyxdoyle — Fri, 25 Feb 2005 16:05:04 GMT

What does SOX mean?

I just pulled this from the RFC, does it help?

Transactions between the client and RADIUS server are

authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.

At the bottom you could put.. for further information please refer to RFC 2138 🙂

Paddy

Re: Encrypt traffic between 2800 router and radius server

xtech — Fri, 25 Feb 2005 16:15:28 GMT

Thanks That is all I need

- Wayne

Re: Encrypt traffic between 2800 router and radius server

xtech — Fri, 25 Feb 2005 16:22:45 GMT

SOX - Sarbanes Oxley - Public companies have to jump through hoops now thanks to worldcom. This is a fuzzy guide that really does not give specific guidelines, more like "suggestions". However they must "comply" with the guidelines.

I wouldn't consider cyphering

Brendan White — Thu, 05 Feb 2015 16:36:17 GMT

I wouldn't consider cyphering text using a shared secret real encryption.

The only benefit is that the password is hash'd with the shared key. In the end, it's a short string typically 'cisco123'. Symmetrical encryption isn't encryption.

The only way to really take care of this problem would be with IPSec, create a network security policy on your NPS server to talk IPSec to the router/switch, and carry your radius traffic over the IPSec connection - which uses asymmetric encryption, public key technology.