<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162352#M591274</link>
    <pubDate>Sun, 18 Aug 2024 16:23:27 GMT</pubDate>
    <dc:creator>Nenday</dc:creator>
    <dc:date>2024-08-18T16:23:27Z</dc:date>
    <item>
      <title>Using PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius</title>
      <link>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162244#M591270</link>
      <description>&lt;P&gt;Dear friend,&amp;nbsp;&lt;/P&gt;&lt;P&gt;Lately I saw a CVE talking about a RADIUS security issue with Cisco devices running IOS software&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3" target="_self"&gt;(RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024)&lt;/A&gt;&lt;/P&gt;&lt;P&gt;so I tried to change the authentication methods in my RADIUS server to Encrypted (CHAP) or Microsoft Encrypted Authentication v2 (MS-CHAP v2), but I cannot log in to the switch when I change it&lt;/P&gt;&lt;P&gt;I used a self-signed certificate generated with OpenSSL for PEAP (installed on the server and on the client used to manage the switches)&lt;/P&gt;&lt;P&gt;Has anyone managed to do it, or any tips?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks a lot&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Nenday_0-1723963747762.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/226587iBE6FAB5DB03A1A00/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Nenday_0-1723963747762.png" alt="Nenday_0-1723963747762.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Nenday_1-1723963793326.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/226588i3D4D9B40AC929E97/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Nenday_1-1723963793326.png" alt="Nenday_1-1723963793326.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 18 Aug 2024 06:52:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162244#M591270</guid>
      <dc:creator>Nenday</dc:creator>
      <dc:date>2024-08-18T06:52:16Z</dc:date>
    </item>
    <item>
      <title>Re: Using PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius</title>
      <link>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162287#M591271</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1669890"&gt;@Nenday&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;The reason behind that is that Cisco IOS SSH uses PAP/ASCII as the authentication method, and AFAIK there is no other option for SSH except X.509 certificate-based authentication, or you need to use TACACS, which is not supported by NPS.&lt;BR /&gt;&lt;BR /&gt;Microsoft actions to take for this vulnerability:&amp;nbsp;&lt;BR /&gt;&lt;A href="https://support.microsoft.com/en-us/topic/kb5040268-how-to-manage-the-access-request-packets-attack-vulnerability-associated-with-cve-2024-3596-a0e2f0b1-f200-4a7b-844f-48d1d5ab9e66" target="_blank"&gt;https://support.microsoft.com/en-us/topic/kb5040268-how-to-manage-the-access-request-packets-attack-vulnerability-associated-with-cve-2024-3596-a0e2f0b1-f200-4a7b-844f-48d1d5ab9e66&lt;/A&gt;&lt;/P&gt;&lt;P&gt;HTH!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 18 Aug 2024 09:09:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162287#M591271</guid>
      <dc:creator>Amine ZAKARIA</dc:creator>
      <dc:date>2024-08-18T09:09:48Z</dc:date>
    </item>
    <item>
      <title>Re: Using PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius</title>
      <link>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162319#M591273</link>
      <description>Thank you Amine for your response, it's a little clearer right now. I did&lt;BR /&gt;some updates on my RADIUS server and I see the new request form in the log file,&lt;BR /&gt;but when I update the RADIUS client side I can't log in to the switch, without&lt;BR /&gt;any error message.&lt;BR /&gt;Is there something that I must update in the switch configuration, or must it&lt;BR /&gt;work with the same configuration?&lt;BR /&gt;&lt;BR /&gt;Thanks a lot&lt;BR /&gt;</description>
      <pubDate>Sun, 18 Aug 2024 13:13:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162319#M591273</guid>
      <dc:creator>Nenday</dc:creator>
      <dc:date>2024-08-18T13:13:44Z</dc:date>
    </item>
    <item>
      <title>Re: Using PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius</title>
      <link>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162352#M591274</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1228911"&gt;@Amine ZAKARIA&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is the debug log, exactly what I get from the switch when I enable the checkbox:&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Access-Request messages must contain the message-authenticator attribute&lt;/STRONG&gt;&lt;/P&gt;&lt;HR /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Aug 18 10:25:49.935: RADIUS/ENCODE(00000014):Orig. component type = EXEC
Aug 18 10:25:49.935: RADIUS:  AAA Unsupported Attr: interface         [174] 5
Aug 18 10:25:49.939: RADIUS:   74 74 79                                         [tty]
Aug 18 10:25:49.939: RADIUS/ENCODE(00000014): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Aug 18 10:25:49.939: RADIUS(00000014): Config NAS IP: 192.168.174.132
Aug 18 10:25:49.943: RADIUS/ENCODE(00000014): acct_session_id: 20
Aug 18 10:25:49.943: RADIUS(00000014): sending
Aug 18 10:25:49.947: RADIUS(00000014): Send Access-Request to 192.168.174.130:1645 id 1645/28, len 96
QUBC1SW01#
Aug 18 10:25:49.951: RADIUS:  authenticator 02 2F 01 A0 42 56 CB 4F - A7 2C B3 2A E7 41 4F C8
Aug 18 10:25:49.951: RADIUS:  User-Name           [1]   18  "agrm909@kaya.lab"
Aug 18 10:25:49.951: RADIUS:  User-Password       [2]   18  *
Aug 18 10:25:49.951: RADIUS:  NAS-Port            [5]   6   98
Aug 18 10:25:49.955: RADIUS:  NAS-Port-Id         [87]  7   "tty98"
Aug 18 10:25:49.955: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Aug 18 10:25:49.955: RADIUS:  Calling-Station-Id  [31]  15  "192.168.174.1"
Aug 18 10:25:49.959: RADIUS:  NAS-IP-Address      [4]   6   192.168.174.132
QUBC1SW01#
Aug 18 10:25:54.795: RADIUS: Retransmit to (192.168.174.130:1645,1646) for id 1645/28
QUBC1SW01#
Aug 18 10:25:59.131: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.174.130:1645,1646 is not responding.
Aug 18 10:25:59.135: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.174.130:1645,1646 is being marked alive.
QUBC1SW01#
Aug 18 10:25:59.139: RADIUS: Retransmit to (192.168.174.130:1645,1646) for id 1645/28
QUBC1SW01#
Aug 18 10:26:03.619: RADIUS: Retransmit to (192.168.174.130:1645,1646) for id 1645/28
QUBC1SW01#
Aug 18 10:26:07.987: RADIUS: Fail-over to (192.168.174.130:1812,1813) for id 1645/28
QUBC1SW01#
Aug 18 10:26:12.431: RADIUS: Retransmit to (192.168.174.130:1812,1813) for id 1645/28
QUBC1SW01#
Aug 18 10:26:17.963: RADIUS: Retransmit to (192.168.174.130:1812,1813) for id 1645/28
QUBC1SW01#
Aug 18 10:26:22.567: RADIUS: Retransmit to (192.168.174.130:1812,1813) for id 1645/28
QUBC1SW01#
Aug 18 10:26:27.143: RADIUS: No response from (192.168.174.130:1812,1813) for id 1645/28
Aug 18 10:26:27.147: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Aug 18 10:26:27.147: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
QUBC1SW01#
Aug 18 10:26:29.223: AAA/AUTHEN/LOGIN (00000014): Pick method list 'default'
Aug 18 10:26:29.231: RADIUS/ENCODE(00000014): ask "Password: "
Aug 18 10:26:29.231: RADIUS/ENCODE(00000014): send packet; GET_PASSWORD
QUBC1SW01#&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 18 Aug 2024 16:23:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162352#M591274</guid>
      <dc:creator>Nenday</dc:creator>
      <dc:date>2024-08-18T16:23:27Z</dc:date>
    </item>
    <item>
      <title>Re: Using PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius</title>
      <link>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162415#M591286</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1669890"&gt;@Nenday&lt;/a&gt;&amp;nbsp;,&lt;BR /&gt;&lt;BR /&gt;If you check Event Viewer on NPS, it will show that the switch did not send a Message-Authenticator, and based on what I read in the RFC it is sent with the EAP or CHAP authentication methods, which is not your case. Unfortunately, the last time I tried to change it from PAP to another method I found it's not possible on IOS.&lt;BR /&gt;&lt;BR /&gt;You can uncheck that option, and make sure at least the switch management network/NPS network is not accessible by other users and the communication between the network devices' management network and the NPS is logically separated from user traffic. Or, as I said, you can use TACACS.&lt;BR /&gt;&lt;BR /&gt;Regards!&lt;/P&gt;&lt;P&gt;--&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Don't forget to rate helpful posts.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 19 Aug 2024 01:09:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162415#M591286</guid>
      <dc:creator>Amine ZAKARIA</dc:creator>
      <dc:date>2024-08-19T01:09:29Z</dc:date>
    </item>
    <item>
      <title>Re: Using PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius</title>
      <link>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162834#M591297</link>
      <description>&lt;P&gt;This bug may sound serious, but for most enterprise networks this is not possible unless an attacker has access to the network path from the switch to the RADIUS server. If somebody has access to that, then you have more serious issues to worry about than this vulnerability &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;Some have RADIUS servers in the cloud or go over the internet; there may be a chance that the ISP etc. can glean into it.&lt;/P&gt;
&lt;P&gt;My 2 cents &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;**Please rate as useful if this was helpful**&lt;/P&gt;</description>
      <pubDate>Mon, 19 Aug 2024 21:04:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5162834#M591297</guid>
      <dc:creator>ccieexpert</dc:creator>
      <dc:date>2024-08-19T21:04:10Z</dc:date>
    </item>
    <item>
      <title>Re: Using PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius</title>
      <link>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5163361#M591318</link>
      <description>&lt;P&gt;Thank you&amp;nbsp;&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1481123"&gt;@ccieexpert&lt;/a&gt;&amp;nbsp; &amp;nbsp;&amp;amp;&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1228911"&gt;@Amine ZAKARIA&lt;/a&gt;&amp;nbsp; for your responses.&amp;nbsp;&lt;/P&gt;&lt;P&gt;I think I have a serious issue because my network is not secured and many people can see the RADIUS server.&amp;nbsp;&lt;BR /&gt;I tried to apply what Microsoft suggests doing on the RADIUS server, but it didn't work. On the RADIUS server I captured packets and I didn't see the Message-Authenticator sent by the client.&amp;nbsp;&lt;BR /&gt;Do I need to do something on the switch or on another side?!&amp;nbsp;&lt;BR /&gt;I feel that I am circling around the solution but can't touch it &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It has been 1 week now and I can't see the light in the darkness!!!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 20 Aug 2024 17:35:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5163361#M591318</guid>
      <dc:creator>Nenday</dc:creator>
      <dc:date>2024-08-20T17:35:33Z</dc:date>
    </item>
    <item>
      <title>Re: Using PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius</title>
      <link>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5166554#M591434</link>
      <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;&lt;P&gt;When I enable the Message-Authenticator option in the client configuration on NPS&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Nenday_0-1724767949581.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/227128i4F2627E8DDF45F7A/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Nenday_0-1724767949581.png" alt="Nenday_0-1724767949581.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;I cannot connect using SSH, and when I check my RADIUS log I find that the switch didn't send the Message-Authenticator in the packet.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can anyone help me correct this issue? At least it will resolve part of the problem.&lt;/P&gt;</description>
      <pubDate>Tue, 27 Aug 2024 14:14:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-peap-or-eap-mschapv2-cisco-switch-2960-x-and-radius/m-p/5166554#M591434</guid>
      <dc:creator>Nenday</dc:creator>
      <dc:date>2024-08-27T14:14:20Z</dc:date>
    </item>
  </channel>
</rss>