https://community.cisco.com/t5/network-access-control/using-windows-nps-for-cisco-router-aaa-authentication-is-this/m-p/2630412#M74318 <P>Ok i think that clears it up. I looked at the RFC and guess RADIU just uses&nbsp;MD5 which is perfectly fine. But I have one more question: if a preshared radius key gets compromised I need to reissue a new key to all my clients correct? If a hacker knew the key they could decrypt the traffic right?</P> Wed, 25 Feb 2015 14:20:12 GMT red red 2015-02-25T14:20:12Z https://community.cisco.com/t5/network-access-control/using-windows-nps-for-cisco-router-aaa-authentication-is-this/m-p/2630410#M74315 <P>I'm very confused about how all this works and was hoping someone could help me out.</P> <P>I followed&nbsp;a bunch of online tutorials to setup RADIUS authentication on a Cisco router and pointed it to a Windows NPS. I can now ssh into the router my with AD account.</P> <P style="margin-bottom: 1em; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; clear: both; color: rgb(0, 0, 0); font-family: Arial, 'Liberation Sans', 'DejaVu Sans', sans-serif; line-height: 17.8048000335693px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;">Now that I got it working I'm going over the settings to make sure everything is secure.</P> <P style="margin-bottom: 1em; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; clear: both; color: rgb(0, 0, 0); font-family: Arial, 'Liberation Sans', 'DejaVu Sans', sans-serif; line-height: 17.8048000335693px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;">On my router the config is pretty simple:</P> <PRE style="padding: 5px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; overflow: auto; width: auto; max-height: 600px; word-wrap: normal; color: rgb(0, 0, 0); line-height: 17.8048000335693px; background: rgb(238, 238, 238);"> <CODE style="margin: 0px; font-size: 13.6960000991821px; vertical-align: baseline; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; white-space: inherit; background: rgb(238, 238, 238);">aaa new-model aaa group server radius WINDOWS_NPS server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey aaa authentication login default local group WINDOWS_NPS ip domain-name MyDom crypto key generate rsa (under vty and console)# login authentication default</CODE> </PRE> <P>&nbsp;&nbsp;On the Windows NPS:</P> <UL style="margin-bottom: 1em; margin-left: 30px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; color: rgb(0, 0, 0); font-family: Arial, 'Liberation Sans', 'DejaVu Sans', sans-serif; line-height: 17.8048000335693px; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;"><LI style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;">I created a new RADIUS client for the router.</LI><LI style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;">Created a shared secret and specified Cisco as Vendor Name.</LI><LI style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;">Created a new Network Policy with my desired conditions.</LI><LI style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;">And now the part of the Network Policy config that worries me:</LI></UL> <P style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;"><IMG alt="NPS config" class="image-style-none media-element file-default" data-file_info="%7B%22fid%22:%221109861%22,%22view_mode%22:%22default%22,%22fields%22:%7B%22format%22:%22default%22,%22field_file_image_alt_text%5Bund%5D%5B0%5D%5Bvalue%5D%22:%22NPS%20config%22,%22field_file_image_title_text%5Bund%5D%5B0%5D%5Bvalue%5D%22:%22NPS%20config%22,%22field_media_description%5Bund%5D%5B0%5D%5Bvalue%5D%22:%22NPS%20config%22%7D,%22type%22:%22media%22%7D" src="https://community.cisco.com/legacyfs/online/media/zzzzzz.jpg" title="NPS config" typeof="foaf:Image" /></P> <P style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;">&nbsp;</P> <P style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;">So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:</P> <P style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;"><IMG src="https://community.cisco.com/legacyfs/online/media/capture_36.jpg" class="migrated-markup-image" /></P> <P style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;">How is my password being encrypted and how strong is the encryption?</P> <P style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;">&nbsp;</P> <P style="margin: 0px; padding: 0px; border: 0px; font-size: 13.6960000991821px; vertical-align: baseline; background: transparent;">Another thing is how can I configure aaa authentication with mschapv2? The documentation I saw for mschapv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using ppp I'm using aaa with a radius server.</P> <P>&nbsp;</P> Mon, 11 Mar 2019 05:29:33 GMT https://community.cisco.com/t5/network-access-control/using-windows-nps-for-cisco-router-aaa-authentication-is-this/m-p/2630410#M74315 red red 2019-03-11T05:29:33Z https://community.cisco.com/t5/network-access-control/using-windows-nps-for-cisco-router-aaa-authentication-is-this/m-p/2630411#M74317 <P>Hi,</P><P>Radius encrypts the password but sends the user name in the clear. Tacacs encrypts both username and password.</P><P>You can find the encryption scheme used by Radius in the RFC:</P><P>https://tools.ietf.org/html/rfc2865#page-27</P><P>MS-Chap-V2 is used for user authentication like dial-in and vpn and not for switch management</P><P>&nbsp;</P><P>Thanks</P><P>John</P> Wed, 25 Feb 2015 03:42:49 GMT https://community.cisco.com/t5/network-access-control/using-windows-nps-for-cisco-router-aaa-authentication-is-this/m-p/2630411#M74317 johnd2310 2015-02-25T03:42:49Z https://community.cisco.com/t5/network-access-control/using-windows-nps-for-cisco-router-aaa-authentication-is-this/m-p/2630412#M74318 <P>Ok i think that clears it up. I looked at the RFC and guess RADIU just uses&nbsp;MD5 which is perfectly fine. But I have one more question: if a preshared radius key gets compromised I need to reissue a new key to all my clients correct? If a hacker knew the key they could decrypt the traffic right?</P> Wed, 25 Feb 2015 14:20:12 GMT https://community.cisco.com/t5/network-access-control/using-windows-nps-for-cisco-router-aaa-authentication-is-this/m-p/2630412#M74318 red red 2015-02-25T14:20:12Z