cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1099
Views
0
Helpful
8
Replies

Encrypt traffic between 2800 router and radius server

xtech
Beginner
Beginner

Hi,

I am using a 2811 for VPN clients, and have instituted AAA using a windows radius server. How can I encrypt the traffic between the 2811 and the radius server when it is authenticating the users? I am pretty sure it is using PAP now. Can I enforce CHAP or something?

Thanks - Wayne

8 Replies 8

paddyxdoyle
Frequent Contributor
Frequent Contributor

Hi,

I believe your PAP will terminate on the 2811 router and the router then passes the username and password (learned via PAP) via RADUIS to your AAA server.

This can be encrypted using a shared secret both on the router and on the AAA server

e.g.

radius-server host auth-port 1645 acct-port 1646 key

When you add the 2811 to your AAA server as a RADIUS client you also need specify the secret key here too.

Hope this is what you want?

Paddy

Hi Paddy,

Thanks for the info. I have the router and radius server set up fine. My question - Does the router pass the user name and password of a VPN client to the radius server in plain text, and if so, can I specify one of the encryption methods listed on the radius server such as Chap, MS-Chap, MS-Chap v2? When I did not specify PAP on the radius server I could not authenticate users.

Thanks - Wayne

paddyxdoyle
Frequent Contributor
Frequent Contributor

Hi,

All RADUIS traffic between your router and AAA server will be encrypted.

I think if you try and use an encryption method other than PAP, the actual users password is not sent across the wire, just a hash of various bit and pieces so in normaly circumstances authentication will fail.

HTH

Paddy

Thanks,

How can I document this for my pain in the *** SOX guy?

- Wayne

paddyxdoyle
Frequent Contributor
Frequent Contributor

What does SOX mean?

I just pulled this from the RFC, does it help?

Transactions between the client and RADIUS server are

authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.

At the bottom you could put.. for further information please refer to RFC 2138 :)

Paddy

Thanks That is all I need

- Wayne

SOX - Sarbanes Oxley - Public companies have to jump through hoops now thanks to worldcom. This is a fuzzy guide that really does not give specific guidelines, more like "suggestions". However they must "comply" with the guidelines.

I wouldn't consider cyphering text using a shared secret real encryption.

The only benefit is that the password is hash'd with the shared key. In the end, it's a short string typically 'cisco123'. Symmetrical encryption isn't encryption.

The only way to really take care of this problem would be with IPSec, create a network security policy on your NPS server to talk IPSec to the router/switch, and carry your radius traffic over the IPSec connection - which uses asymmetric encryption, public key technology.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers