I am using a 2811 for VPN clients, and have instituted AAA using a windows radius server. How can I encrypt the traffic between the 2811 and the radius server when it is authenticating the users? I am pretty sure it is using PAP now. Can I enforce CHAP or something?
Thanks - Wayne
I believe your PAP will terminate on the 2811 router and the router then passes the username and password (learned via PAP) via RADIUS to your AAA server.
This can be encrypted using a shared secret both on the router and on the AAA server.
When you add the 2811 to your AAA server as a RADIUS client you also need to specify the secret key here too.
Hope this is what you want?
Thanks for the info. I have the router and radius server set up fine. My question - Does the router pass the user name and password of a VPN client to the radius server in plain text, and if so, can I specify one of the encryption methods listed on the radius server such as Chap, MS-Chap, MS-Chap v2? When I did not specify PAP on the radius server I could not authenticate users.
Thanks - Wayne
All RADIUS traffic between your router and AAA server will be encrypted.
I think if you try and use an encryption method other than PAP, the actual user's password is not sent across the wire, just a hash of various bits and pieces, so in normal circumstances authentication will fail.
What does SOX mean?
I just pulled this from the RFC, does it help?
Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.
At the bottom you could put.. for further information please refer to RFC 2138 :)
SOX - Sarbanes-Oxley - Public companies have to jump through hoops now thanks to WorldCom. This is a fuzzy guide that really does not give specific guidelines, more like "suggestions". However they must "comply" with the guidelines.
I wouldn't consider cyphering text using a shared secret real encryption.
The only benefit is that the password is hashed with the shared key. In the end, it's a short string, typically 'cisco123'. Symmetrical encryption isn't encryption.
The only way to really take care of this problem would be with IPSec: create a network security policy on your NPS server to talk IPSec to the router/switch, and carry your RADIUS traffic over the IPSec connection, which uses asymmetric encryption, public key technology.
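The User-Password hiding that the RFC quote and the "hashed with the shared key" remark above both describe, as an added example (not code from anyone in this thread): the RFC 2138 section 5.2 construction XORs each 16-byte password block with MD5(shared secret || previous block), seeded by the Request Authenticator that travels in the clear in the same packet, so the shared secret is the only confidential input. The secret, password and authenticator values are constructed for the demo.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest length; User-Password is processed in 16-byte blocks


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Produce the on-the-wire User-Password value (RFC 2138 section 5.2).

    c_1 = p_1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_(i-1)).
    RA (Request Authenticator) is visible in the packet; only S is secret.
    """
    if len(req_auth) != BLOCK:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128 or b"\x00" in password:
        raise ValueError("password must be 1..128 bytes and contain no NUL")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # NUL-pad to 16n
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block  # chaining: next keystream depends on this output block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse operation, as done by the RADIUS server (or anyone holding S)."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], keystream))
        prev = hidden[i:i + BLOCK]
    return bytes(out).rstrip(b"\x00")  # drop the NUL padding


def demo() -> dict:
    """Constructed sample values; os.urandom stands in for the NAS's authenticator."""
    secret = b"cisco123"              # the kind of short secret the thread warns about
    req_auth = os.urandom(BLOCK)
    pw = b"vpn-user-p@ssw0rd-1!"      # 20 bytes -> two 16-byte blocks on the wire
    hidden = hide_user_password(pw, secret, req_auth)
    recovered = reveal_user_password(hidden, secret, req_auth)
    other = hide_user_password(pw, secret, os.urandom(BLOCK))  # fresh RA, same password
    return {"wire_len": len(hidden), "round_trip_ok": recovered == pw,
            "same_pw_different_wire": other != hidden}


if __name__ == "__main__":
    print(demo())
```

Because the keystream is a deterministic function of the shared secret and a value carried in the packet, the confidentiality of the PAP password rests entirely on the secret's length and randomness, which is the point behind the IPSec recommendation above.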