02-24-2005 03:29 PM - edited 03-10-2019 02:02 PM
Hi,
I am using a 2811 for VPN clients, and have instituted AAA using a windows radius server. How can I encrypt the traffic between the 2811 and the radius server when it is authenticating the users? I am pretty sure it is using PAP now. Can I enforce CHAP or something?
Thanks - Wayne
02-25-2005 02:59 AM
Hi,
I believe your PAP will terminate on the 2811 router and the router then passes the username and password (learned via PAP) via RADIUS to your AAA server.
This can be encrypted using a shared secret both on the router and on the AAA server
e.g.
radius-server host
When you add the 2811 to your AAA server as a RADIUS client you also need specify the secret key here too.
Hope this is what you want?
Paddy
02-25-2005 07:15 AM
Hi Paddy,
Thanks for the info. I have the router and radius server set up fine. My question - Does the router pass the user name and password of a VPN client to the radius server in plain text, and if so, can I specify one of the encryption methods listed on the radius server such as Chap, MS-Chap, MS-Chap v2? When I did not specify PAP on the radius server I could not authenticate users.
Thanks - Wayne
02-25-2005 07:28 AM
Hi,
All RADIUS traffic between your router and AAA server will be encrypted.
I think if you try to use an encryption method other than PAP, the actual user's password is not sent across the wire, just a hash of various bits and pieces, so in normal circumstances authentication will fail.
HTH
Paddy
02-25-2005 07:32 AM
Thanks,
How can I document this for my pain in the *** SOX guy?
- Wayne
02-25-2005 08:05 AM
What does SOX mean?
I just pulled this from the RFC, does it help?
Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.
At the bottom you could put: for further information please refer to RFC 2138 :)
Paddy
02-25-2005 08:15 AM
Thanks, that is all I need.
- Wayne
02-25-2005 08:22 AM
SOX - Sarbanes-Oxley - Public companies have to jump through hoops now thanks to WorldCom. This is a fuzzy guide that really does not give specific guidelines, more like "suggestions". However they must "comply" with the guidelines.
02-05-2015 08:36 AM
I wouldn't consider cyphering text using a shared secret real encryption.
The only benefit is that the password is hashed with the shared key. In the end, it's a short string, typically 'cisco123'. Symmetrical encryption isn't encryption.
The only way to really take care of this problem would be with IPSec: create a network security policy on your NPS server to talk IPSec to the router/switch, and carry your RADIUS traffic over the IPSec connection, which uses asymmetric encryption (public key technology).
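To make concrete what the RFC quote above and this last reply are both describing, here is an added example (not code from any poster, nor from Cisco or Microsoft) implementing the RFC 2865 section 5.2 User-Password hiding that a NAS applies before putting a PAP password into an Access-Request: the password is XORed with MD5(shared secret + Request Authenticator), chained block by block. The shared secret and password values are constructed for the demo; `reveal_user_password` shows why the strength of this scheme rests entirely on the secret.

```python
import hashlib
import os


def _keystream_blocks(secret: bytes, request_authenticator: bytes, blocks: list) -> list:
    """Generate one 16-byte MD5 block per ciphertext block: the first is keyed by the
    Request Authenticator, each later one by the previous ciphertext block (RFC 2865 5.2)."""
    keys = []
    prev = request_authenticator
    for cipher_block in blocks:
        keys.append(hashlib.md5(secret + prev).digest())
        prev = cipher_block
    return keys


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Return the hidden User-Password attribute value the NAS sends on the wire."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    out = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: next key depends on this ciphertext block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Undo the hiding. Anyone holding the packet and the shared secret can do this,
    which is why a short guessable secret gives little real protection."""
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    blocks = [hidden[i:i + 16] for i in range(0, len(hidden), 16)]
    keys = _keystream_blocks(secret, request_authenticator, blocks)
    plain = b"".join(bytes(c ^ k for c, k in zip(b, key)) for b, key in zip(blocks, keys))
    return plain.rstrip(b"\x00")  # strip the RFC null padding


if __name__ == "__main__":
    # Constructed demo values; a real NAS picks a fresh random Request Authenticator per request.
    secret, authenticator = b"demo-shared-secret-constructed", os.urandom(16)
    wire = hide_user_password(b"user-pap-password", secret, authenticator)
    print(len(wire), "bytes on the wire; recovered:", reveal_user_password(wire, secret, authenticator))
```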