11-19-2010 08:54 AM - edited 03-10-2019 05:35 PM
I couldn't find anything relevant, but apologies if it has already been answered.
Is there any way of encrypting the traffic between a switch and a radius server when using radius to authenticate switch logins? As far as I can tell the traffic is passed between the switch and the radius server in plain text by default.
11-19-2010 09:07 AM
Radius over IPSec is supported by devices like the Wireless controller but I have no ideas for switches ...
Conceptually, it exists.
Nicolas
===
Don't forget to rate answers that you find useful
11-25-2010 02:18 AM
I've not been able to find anything to suggest it is configurable on a switch, seems to render the whole thing useless unless you like sending authentication data in the clear over the network. Doesn't seem like a good idea to me!
11-25-2010 02:45 AM
Hi,
Please bear in mind that it is not the RADIUS protocol that brings security, but rather the authentication method inside it.
For example, if you use PEAP or EAP-TLS, the authentication is all carried inside a TLS tunnel.
You can sniff the RADIUS packets but you will not be able to get any critical information from the client.
Think on the RADIUS as a transport mechanism for EAP authentication.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-25-2010 04:50 AM
Can a switch be configured to use PEAP or TLS? This is pretty much what I meant to ask in the OP.
11-25-2010 05:33 AM
It is the client that has to be configured to do any of these methods.
To summarize : the client does an EAP method and the switch forwards those eap packets inside radius to the authentication server.
Radius is usually not secure, but since methods like PEAP or EAP-TLS build a secure tunnel, you can't pull much information out of the radius packets (as far as user information is concerned). Radius is encrypted with a shared key, so it's already something as well.
Hope this helps.
Nicolas
11-25-2010 06:26 AM
I think we're talking at cross purposes. I want to use Radius for the switch logins themselves as well as for dot1x via an end user client. I'm looking for a method of configuring the switch to use Radius to check logins to the switch, but for this process to be secured via TLS or PEAP.
11-25-2010 06:38 AM
That clarifies.
The switch authentication doesn't use EAP methods. It's PAP or CHAP over RADIUS, I believe. So we go back to my first answer. It's Radius over IPSec or nothing, I'm afraid :-)
Nicolas
11-30-2010 01:04 PM
Agree with Nicolas, but not many switches will support IPsec I'm afraid.
Just wanted to add that Radius actually does encrypt the password so if you sniff the radius packets you will see the username, ip address etc but not the password.
If this is still a concern, you could opt to use Tacacs+ instead, since that will encrypt the entire payload.
hth
Herbert
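To make the two points above concrete (Nicolas: "Radius is encrypted with a shared key"; Herbert: a capture shows the username and addresses but not the password), here is an added example, not code from the thread or from any Cisco product, that implements the RFC 2865 User-Password hiding a NAS such as a switch applies to a PAP login. It builds a small Access-Request, parses it back the way a passive observer on the wire would, and shows which attributes are readable. The shared secret, username, password and NAS address are constructed sample values.

```python
import hashlib
import os
import struct

# RFC 2865 packet code and attribute types used in this example
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 and
    XOR each 16-byte block with MD5(secret + previous block). For the first
    block the 'previous block' is the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    if not padded:  # an empty password is still sent as one 16-byte block
        padded = b"\x00" * 16
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the RADIUS server, holding the same
    shared secret, does before checking the credential."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Serialise an Access-Request: code, id, length, authenticator, then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_packet(packet: bytes):
    """Decode a RADIUS packet exactly as a capture tool would: no secret needed."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs = []
    pos = 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, identifier, authenticator, attrs


def demo(secret: bytes = b"example-shared-secret", password: bytes = b"Cisco123") -> dict:
    """Constructed switch-login request; returns what is and is not visible on the wire."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random value per request
    pkt = build_access_request(7, authenticator, [
        (ATTR_USER_NAME, b"admin"),                       # constructed sample username
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),    # constructed sample switch address
    ])
    _, _, ra, attrs = parse_packet(pkt)
    visible = dict(attrs)
    return {
        "user_name_cleartext": visible[ATTR_USER_NAME],
        "nas_ip_cleartext": visible[ATTR_NAS_IP_ADDRESS],
        "password_on_wire": visible[ATTR_USER_PASSWORD],
        "server_recovers": unhide_password(visible[ATTR_USER_PASSWORD], secret, ra),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The output shows User-Name and NAS-IP-Address as plain bytes and User-Password as 16 obfuscated bytes that only a holder of the shared secret turns back into the credential. The hiding is MD5 keyed with the shared secret and chained from a random authenticator, not a general-purpose cipher, which is why the rest of the thread points at IPsec or TACACS+ when the whole exchange, not just the password attribute, has to be protected, and why the shared secret itself needs to be long and random.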