Radius AAA authentication

Badgerpoo
Level 1

I couldn't find anything relevant, but apologies if it has already been answered.

Is there any way of encrypting the traffic between a switch and a radius server when using radius to authenticate switch logins? As far as I can tell the traffic is passed between the switch and the radius server in plain text by default.

8 Replies

Nicolas Darchis
Cisco Employee

Radius over IPSec is supported by devices like the Wireless controller, but I have no idea for switches ...

Conceptually, it exists.

Nicolas

===

Don't forget to rate answers that you find useful

I've not been able to find anything to suggest it is configurable on a switch. That seems to render the whole thing useless, unless you like sending authentication data in the clear over the network. Doesn't seem like a good idea to me!

Hi,

Please bear in mind that it is not the RADIUS protocol that brings security, but rather the authentication method inside it.

For example, if you use PEAP or EAP-TLS, the authentication is all carried inside a TLS tunnel.

You can sniff the RADIUS packets but you will not be able to get any critical information from the client.

Think of RADIUS as a transport mechanism for EAP authentication.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Can a switch be configured to use PEAP or TLS? This is pretty much what I meant to ask in the OP.

It is the client that has to be configured to do any of these methods.

To summarize: the client does an EAP method and the switch forwards those EAP packets inside RADIUS to the authentication server.

Radius is usually not secure, but since methods like PEAP or EAP-TLS build a secure tunnel, you can't pull much information out of the radius packets (as far as user information is concerned). Radius is encrypted with a shared key, so it's already something as well.

Hope this helps.

Nicolas

I think we're talking at cross purposes. I want to use Radius for the switch logins themselves as well as for dot1x via an end user client. I'm looking for a method of configuring the switch to use Radius to check logins to the switch, but for this process to be secured via TLS or PEAP.

That clarifies.

The switch authentication doesn't use EAP methods. It's PAP or CHAP over RADIUS, I believe. So we go back to my first answer. It's Radius over IPSec or nothing, I'm afraid :-)

Nicolas

Agree with Nicolas, but not many switches will support IPsec, I'm afraid.

Just wanted to add that Radius actually does encrypt the password, so if you sniff the radius packets you will see the username, IP address etc. but not the password.

If this is still a concern, you could opt to use Tacacs+ instead, since that will encrypt the entire payload.

hth

Herbert
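As an added illustration of Herbert's point above (this is example code, not from the thread, Cisco or any RADIUS server), here is the RFC 2865 User-Password hiding scheme, a minimal constructed Access-Request, and what a passive observer on the wire recovers without the shared secret versus with it. The shared secret, username, password, request identifier and authenticator are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values for the demonstration (not from the thread).
SHARED_SECRET = b"example-shared-secret"
USER_NAME = b"admin"
PASSWORD = b"s3cret-login"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: the RADIUS server (or anyone holding the secret) reverses it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request (code 1) carrying User-Name (type 1) and a hidden User-Password (type 2)."""
    attrs = b""
    for attr_type, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    # Identifier 0x7F is a constructed value; the 16-byte Request Authenticator follows the header.
    return struct.pack("!BBH", 1, 0x7F, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """What a sniffer sees: attributes are type/length/value in the clear after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; a real client uses 16 random bytes per request
    seen = parse_attributes(build_access_request(USER_NAME, PASSWORD, SHARED_SECRET, auth))
    print("User-Name in the clear:", seen[1])
    print("User-Password on the wire:", seen[2].hex())
    print("Recovered with the shared secret:", unhide_password(seen[2], SHARED_SECRET, auth))
```

The username and every other attribute are readable by anyone on the path; only User-Password is masked, and that masking is as strong as the shared secret, which is why TACACS+ or an IPsec tunnel is the usual answer when the whole exchange must be protected.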
