Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
576
Views
0
Helpful
2
Replies

User knows radius key

commteam100
Level 1
Level 1

‎09-05-2006 12:09 AM - edited ‎03-10-2019 02:44 PM

hello,

I wanted to know what are the hazards of an end-user knowing the key with which a switch authenticates with the ACS?

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎09-05-2006 07:34 AM

Jonathan

I would not regard this as very much of a hazzard. The switch uses a key to authenticate with the radius server as it gets ready to authenticate user sessions, and (depending on how you have configured your devices) possibly to prepare to do authorization requests, or possibly to prepare to send accounting records to the server.

Since the remote devices do not create user records on the radius server or alter records on the server it does not pose much threat to the integrity of the radius server. Probably worst case, if an end user knew the key it might allow the user to spoof communications to the server and appear to be a device requesting authentication. Perhaps it might be part of doing a dictionary attack to find passwords for known user IDs. But since the radius server associates particular keys with particular device addresses the spoofing would have to send the transaction to the server and have a way to get the server response sent to it and not to the real device. And the dictionary attach could just as well be mounted by attempting access to real network devices.

So I do not see a lot of threat if an end user did happen to know the key used between the device and the server.

HTH

Rick

HTH

Rick
0 Helpful

darpotter
Level 5
Level 5

‎09-05-2006 10:11 AM

Knowing a shared secret would allow a man-in-the-middle attacker to harvest usernames and passwords for non-chap-like protocols.

It also allows a MitM to collect wep session keys by simply acting as a RADIUS proxy - with LEAP.

With new EAP protocols its not an issue because the authentication is protected via an end-to-end tunnel (client <-> aaa server)

However, if a malicious user knows where the AAA servers are, I'd worry more about a DoS attack bringing down the AAA server (and therefore preventing anyone getting access to perhaps your entire WLAN & possibily LAN)

0 Helpful
Customers Also Viewed These Support Documents