03-09-2020 03:46 PM
Hi
I am looking for documentation for certificate based authentication on Cisco ASR where the CA is a Microsoft based deployment. Can someone please tell me how this is done or provide a link to a document for the same?
The basic idea is to use EAP-TLS instead of MSCHAP v2 based radius authentication.
Thanks
03-09-2020 04:02 PM
Are you talking about 802.1X network authentication on the ASR?
The concepts of wired 802.1X authentication are well covered in the excellent Prescriptive Guide document.
03-09-2020 05:13 PM
Hi
The idea here is to use a RADIUS server in the provider environment to authenticate devices on the customer site. So let's assume the scenario is:

RADIUS server - - - - - - - - - - - > Onsite edge device - - - - Onsite access device
<------ Provider Network ------><------------- Customer Site ------------->
I set this up using Windows NPS services for RADIUS. The authentication request from the customer edge device can be encrypted using IPsec. This I have tested and it works.
The problem is when there is a device behind the edge device. One option is to set up tunnels from all devices, but it's not scalable. Moreover, using MSCHAP v2 introduces a vulnerability: it is somewhat susceptible to man-in-the-middle attacks. I know this is hard to do and a man in the middle mainly has to happen with physical access to the device and sniffing all the traffic.
One of the solutions I found while searching online was to use EAP-TLS. That is what I am trying to do. So the basic requirement is that any communication regarding user authentication from the access/core layer devices should be protected from any man-in-the-middle attack.
In essence I am trying to do dot1x. Hope that makes it a bit clearer.
03-09-2020 05:40 PM
Have a look at the prescriptive guide. The theory of operation for wired and wireless is mostly the same, but the implementation details for wired are more complex in my opinion. Having the RADIUS server hosted off-site is a common deployment methodology. All you need to do (as you already pointed out) is to ensure that the RADIUS traffic is encapsulated/tunneled to protect the contents (i.e. don't send it over the internet in plain text!). But apart from that it's not rocket science. Another common deployment scenario is to have the primary RADIUS server on premise, and only have the backup server in a central location. The main benefit is site survivability if the WAN fails, and better response times (lower latency).
And finally, yes, EAP-TLS (certificate based authentication) is the best method we have for authenticating clients because there is no (easy) way to intercept the cert and play a man-in-the-middle attack. Getting certs onto the client devices is probably the most difficult part of this entire game. And then managing those certs (ongoing renewals, PKI changes, revocations, etc.).
03-10-2020 11:59 AM
Hi,
Why don't you make use of the existing IPsec tunnel in order to secure the additional RADIUS flows?
Regards,
Cristian Matei.
03-11-2020 03:11 PM
Hi Cristian
The current IPsec tunnel terminates on the edge firewall. When the traffic from a device behind the firewall reaches it, it will be encrypted to the RADIUS server. My concern here is not the communication to the RADIUS server. I am concerned about the local traffic that can be sniffed. Consider this:

Switch ------> Edge FW ===========> RADIUS server
   Not encrypted         Encrypted
The concern is to protect the traffic between the switch and the edge firewall from being sniffed by someone onsite.
Thanks
Ankit
03-13-2020 08:13 AM
Hi,
Do you use the RADIUS server for 802.1x user/machine authentication (users attached to the switch) or for administrative access (access to the routers, switches for management)?
Regards,
Cristian Matei.