01-18-2019 07:10 AM - edited 01-18-2019 07:13 AM
Hi everyone,
I have configured a Radius server and want to manage my switches (Catalyst 2960-X) with users in AD. It works fine but the only way I can do the authentication is when I choose "unencrypted authentication (PAP,SPAP)" in Radiusgrupp properties.
Now the question is, how can I use a more secure authentication method? For example EAP (PEAP) or EAP-MSCHAP 2?
I searched everywhere but can't find any guide for this.
I have Cisco IOS version 15.2(2)E5 and my configuration on the Cisco switch and Radius are:
aaa new-model
aaa authentication login default group radius local
radius server (name_radius_server)
address ipv4 xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
key xxxxxxxx
Thank you in advance.
01-20-2019 01:55 PM - edited 01-20-2019 01:55 PM
The Radius password is already hashed and you can decode it if you know the Radius shared secret. It's not super secure, I agree. I think one alternative would be to encrypt the entire Radius UDP session using DTLS. ISE supports this, and the NAS should too.
Remember that EAP methods are still likely to expose the username in clear text because the supplicant copies the username into the Radius User-Name attribute. So using EAP will not obfuscate the user's identity. But it will of course create a secure TLS tunnel in which to exchange the password. Technically the Radius User-Name and the EAP User Identity are not related and in theory the radius User-Name could/should be randomized - but in practice it never is. One example where I know this IS done is with EAP-SIM/AKA, where a pseudonym is used in the username to protect the user.
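To make the point in the answer above concrete: the RADIUS User-Password attribute is not a one-way hash. RFC 2865 section 5.2 XORs the padded password with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, and the authenticator travels in the clear in the Access-Request header. Anyone holding the shared secret and a packet capture can reverse it, which is why moving the transport to RadSec/DTLS matters. The following is an added example written for this thread, not code from the original post or from Cisco; the shared secret, the authenticator and the password are constructed sample values.

```python
import hashlib

# Constructed sample values (not from any real deployment). In a real
# Access-Request the NAS picks a fresh random 16-byte authenticator per packet.
SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding as performed by the NAS.

    The password is padded with NULs to a multiple of 16 octets; each 16-octet
    block is XORed with MD5(secret + previous_ciphertext_block), where the
    first "previous block" is the Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next keystream depends on this ciphertext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server.

    Because hiding is XOR with a keystream that depends only on the secret and
    on data present in the packet, anyone with the secret can recover the
    password from a capture. Trailing NUL padding is stripped, so a password
    that itself ends in NUL bytes would not survive this round trip.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def demonstrate(password: bytes = b"Sw1tchAdm!n") -> dict:
    """Round-trip a constructed password and show the effect of the secret."""
    hidden = hide_password(password, SECRET, REQUEST_AUTHENTICATOR)
    return {
        "hidden_len": len(hidden),
        "recovered_with_secret": unhide_password(hidden, SECRET, REQUEST_AUTHENTICATOR),
        "recovered_with_wrong_secret": unhide_password(hidden, b"wrong-secret", REQUEST_AUTHENTICATOR),
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(k, v)
```

The takeaway for the thread's question: with PAP the protection of the user's password on the wire is exactly the secrecy of the RADIUS shared secret, so treat that secret as a credential (long, random, per-NAS) and prefer RadSec/DTLS so that the whole exchange, User-Name included, sits inside TLS.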
01-21-2019 12:39 AM
Thank you Arne,
I will try DTLS and see how it works. We will extend the radius authentication over the entire network with multi-vendor devices. Is DTLS suitable for a multi-vendor environment (Cisco, Dell, HP, MikroTik)? Or is there a better protocol for encryption?
01-21-2019 04:39 AM
I think it's a fairly common standard these days and goes by the name radsec or DTLS. Cisco seems to call it DTLS but the TCP port is the same as radsec (TCP/2083) - I think radsec is an implementation of the generic principle of DTLS.
RadSec RFC below
https://tools.ietf.org/html/rfc6614
It's Radius over TLS. It means messing around with certs etc. - I have not done it myself. You'd have to check each vendor in turn to see whether they support it.