Using EAP(PEAP) or EAP-MSCHAPv2 cisco switch 2960-X and Radius

DexterRoot
Level 1

Hi everyone, 

I have configured a Radius server and want to manage my switches (Catalyst 2960-X) with users in AD. It works fine but the only way I can do the authentication is when I choose "unencrypted authentication (PAP,SPAP)" in Radiusgrupp properties. 

Now the question is, how can I use a more secure authentication method? For example EAP (PEAP) or EAP-MSCHAPv2?

I searched everywhere but can't find any guide for this.

I have Cisco IOS version 15.2(2)E5 and my configuration on the Cisco switch and Radius are:
aaa new-model
aaa authentication login default group radius local

radius server (name_radius_server)
address ipv4 xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
key xxxxxxxx

Thank you in advance.

Accepted Solution

Arne Bier
VIP

The Radius password is already hashed and you can decode it if you know the Radius shared secret.  It's not super secure, I agree.  I think one alternative would be to encrypt the entire Radius UDP session using DTLS.  ISE supports this, and the NAS should too.

Remember that EAP methods are still likely to expose the username in clear text because the supplicant copies the username into the Radius User-Name attribute. So using EAP will not obfuscate the user's identity. But it will of course create a secure TLS tunnel in which to exchange the password. Technically the Radius User-Name and the EAP User Identity are not related and in theory the radius User-Name could/should be randomized - but in practice it never is. One example where I know this IS done is with EAP-SIM/AKA, where a pseudonym is used in the username to protect the user.


3 Replies


Thank you, Arne,

I will try DTLS and see how it works. We will extend the radius authentication over the entire network with multi-vendor devices. Is DTLS suitable for a multi-vendor environment (Cisco, Dell, HP, MikroTik)? Or is there a better protocol for encryption?

I think it's a fairly common standard these days and goes by the name radsec or DTLS.  Cisco seems to call it DTLS but the TCP port is the same as radsec (TCP/2083) - I think radsec is an implementation of the generic principle of DTLS.

RadSec RFC below

https://tools.ietf.org/html/rfc6614

It's Radius over TLS.  It means messing around with certs etc. - I have not done it myself.  You'd have to check each vendor in turn to see whether they support it.
