1300 Views | 1 Helpful | 7 Replies

Using PEAP or EAP-MSCHAPv2 on Cisco switch 2960-X and RADIUS

Nenday
Level 1

Dear friends,

Lately I saw a CVE talking about a RADIUS security issue with Cisco devices running IOS software

(RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024)

So I tried to change the authentication methods on my RADIUS server to Encrypted (CHAP) or Microsoft Encrypted Authentication v2 (MS-CHAP v2), but I cannot log in to the switch when I change it.

I used a self-signed certificate generated with OpenSSL for PEAP (installed on the server and on the client I use to manage the switches).

Has anyone succeeded in doing this, or does anyone have any tips?


thanks a lot

[attachment: Nenday_0-1723963747762.png]

[attachment: Nenday_1-1723963793326.png]

7 Replies

Amine ZAKARIA
Spotlight

Hello @Nenday ,

The reason behind that is that Cisco IOS SSH uses PAP/ASCII as the authentication method, and AFAIK there is no other option for SSH except x509 certificate-based authentication, or you need to use TACACS, which is not supported by NPS.

Microsoft actions to take for this vulnerability:
https://support.microsoft.com/en-us/topic/kb5040268-how-to-manage-the-access-request-packets-attack-vulnerability-associated-with-cve-2024-3596-a0e2f0b1-f200-4a7b-844f-48d1d5ab9e66

HTH!


Thank you Amine for your response, it's a little clearer right now. I did
some updates on my RADIUS server and I see the new request format in the log file,
but when I update the RADIUS client side I can't log in to the switch, without
any error message.
Is there something that I must update in the switch configuration, or must it
work with the same configuration?

Thanks a lot

@Amine ZAKARIA 

Here is the debug log, exactly what I get from the switch when I enable the checkbox:

Access-Request messages must contain the message-authenticator attribute


Aug 18 10:25:49.935: RADIUS/ENCODE(00000014):Orig. component type = EXEC
Aug 18 10:25:49.935: RADIUS:  AAA Unsupported Attr: interface         [174] 5
Aug 18 10:25:49.939: RADIUS:   74 74 79                                         [tty]
Aug 18 10:25:49.939: RADIUS/ENCODE(00000014): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Aug 18 10:25:49.939: RADIUS(00000014): Config NAS IP: 192.168.174.132
Aug 18 10:25:49.943: RADIUS/ENCODE(00000014): acct_session_id: 20
Aug 18 10:25:49.943: RADIUS(00000014): sending
Aug 18 10:25:49.947: RADIUS(00000014): Send Access-Request to 192.168.174.130:1645 id 1645/28, len 96
QUBC1SW01#
Aug 18 10:25:49.951: RADIUS:  authenticator 02 2F 01 A0 42 56 CB 4F - A7 2C B3 2A E7 41 4F C8
Aug 18 10:25:49.951: RADIUS:  User-Name           [1]   18  "agrm909@kaya.lab"
Aug 18 10:25:49.951: RADIUS:  User-Password       [2]   18  *
Aug 18 10:25:49.951: RADIUS:  NAS-Port            [5]   6   98
Aug 18 10:25:49.955: RADIUS:  NAS-Port-Id         [87]  7   "tty98"
Aug 18 10:25:49.955: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Aug 18 10:25:49.955: RADIUS:  Calling-Station-Id  [31]  15  "192.168.174.1"
Aug 18 10:25:49.959: RADIUS:  NAS-IP-Address      [4]   6   192.168.174.132
QUBC1SW01#
Aug 18 10:25:54.795: RADIUS: Retransmit to (192.168.174.130:1645,1646) for id 1645/28
QUBC1SW01#
Aug 18 10:25:59.131: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.174.130:1645,1646 is not responding.
Aug 18 10:25:59.135: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.174.130:1645,1646 is being marked alive.
QUBC1SW01#
Aug 18 10:25:59.139: RADIUS: Retransmit to (192.168.174.130:1645,1646) for id 1645/28
QUBC1SW01#
Aug 18 10:26:03.619: RADIUS: Retransmit to (192.168.174.130:1645,1646) for id 1645/28
QUBC1SW01#
Aug 18 10:26:07.987: RADIUS: Fail-over to (192.168.174.130:1812,1813) for id 1645/28
QUBC1SW01#
Aug 18 10:26:12.431: RADIUS: Retransmit to (192.168.174.130:1812,1813) for id 1645/28
QUBC1SW01#
Aug 18 10:26:17.963: RADIUS: Retransmit to (192.168.174.130:1812,1813) for id 1645/28
QUBC1SW01#
Aug 18 10:26:22.567: RADIUS: Retransmit to (192.168.174.130:1812,1813) for id 1645/28
QUBC1SW01#
Aug 18 10:26:27.143: RADIUS: No response from (192.168.174.130:1812,1813) for id 1645/28
Aug 18 10:26:27.147: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Aug 18 10:26:27.147: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
QUBC1SW01#
Aug 18 10:26:29.223: AAA/AUTHEN/LOGIN (00000014): Pick method list 'default'
Aug 18 10:26:29.231: RADIUS/ENCODE(00000014): ask "Password: "
Aug 18 10:26:29.231: RADIUS/ENCODE(00000014): send packet; GET_PASSWORD
QUBC1SW01#


Hello @Nenday ,

If you check the Event Viewer on NPS, it will show that the switch did not send Message-Authenticator, and based on what I read in the RFC, it is sent with the EAP or CHAP authentication methods, which is not your case. Unfortunately, the last time I tried to change it from PAP to another method, I found it's not possible on IOS.

You can uncheck that option, and make sure at least that the switch management network/NPS network is not accessible by other users and that the communication between the network devices' management network and the NPS is logically separated from user traffic. Or, as I said, you can use TACACS.

Regards!

--

Don't forget to rate helpful posts.
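To make the server-side behaviour discussed in this thread concrete, here is an added example (not part of the thread, and not Cisco or Microsoft code). It parses a RADIUS Access-Request, reports whether the Message-Authenticator attribute (RFC 2869, type 80) is present, verifies its HMAC-MD5 with the shared secret the way a server does once it requires the attribute, and models the "process or silently discard" decision that produces the retransmits and time-outs seen in the switch debug. The shared secret, password and request authenticator are constructed sample values; the attribute contents mirror the switch debug output and the resulting packet is 96 bytes, the same length the switch reported.

```python
"""Added example: check a RADIUS Access-Request for Message-Authenticator
(RFC 2869, attribute 80) and verify it like a server that requires it.
SECRET, REQ_AUTH and the password are constructed sample values."""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
CALLING_STATION_ID, NAS_PORT_TYPE, NAS_PORT_ID = 31, 61, 87
MESSAGE_AUTHENTICATOR = 80


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the null-padded password with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(pkt_id, req_auth, attrs, secret, with_message_authenticator):
    """Serialize code/id/length/authenticator plus TLV attributes. With the flag
    set, append a zeroed attribute 80, HMAC-MD5 the whole packet with the shared
    secret (RFC 2869 5.14) and write the digest into that attribute."""
    if with_message_authenticator:
        attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body)) + req_auth + body
    if with_message_authenticator:
        digest = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + digest  # attribute 80 is the last 16 octets
    return pkt


def parse_packet(pkt: bytes):
    """Return (code, id, authenticator, [(type, value_offset, value), ...])."""
    code, pkt_id, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, pos + 2, pkt[pos + 2:pos + l]))
        pos += l
    return code, pkt_id, pkt[4:20], attrs


def check_message_authenticator(pkt: bytes, secret: bytes) -> str:
    """Return 'missing', 'valid' or 'invalid'. The HMAC-MD5 is computed over the
    packet with the 16 value octets of attribute 80 treated as zeros."""
    _, _, _, attrs = parse_packet(pkt)
    found = [(off, v) for t, off, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"
    off, value = found[0]
    if len(value) != 16:
        return "invalid"
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, value) else "invalid"


def server_decision(pkt: bytes, secret: bytes, require_message_authenticator: bool) -> str:
    """Server policy: a bad HMAC is always discarded; a missing attribute is
    discarded only when the server requires it. A discard sends no reply, so the
    client just sees retransmits and a dead-server mark."""
    status = check_message_authenticator(pkt, secret)
    if status == "valid":
        return "process"
    if status == "invalid":
        return "discard"
    return "discard" if require_message_authenticator else "process"


# Constructed sample values; attribute contents mirror the switch debug output.
SECRET = b"lab-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE_ATTRS = [
    (USER_NAME, b"agrm909@kaya.lab"),
    (USER_PASSWORD, encode_user_password(b"sample-password", SECRET, REQ_AUTH)),
    (NAS_PORT, struct.pack("!I", 98)),
    (NAS_PORT_ID, b"tty98"),
    (NAS_PORT_TYPE, struct.pack("!I", 5)),  # Virtual
    (CALLING_STATION_ID, b"192.168.174.1"),
    (NAS_IP_ADDRESS, socket.inet_aton("192.168.174.132")),
]


def build_samples():
    """One request as the switch sends it (no attribute 80) and one with it."""
    without = build_access_request(28, REQ_AUTH, SAMPLE_ATTRS, SECRET, False)
    with_ma = build_access_request(28, REQ_AUTH, SAMPLE_ATTRS, SECRET, True)
    return without, with_ma


if __name__ == "__main__":
    for name, pkt in zip(("switch-style request", "request with attr 80"), build_samples()):
        print(name, len(pkt), "bytes:", check_message_authenticator(pkt, SECRET), "->",
              server_decision(pkt, SECRET, require_message_authenticator=True))
```

Run as a script it prints the two verdicts; the 96-byte request without attribute 80 is "missing" and gets discarded once the server requires the attribute, which is exactly the silent time-out the switch debug shows. The same `check_message_authenticator` logic, pointed at a packet capture taken on the NPS side, is the quickest way to confirm which clients are still sending Access-Requests without the attribute before enabling the requirement.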


This bug may sound serious, but for most enterprise networks this is not possible unless an attacker has access to the network path from the switch to the RADIUS server. If somebody has access to that, then you have more serious issues to worry about than this vulnerability.

Some have RADIUS servers in the cloud or go over the internet; there may be a chance that the ISP etc. can glean into it.

My 2 cents

*Please rate as useful if this was helpful*

Nenday
Level 1

Thank you @ccieexpert & @Amine ZAKARIA for your response.

I think I have a serious issue, because my network is not secured and many people can see the RADIUS server.
I tried to apply what Microsoft suggests doing on the RADIUS server, but it didn't work. On the RADIUS server I captured packets and I didn't see the Message-Authenticator sent by the client.
Do I need to do something on the switch or on another side?
I feel that I am circling around the solution but can't touch it.

It has been 1 week now and I can't see the light in the whole darkness!


Nenday
Level 1

Hello,

When I enable the message authenticator in the client configuration on NPS

[attachment: Nenday_0-1724767949581.png]

I cannot connect using SSH, and when I check my RADIUS log I find that the switch didn't send the Message-Authenticator in the packet.

Can anyone help me correct this issue? At least it will resolve part of the problem.