EAP-PEAP how is password hash transferred from WLC to RADIUS Server Securely?
I have implemented a Wi-Fi network where I am hosting my RADIUS server externally, and I have some concerns regarding the communication between our WLC and the external RADIUS server.
1 - I am finding that the RADIUS server certificate always appears and the user is required to explicitly trust the server certificate, even when properly signed by a public CA.
How can I ensure that the connecting device always trusts the RADIUS server certificate?
Does the CN of the cert need to match the SSID name and thus does the SSID name need to be a public DNS domain?
2 - I know EAP-PEAP uses TLS to create an encrypted tunnel to protect user passwords; however, I can see via packet tracing that that tunnel is from CLIENT --> AP and not from AP to RADIUS server. The traffic from WLC to RADIUS is 4 UDP packets, which are the Access-Request packets.
I can see the TLS tunnel being set up when capturing packets from the user device; however, from our firewall edge I only see the RADIUS Access-Request and Challenge packets from WLC and RADIUS.
These packets are UDP and not encrypted; they hold the WLC internal IP and host name along with the username in cleartext. How is the actual password transmitted to the RADIUS server at this stage? I.e., under which RADIUS attribute is the password held and how is the hash calculated?