Encrypt traffic between 2800 router and radius server

xtech
Level 1

Hi,

I am using a 2811 for VPN clients, and have instituted AAA using a windows radius server. How can I encrypt the traffic between the 2811 and the radius server when it is authenticating the users? I am pretty sure it is using PAP now. Can I enforce CHAP or something?

Thanks - Wayne

8 Replies

paddyxdoyle
Level 6

Hi,

I believe your PAP will terminate on the 2811 router and the router then passes the username and password (learned via PAP) via RADIUS to your AAA server.

This can be encrypted using a shared secret both on the router and on the AAA server

e.g.

radius-server host auth-port 1645 acct-port 1646 key

When you add the 2811 to your AAA server as a RADIUS client you also need to specify the secret key there too.

Hope this is what you want?

Paddy

Hi Paddy,

Thanks for the info. I have the router and radius server set up fine. My question - Does the router pass the user name and password of a VPN client to the radius server in plain text, and if so, can I specify one of the encryption methods listed on the radius server such as Chap, MS-Chap, MS-Chap v2? When I did not specify PAP on the radius server I could not authenticate users.

Thanks - Wayne

Hi,

All RADIUS traffic between your router and AAA server will be encrypted.

I think if you try and use an encryption method other than PAP, the actual user's password is not sent across the wire, just a hash of various bits and pieces, so in normal circumstances authentication will fail.

HTH

Paddy

Thanks,

How can I document this for my pain in the *** SOX guy?

- Wayne

What does SOX mean?

I just pulled this from the RFC, does it help?

"Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password."

At the bottom you could put: for further information please refer to RFC 2138 :)

Paddy

Thanks, that is all I need.

- Wayne

SOX - Sarbanes-Oxley - Public companies have to jump through hoops now thanks to WorldCom. This is a fuzzy guide that really does not give specific guidelines, more like "suggestions". However, they must "comply" with the guidelines.

I wouldn't consider cyphering text using a shared secret real encryption.

The only benefit is that the password is hashed with the shared key. In the end, it's a short string, typically 'cisco123'. Symmetrical encryption isn't encryption.

The only way to really take care of this problem would be with IPSec, create a network security policy on your NPS server to talk IPSec to the router/switch, and carry your radius traffic over the IPSec connection - which uses asymmetric encryption, public key technology.
