06-19-2010 04:38 PM
I'm using a VPN installation (router, ACS, Cisco VPN Client) and I noticed that the group name and decrypted group password can also be used in the second step of authentication (the extended authentication or user authentication), which is a big security concern. What is wrong in my configuration?
For testing I set up a VPN config as described in Cisco documents. There it also works. The group credentials work in the user authentication, too, which is absolutely logical because the group credentials are also a user in the ACS database. Of course this user can be authenticated in the user authentication process.
What's wrong? How do other admins solve this? Am I wrong in my approach?
Thanks!
Solved! Go to Solution.
06-20-2010 04:52 AM
Yes, authorization will require the password "cisco", at least for isakmp and pki. The group will send its name and the password cisco to receive the av-pairs (ASA has a feature to create a different "common-password", but it's not there on IOS, AFAIR).
It's a known restriction - you should not use same server for authentication and authorization, both with IOS and ASA.
Have you given this a thought (either/or):
- local isakmp authorization
- certificate authentication (group)
- splitting authentication and authorization functions between servers.
I don't believe we can do much configuration-wise to prohibit this behavior.
edit: corrected spelling.
06-20-2010 03:18 AM
Snapshots of config and ACS config would be useful.
"Normally" group authentication is local while user authentication is done in ACS.
To avoid the whole business altogether you can use certificates for group authentication.
06-20-2010 04:37 AM
CONFIG VPN_ROUTER:
...
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
!
...
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
crypto map clientmap
!
interface FastEthernet0/1
ip address 172.18.124.159 255.255.255.0
!
ip local pool ippool 172.18.130.0 172.18.130.200
....
ACS-USERS:
User: vpn_group, PW: cisco, av-pairs: ike, preshared-key=cisco123, addr-pool, inacl
User: vpn_user, PW: xxx
My problem is that it is possible to read out the user vpn_group. The password is known, too, because (if I'm right) it is necessary that the group_pw is cisco.
An attacker can use this combination in the user authentication, too, and does not need to know the user credentials. He can use the combination of user vpn_group and standard PW cisco.
What is wrong?
Is it right that the group_pw must be cisco? When I change it the connection doesn't work.
06-20-2010 07:23 AM
It's a known restriction - you should not use same server for authentication and authorization, both with IOS and ASA.
Have you give this a though (either/or):
- local isakmp authorization
- certificate authentication (group)
- splitting authentication and authorization functions between servers.
OK, it's good to know that my config is not totally wrong.
I think I will use the local isakmp authorization like this:
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
Your suggestions are very good, thanks for your help.
I think this topic is solved. For me it is ;-)
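A quick audit check for the restriction discussed in this thread, written here as an added example (it is not code from any post above or from Cisco): it parses the AAA method lists and crypto map bindings out of an IOS config excerpt and flags a crypto map whose Xauth (client authentication) list and ISAKMP authorization list both resolve to the same external server group, which is exactly the setup that lets the group user double as an Xauth user. The two config excerpts are constructed from the ones posted in the thread; the function names are my own.

```python
import re

# Constructed excerpts modelled on the thread's before/after configs.
BEFORE = """
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
"""
AFTER = """
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
"""

# Each pattern maps a config line to (dict name, key, value).
PATTERNS = [
    ("authn", r"aaa authentication login (\S+) (.+)"),
    ("authz", r"aaa authorization network (\S+) (.+)"),
    ("xauth", r"crypto map (\S+) client authentication list (\S+)"),
    ("author", r"crypto map (\S+) isakmp authorization list (\S+)"),
]

def parse(cfg):
    """Collect method lists and crypto map bindings from the config text."""
    tables = {name: {} for name, _ in PATTERNS}
    for line in cfg.splitlines():
        for name, pat in PATTERNS:
            m = re.match(pat, line.strip())
            if m:
                tables[name][m.group(1)] = m.group(2).strip()
    return tables

def first_server_group(methods):
    """Return the first 'group <name>' method in a method list, else None."""
    m = re.match(r"group (\S+)", methods or "")
    return m.group(0) if m else None

def shared_backends(cfg):
    """Crypto maps whose Xauth list and ISAKMP authorization list both use
    the same external server group; returns [(crypto_map, 'group <name>')]."""
    t = parse(cfg)
    findings = []
    for cmap in t["xauth"].keys() & t["author"].keys():
        xauth_grp = first_server_group(t["authn"].get(t["xauth"][cmap]))
        author_grp = first_server_group(t["authz"].get(t["author"][cmap]))
        if xauth_grp and xauth_grp == author_grp:
            findings.append((cmap, xauth_grp))
    return findings
```

Running `shared_backends` over the original config reports `clientmap` on `group radius`; the corrected config with `aaa authorization network groupauthor local` produces no finding.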