Cisco 2 factor authentication

Jimmy Hess mysidia at gmail.com
Sun Jun 26 02:46:22 UTC 2016


On Wed, Jun 22, 2016 at 9:38 PM, Chris Lawrence
<clawrence at dovefire.co.uk> wrote:
> Any radius based auth works well I've used a solution by secure envoy I the past which seems to work well they also have soft token apps, hard tokens plus SMS based.

However, a cautionary note there is that RADIUS protocol itself uses
only weak cryptography and is not  secure on the wire.

That is, in the absence of AES Keywrap proprietary extension  Or when
the method of credential used is not authentication using a
Client-side Certificate (PKI)  as  in  *EAP.

Specifically:  if RADIUS is used for the Authentication stage of AAA
with a code sent by SMS or OATH token [User types Normal password +
One Time Password],  then when traffic between RADIUS server and  VPN
device is captured:   The user credentials may be exposed  with the
extremely weak crypto protection  RADIUS   or NTLM provides for the
user password.

If a user re-uses their same password somewhere else on a device not
requiring 2FA,  then capturing RADIUS traffic could be an effective
privilege escalation  By copying victim's password from a sniffed
RADIUS exchange.

--
-JH



More information about the NANOG mailing list