Cisco 2 factor authentication
Tom Smyth
tom.smyth at wirelessconnect.eu
Mon Jun 27 01:36:10 UTC 2016
The RADIUS protocol traffic can be encrypted with IPsec policies... if
confidentiality of the RADIUS traffic is a concern (particularly if
traversing untrusted networks).
On 26 Jun 2016 3:48 a.m., "Jimmy Hess" <mysidia at gmail.com> wrote:
> On Wed, Jun 22, 2016 at 9:38 PM, Chris Lawrence
> <clawrence at dovefire.co.uk> wrote:
> > Any radius based auth works well. I've used a solution by secure envoy in
> > the past which seems to work well; they also have soft token apps, hard
> > tokens plus SMS based.
>
> However, a cautionary note there is that RADIUS protocol itself uses
> only weak cryptography and is not secure on the wire.
>
> That is, in the absence of the AES Keywrap proprietary extension, or when
> the method of credential used is not authentication using a
> Client-side Certificate (PKI) as in *EAP.
>
> Specifically: if RADIUS is used for the Authentication stage of AAA
> with a code sent by SMS or OATH token [User types Normal password +
> One Time Password], then when traffic between RADIUS server and VPN
> device is captured: The user credentials may be exposed with the
> extremely weak crypto protection RADIUS or NTLM provides for the
> user password.
>
> If a user re-uses their same password somewhere else on a device not
> requiring 2FA, then capturing RADIUS traffic could be an effective
> privilege escalation by copying the victim's password from a sniffed
> RADIUS exchange.
>
> --
> -JH
>
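The "weak crypto protection" Jimmy refers to is the User-Password hiding of RFC 2865 section 5.2: the password is padded to 16-byte blocks and XORed with MD5(shared secret || Request Authenticator) for the first block, then MD5(shared secret || previous ciphertext block) for each following block. The code below is an added illustration of that mechanism, not code from the thread or from any RADIUS product; the shared secret, authenticator and password values are constructed for the demo. It shows that the only key material is the shared secret, which is why the hiding gives no confidentiality against anyone who learns (or guesses) that secret, and why wrapping the RADIUS exchange in IPsec, as Tom suggests, or RADIUS over TLS (RFC 6614) is the appropriate protection on untrusted links.

```python
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Apply RFC 2865 section 5.2 User-Password hiding (what a NAS/VPN device does)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    # Pad with NULs to a multiple of 16 (trailing NULs in a password are lost by design).
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator  # first block is keyed by the Request Authenticator
    for off in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = xor_bytes(padded[off:off + 16], keystream)
        hidden += block
        prev = block  # later blocks chain on the previous ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo the hiding (what the RADIUS server does); symmetric with hide_user_password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for off in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += xor_bytes(hidden[off:off + 16], keystream)
        prev = hidden[off:off + 16]
    return bytes(plain).rstrip(b"\x00")


def keystream_first_block(secret: bytes, authenticator: bytes) -> bytes:
    """The entire protection of the first 16 password bytes: one MD5 of secret||authenticator."""
    return hashlib.md5(secret + authenticator).digest()


if __name__ == "__main__":
    # Constructed demo values (hypothetical; not from any real deployment).
    secret = b"example-shared-secret"
    authenticator = os.urandom(16)           # NAS picks a random Request Authenticator
    password = b"hunter2" + b"123456"        # "normal password + one time password"
    wire = hide_user_password(password, secret, authenticator)
    print("on the wire:", wire.hex())
    print("server sees:", reveal_user_password(wire, secret, authenticator))
    # Confidentiality rests entirely on the shared secret and a public authenticator.
    assert xor_bytes(wire, keystream_first_block(secret, authenticator)) == password + b"\x00" * 3
```

Note that nothing in this construction authenticates the packet or provides forward secrecy: the Request Authenticator travels in the clear, so the MD5 output that masks the password is a fixed function of the shared secret alone, and a weak or widely shared secret turns every captured Access-Request into the exposed credential Jimmy describes.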