ACS Auth: Using group data for user authentication -> Security issue?

Answered Question
Jun 19th, 2010

I'm using a VPN installation (Router, ACS, Cisco VPN Client) and I noticed that the group name and decrypted group password can also be used in the second step of authentication (the extended authentication or user authentication), which is a big security concern. What is wrong in my configuration?


For testing I set up a VPN config as described in Cisco documents. There it also works. The group credentials work in the user authentication, too, which is absolutely logical because the group credentials are also a user in the ACS database. Of course this user can be authenticated in the user authentication process.


What's wrong? How do other admins solve this? Am I wrong in my approach?


Thanks!


Marcin Latosiewicz Sun, 06/20/2010 - 03:18
User Badges:
  • Cisco Employee,

Snapshots of config and ACS config would be useful.


"Normally" group authentication is local while user authentication is done in ACS.


To avoid the whole business altogether you can use certificates for group authentication.

martinwicher Sun, 06/20/2010 - 04:37

CONFIG VPN_ROUTER:

...

aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
!
...

!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
crypto map clientmap
!
interface FastEthernet0/1
ip address 172.18.124.159 255.255.255.0
!
ip local pool ippool 172.18.130.0 172.18.130.200

....




ACS-USERS:


User: vpn_group, PW: cisco, av-pairs: ike, preshared-key=cisco123, addr-pool, inacl


User: vpn_user, PW: xxx



My problem is that it is possible to read out the user vpn_group. The password is known, too, because (if I'm right) it is necessary that the group_pw is cisco.

An attacker can use this combination in the user authentication, too, and does not need to know the user-credentials. He can use the combination of User vpn_group and standard-PW cisco.


What is wrong?


Is it right that the group_pw must be cisco? When I change it the connection doesn't work.

Correct Answer
Marcin Latosiewicz Sun, 06/20/2010 - 04:52
User Badges:
  • Cisco Employee,

Yes, authorization will require the password "cisco", at least for ISAKMP and PKI. The group will send its name and the password cisco to receive the av-pairs (ASA has a feature to create a different "common-password" but it's not there on IOS, AFAIR).


It's a known restriction - you should not use the same server for authentication and authorization, both with IOS and ASA.


Have you given this a thought (either/or):

- local isakmp authorization

- certificate authentication (group)

- splitting authentication and authorization functions between servers.



I don't believe we can do much configuration-wise to prohibit this behavior.


edit: corrected spelling.


martinwicher Sun, 06/20/2010 - 07:23

It's a known restriction - you should not use the same server for authentication and authorization, both with IOS and ASA.


Have you given this a thought (either/or):

- local isakmp authorization

- certificate authentication (group)

- splitting authentication and authorization functions between servers.



OK, it's good to know that my config is not totally wrong.


I think I will use local ISAKMP authorization this way:


aaa authentication login userauthen group radius

aaa authorization network groupauthor local


Your suggestions are very good, thanks for your help.


I think this topic is solved. For me it is ;-)
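As an added example (not code from the thread or from Cisco), a small audit script that reads an IOS running config and flags any crypto map whose Xauth (client authentication) list and ISAKMP authorization list resolve to the same external AAA server group, which is exactly the condition described above: the group account then doubles as a valid Xauth user. The sample input is constructed from the config lines posted in the thread, once with the shared RADIUS server and once with the local-authorization fix.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the relevant lines of the router config from the thread
# (one RADIUS server group for both AAA functions) and the fix from the last post.
SHARED_SERVER_CONFIG = """\
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
"""

LOCAL_AUTHOR_CONFIG = SHARED_SERVER_CONFIG.replace(
    "aaa authorization network groupauthor group radius",
    "aaa authorization network groupauthor local")

AUTHEN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$", re.M)
AUTHOR_RE = re.compile(r"^aaa authorization network (\S+) (.+)$", re.M)
MAP_AUTHEN_RE = re.compile(r"^crypto map (\S+) client authentication list (\S+)$", re.M)
MAP_AUTHOR_RE = re.compile(r"^crypto map (\S+) isakmp authorization list (\S+)$", re.M)


def method_lists(config: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Map AAA method-list names to their method string, e.g. 'group radius' or 'local'."""
    authen = {name: methods.strip() for name, methods in AUTHEN_RE.findall(config)}
    author = {name: methods.strip() for name, methods in AUTHOR_RE.findall(config)}
    return authen, author


def shared_aaa_servers(config: str) -> Dict[str, Optional[str]]:
    """For each crypto map, return the external server method shared by its Xauth
    list and its ISAKMP authorization list, or None when the two lists use
    different backends (for example when authorization is 'local')."""
    authen, author = method_lists(config)
    xauth_lists = dict(MAP_AUTHEN_RE.findall(config))
    isakmp_lists = dict(MAP_AUTHOR_RE.findall(config))
    findings: Dict[str, Optional[str]] = {}
    for cmap, xauth_list in xauth_lists.items():
        user_method = authen.get(xauth_list)
        group_method = author.get(isakmp_lists.get(cmap, ""))
        # Only 'group <server-group>' methods query an external server; when both
        # lists hit the same group, the group account is also a valid Xauth user.
        shared = (user_method is not None and user_method == group_method
                  and user_method.startswith("group "))
        findings[cmap] = user_method if shared else None
    return findings
```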
