ACS Auth: Using group data for user authentication -> Security issue?

martinwicher (Level 1)

I'm using a VPN installation (Router, ACS, Cisco VPN Client) and I noticed that the group name and decrypted group password can also be used in the second step of authentication (the extended authentication or user authentication), which is a big security concern. What is wrong in my configuration?

For testing I set up a VPN config like it is described in Cisco documents. There it also works. The group credentials work in the user authentication, too, which is absolutely logical because the group credentials are also a user in the ACS database. Of course this user can be authenticated in the user authentication process.

What's wrong? How do other admins solve this? Am I wrong in my approach?

Thanks!



5 Replies

Marcin Latosiewicz (Cisco Employee)

Snapshots of config and ACS config would be useful.

"Normally" group authentication is local while user authentication is done in ACS.

To avoid the whole business altogether you can use certificates for group authentication.

CONFIG VPN_ROUTER:

...

! login list used for XAUTH (user authentication) -> RADIUS
aaa authentication login userauthen group radius
! network list used for the ISAKMP group lookup -> the same RADIUS server
aaa authorization network groupauthor group radius
!
...

!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
! both AAA functions bound to the same crypto map
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
crypto map clientmap
!
interface FastEthernet0/1
ip address 172.18.124.159 255.255.255.0
!
ip local pool ippool 172.18.130.0 172.18.130.200

....

ACS-USERS:

User: vpn_group, PW: cisco, av-pairs: ike, preshared-key=cisco123, addr-pool, inacl

User: vpn_user, PW: xxx

My problem is that it is possible to read out the user vpn_group. The password is known, too, because (if I'm right) it is necessary that the group_pw is cisco.

An attacker can use this combination in the user authentication, too, and does not need to know the user credentials. He can use the combination of user vpn_group and standard PW cisco.

What is wrong?

Is it right that the group_pw must be cisco? When I change it, the connection doesn't work.

Yes, authorization will require the password "cisco", at least for isakmp and pki. The group will send its name and the password cisco to receive the av-pairs (ASA has a feature to create a different "common-password", but it's not there on IOS, AFAIR).

It's a known restriction - you should not use the same server for authentication and authorization, both with IOS and ASA.

Have you given this a thought (either/or):

- local isakmp authorization

- certificate authentication (group)

- splitting authentication and authorization functions between servers.

I don't believe we can do much configuration-wise to prohibit this behavior.

edit: corrected spelling.


> It's a known restriction - you should not use the same server for authentication and authorization, both with IOS and ASA.
>
> Have you given this a thought (either/or):
>
> - local isakmp authorization
>
> - certificate authentication (group)
>
> - splitting authentication and authorization functions between servers.


OK, it's good to know that my config is not totally wrong.

I think I will use local isakmp authorization, like this:

aaa authentication login userauthen group radius

aaa authorization network groupauthor local

Your suggestions are very good, thanks for your help.


I think this topic is solved. For me it is ;-)
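The restriction Marcin describes (group authorization and XAUTH user authentication querying the same RADIUS server, so the group record with its fixed password "cisco" is also a valid user login) and the fix chosen in the last reply (local isakmp authorization) can be checked mechanically from a router config and the ACS user list. The script below is an added example, not Cisco code or anything from this thread; the config text and the ACS records in it are constructed from what was posted above, and the parser only knows the four AAA and crypto map commands shown here.

```python
"""
Audit an IOS Easy VPN crypto-map setup for the shared-server problem:
if the ISAKMP authorization list and the XAUTH login list resolve to the
same AAA server group, every group record on that server (the "user"
carrying the ike/preshared-key av-pairs, password fixed to "cisco") is
also accepted as an XAUTH user login.
Added example; sample config and ACS records are constructed from the thread.
"""
import re
from dataclasses import dataclass, field

# The four commands this small audit understands (as posted in the thread).
AAA_AUTHN = re.compile(r"^aaa authentication login (\S+) (.+)$")
AAA_AUTHZ = re.compile(r"^aaa authorization network (\S+) (.+)$")
MAP_AUTHN = re.compile(r"^crypto map (\S+) client authentication list (\S+)$")
MAP_AUTHZ = re.compile(r"^crypto map (\S+) isakmp authorization list (\S+)$")


@dataclass
class AaaConfig:
    authn_lists: dict = field(default_factory=dict)  # login list -> method string
    authz_lists: dict = field(default_factory=dict)  # network list -> method string
    map_authn: dict = field(default_factory=dict)    # crypto map -> login list
    map_authz: dict = field(default_factory=dict)    # crypto map -> network list


def parse_ios(config: str) -> AaaConfig:
    """Collect AAA method lists and crypto-map bindings from an IOS config."""
    cfg = AaaConfig()
    for raw in config.splitlines():
        line = raw.strip()
        if m := AAA_AUTHN.match(line):
            cfg.authn_lists[m.group(1)] = m.group(2)
        elif m := AAA_AUTHZ.match(line):
            cfg.authz_lists[m.group(1)] = m.group(2)
        elif m := MAP_AUTHN.match(line):
            cfg.map_authn[m.group(1)] = m.group(2)
        elif m := MAP_AUTHZ.match(line):
            cfg.map_authz[m.group(1)] = m.group(2)
    return cfg


def server_groups(method: str) -> set:
    """Server groups named by a method string: 'group radius local' -> {'radius'}."""
    tokens = method.split()
    groups = {tokens[i + 1] for i, t in enumerate(tokens)
              if t == "group" and i + 1 < len(tokens)}
    groups |= {t for t in tokens if t in ("radius", "tacacs+")}  # legacy bare keywords
    return groups


def shared_server_maps(cfg: AaaConfig) -> list:
    """Crypto maps whose XAUTH list and ISAKMP authorization list share a server group."""
    findings = []
    for cmap, authn_list in cfg.map_authn.items():
        authz_list = cfg.map_authz.get(cmap)
        if authz_list is None:
            continue
        shared = (server_groups(cfg.authn_lists.get(authn_list, ""))
                  & server_groups(cfg.authz_lists.get(authz_list, "")))
        if shared:
            findings.append(cmap)
    return findings


def group_records(acs_users: list) -> list:
    """ACS entries carrying the 'ike' av-pair are group records, not people."""
    return [u["user"] for u in acs_users if "ike" in u.get("av_pairs", [])]


def xauth_exposed_accounts(cfg: AaaConfig, acs_users: list) -> list:
    """Group records the router would also accept as XAUTH user logins.

    Only possible when a crypto map sends both functions to the same server;
    with local isakmp authorization the group records never reach XAUTH.
    """
    if not shared_server_maps(cfg):
        return []
    return group_records(acs_users)


# Constructed from the router config posted in the thread.
ORIGINAL_CONFIG = """
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
"""

# The fix chosen in the last reply: keep the group definition local.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "aaa authorization network groupauthor group radius",
    "aaa authorization network groupauthor local")

# Constructed from the ACS user list posted in the thread.
ACS_USERS = [
    {"user": "vpn_group", "password": "cisco",
     "av_pairs": ["ike", "preshared-key=cisco123", "addr-pool", "inacl"]},
    {"user": "vpn_user", "password": "xxx", "av_pairs": []},
]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_ios(text)
        print(name, "shared-server maps:", shared_server_maps(cfg),
              "| group accounts usable for XAUTH:", xauth_exposed_accounts(cfg, ACS_USERS))
```

Run against the original config the audit reports `clientmap` and lists `vpn_group` as a group account that would pass user authentication; against the config with `aaa authorization network groupauthor local` it reports nothing, because the group record no longer lives in the same database the XAUTH step queries. Splitting authentication and authorization onto two different server groups (the third option in the reply) is caught the same way, since the server-group sets no longer intersect.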
