Cisco Support Community

New Member

User knows radius key


I wanted to know what are the hazards of an end-user knowing the key with which a switch authenticates with the ACS?

Hall of Fame Super Silver

Re: User knows radius key


I would not regard this as very much of a hazard. The switch uses a key to authenticate with the radius server as it gets ready to authenticate user sessions, and (depending on how you have configured your devices) possibly to prepare to do authorization requests, or possibly to prepare to send accounting records to the server.

Since the remote devices do not create user records on the radius server or alter records on the server it does not pose much threat to the integrity of the radius server. Probably worst case, if an end user knew the key it might allow the user to spoof communications to the server and appear to be a device requesting authentication. Perhaps it might be part of doing a dictionary attack to find passwords for known user IDs. But since the radius server associates particular keys with particular device addresses the spoofing would have to send the transaction to the server and have a way to get the server response sent to it and not to the real device. And the dictionary attack could just as well be mounted by attempting access to real network devices.

So I do not see a lot of threat if an end user did happen to know the key used between the device and the server.




Re: User knows radius key

Knowing a shared secret would allow a man-in-the-middle attacker to harvest usernames and passwords for non-chap-like protocols.

It also allows a MitM to collect WEP session keys by simply acting as a RADIUS proxy - with LEAP.

With new EAP protocols it's not an issue because the authentication is protected via an end-to-end tunnel (client <-> aaa server).

However, if a malicious user knows where the AAA servers are, I'd worry more about a DoS attack bringing down the AAA server (and therefore preventing anyone getting access to perhaps your entire WLAN & possibly LAN).
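To make the second reply's point about "non-chap-like protocols" concrete: in RADIUS (RFC 2865 section 5.2) a PAP password is not encrypted with a session key, it is only XOR-hidden with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator that travels in clear in the same packet. So the shared secret is the only thing standing between a captured Access-Request and the user's password. The code below is an added example written for this page, not code from the thread, from Cisco or from ACS; the secret, password and Request Authenticator values are constructed sample data.

```python
import hashlib

# Constructed sample values (not from the thread). In a real exchange the
# Request Authenticator is a fresh random 16-byte value chosen by the NAS
# and sent in the clear; the secret is the NAS<->RADIUS key the thread asks about.
SAMPLE_SECRET = b"nas-acs-shared-key"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_PASSWORD = b"correct horse battery"   # 21 bytes -> two 16-byte blocks


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding, as a NAS performs it.

    The password is zero-padded to a multiple of 16 bytes, then each block is
    XORed with b_i = MD5(secret || b_{i-1}), where b_0 uses the Request
    Authenticator in place of the previous ciphertext block.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block            # chaining: next keystream block depends on this ciphertext
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it.

    Anyone holding the shared secret and a captured Access-Request (which
    carries the Request Authenticator in clear) can run exactly this step.
    """
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the zero padding added by the NAS


def password_recoverable_with(candidate_secret: bytes) -> bool:
    """Hide the sample password with the real secret (what the NAS sends on the
    wire), then try to reveal it with a candidate secret. True only when the
    candidate is the real shared secret: without it the capture is useless,
    with it the PAP password falls out directly."""
    on_the_wire = hide_user_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_REQUEST_AUTH)
    return reveal_user_password(on_the_wire, candidate_secret, SAMPLE_REQUEST_AUTH) == SAMPLE_PASSWORD


if __name__ == "__main__":
    print("with the shared secret:  ", password_recoverable_with(SAMPLE_SECRET))
    print("with a guessed secret:   ", password_recoverable_with(b"guess"))
```

The round trip works with the real secret and fails with any other, which is the whole protection PAP-over-RADIUS has; CHAP, MS-CHAPv2 and tunnelled EAP methods do not put a reusable password in this attribute, which is why the second reply treats them differently. It is also why the usual mitigations are a long random per-NAS secret, the server's per-client address binding the first reply mentions, and RADIUS over IPsec or RadSec (TLS) between NAS and server.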