New Member

[OTP] How can we protect password in RADIUS packets?

Hi,

I use this architecture:

Client --- ASA 9.1 --- ACS 5.4 (RADIUS) --- OTP Server (RADIUS)

  • Client connects with login/OTP.
  • ASA transmits Access-Request and credentials to ACS 5.4 using the PAP protocol.
  • ACS 5.4 transmits Access-Request and credentials to the OTP Server using the PAP protocol.

With the PAP protocol, the password is only secured by RADIUS (hash and XOR with the shared secret).

How could I get a stronger encryption?

Thanks for your help,

Patrick
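The "hash and XOR with shared secret" mentioned above is the User-Password hiding scheme from RFC 2865 section 5.2. The following is an added example, not code from this thread, that implements that scheme in Python so the mechanism is concrete: the password is padded to a multiple of 16 bytes, the first block is XORed with MD5(secret || Request-Authenticator), and each later block is XORed with MD5(secret || previous ciphertext block). The shared secret, Request Authenticator and password values are constructed for the demonstration. Note what it shows from the defender's side: every hop that holds the shared secret (here the ACS proxy, and then the OTP server) recovers the clear-text password, and the scheme provides no integrity check, so a wrong secret simply yields garbage rather than an error.

```python
import hashlib
import os


def _blocks(data: bytes):
    """Yield data in 16-byte slices (MD5 digest length)."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16]


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding (the PAP 'encryption' in RADIUS).

    c1 = p1 XOR MD5(S + RA)
    ci = pi XOR MD5(S + c(i-1))   for i > 1
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    # pad with NULs to a multiple of 16 bytes
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_auth
    for p in _blocks(padded):
        keystream = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p, keystream))
        out += c
        prev = c  # chaining: next keystream block depends on this ciphertext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as done by any RADIUS server or proxy
    that knows the shared secret. There is no authentication tag, so a
    wrong secret returns meaningless bytes instead of failing."""
    if len(hidden) % 16 != 0 or not hidden:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_auth
    for c in _blocks(hidden):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, keystream))
        prev = c
    # strip the NUL padding (RFC limitation: a password cannot end in NUL)
    return bytes(out).rstrip(b"\x00")


def round_trip_ok(password: bytes, secret: bytes) -> bool:
    """Hide with a fresh random Request Authenticator and check it reveals."""
    ra = os.urandom(16)  # constructed per-request nonce, as a NAS would do
    return reveal_password(hide_password(password, secret, ra), secret, ra) == password


if __name__ == "__main__":
    # constructed demo values; a real NAS-to-server secret must be long and random
    secret = b"example-shared-secret"
    ra = bytes(range(16))
    hidden = hide_password(b"123456", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("revealed with correct secret:", reveal_password(hidden, secret, ra))
    print("revealed with wrong secret:  ", reveal_password(hidden, b"wrong", ra))
```

In the architecture from the question, ASA, ACS and the OTP server each hold a shared secret, and ACS must run the reveal step to re-hide the password for its next hop, which is why the proxy sees the OTP value in clear.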

4 REPLIES
Hall of Fame Super Silver

[OTP] How can we protect password in RADIUS packets?

Switch to TACACS+ with a strong encryption key.

If you're really interested in security without changing the use of the RADIUS protocol, you could secure the packets in transit with MACsec (assuming the intervening network supports it).

New Member

[OTP] How can we protect password in RADIUS packets?

Thanks for your answer, Marvin.

Unfortunately, the OTP Server doesn't support TACACS, so this solution would solve half of the problem.

MACsec is complicated to configure in our environment... (hundreds of switches and routers...)

Cisco Employee

[OTP] How can we protect password in RADIUS packets?

Patrick,

AFAIU password-management will allow you to use MSCHAPv2. I have not been checking this for a while, but I found some articles, e.g.

http://www.islandearth.com/articles/2013/5/2/mschap-v2-for-cisco-asa-vpn-connections-using-radius-on-wind.html

that seem to confirm this.

This will take care of the path ASA->ACS. Now, to be honest, I'm not sure what will happen when you need to "proxy" the auth to another server.

M.

New Member

[OTP] How can we protect password in RADIUS packets?

Hi Marcin,

Thanks for your advice.

I already tried to enable MSCHAPv2.

Unfortunately, ACS doesn't support MSCHAPv2 with other RADIUS Servers:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889

Patrick
