The RADIUS protocol traffic can be encrypted with IPsec policies... if confidentiality of the RADIUS traffic is a concern (particularly if traversing untrusted networks).

On 26 Jun 2016 3:48 a.m., "Jimmy Hess" <mysi...@gmail.com> wrote:
> On Wed, Jun 22, 2016 at 9:38 PM, Chris Lawrence
> <clawre...@dovefire.co.uk> wrote:
> > Any RADIUS based auth works well. I've used a solution by Secure Envoy in
> > the past which seems to work well; they also have soft token apps, hard
> > tokens plus SMS based.
>
> However, a cautionary note there is that RADIUS protocol itself uses
> only weak cryptography and is not secure on the wire.
>
> That is, in the absence of AES Keywrap proprietary extension, or when
> the method of credential used is not authentication using a
> Client-side Certificate (PKI) as in *EAP.
>
> Specifically: if RADIUS is used for the Authentication stage of AAA
> with a code sent by SMS or OATH token [User types Normal password +
> One Time Password], then when traffic between RADIUS server and VPN
> device is captured: The user credentials may be exposed with the
> extremely weak crypto protection RADIUS or NTLM provides for the
> user password.
>
> If a user re-uses their same password somewhere else on a device not
> requiring 2FA, then capturing RADIUS traffic could be an effective
> privilege escalation by copying victim's password from a sniffed
> RADIUS exchange.
>
> --
> -JH
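To make the "weak crypto protection" point in the quoted message concrete, here is an added example (not from either poster) implementing the User-Password hiding that RFC 2865 section 5.2 specifies: the password is NUL-padded to 16-byte blocks and each block is XORed with MD5(shared secret || previous block), where the first "previous block" is the Request Authenticator that travels in the clear in the Access-Request. The shared secret, Request Authenticator and password values below are constructed for the demonstration. The code shows why the thread's advice (IPsec on the path, or certificate-based EAP) matters: the only thing standing between a captured exchange and the plaintext password is the shared secret, and the keystream for a given request does not depend on the password at all.

```python
import hashlib
import os

# Constructed sample values (not real credentials or secrets).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTHENTICATOR = bytes(range(16))  # would normally be 16 random bytes
SAMPLE_PASSWORD = b"hunter2"


def _keystream_blocks(secret: bytes, request_authenticator: bytes, prev_blocks: list[bytes]):
    """Yield the MD5-derived 16-byte XOR masks, one per block, per RFC 2865 5.2.

    Block i is masked with MD5(secret || c_{i-1}), where c_0 is the Request
    Authenticator and c_i are the *hidden* (on-the-wire) blocks. Nothing about
    the password enters the first mask, so it is purely a function of two values
    an observer either sees on the wire (the authenticator) or can guess (the secret).
    """
    prev = request_authenticator
    for block in prev_blocks:
        yield hashlib.md5(secret + prev).digest()
        prev = block


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode a User-Password attribute value as a RADIUS client would send it."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    # Pad with NULs to a multiple of 16; an empty password still occupies one block.
    n_blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(n_blocks * 16, b"\x00")

    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # chaining uses the hidden block, which is visible on the wire
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the password from a captured User-Password value, given the shared secret.

    This is exactly what the RADIUS server does on receipt; it is also all an
    observer of the wire needs, because the Request Authenticator is sent in clear.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    blocks = [hidden[i:i + 16] for i in range(0, len(hidden), 16)]
    plain = bytearray()
    for block, mask in zip(blocks, _keystream_blocks(secret, request_authenticator, blocks)):
        plain += bytes(c ^ m for c, m in zip(block, mask))
    return bytes(plain).rstrip(b"\x00")


def first_block_xor(pw_a: bytes, pw_b: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Show that the first mask is password-independent: XOR of two hidden first
    blocks under the same secret and authenticator equals XOR of the padded plaintexts."""
    ha = hide_password(pw_a, secret, request_authenticator)[:16]
    hb = hide_password(pw_b, secret, request_authenticator)[:16]
    return bytes(x ^ y for x, y in zip(ha, hb))


if __name__ == "__main__":
    ra = os.urandom(16)
    wire = hide_password(SAMPLE_PASSWORD, SAMPLE_SECRET, ra)
    print("on the wire:", wire.hex())
    print("server side:", reveal_password(wire, SAMPLE_SECRET, ra))
    print("wrong secret:", reveal_password(wire, b"guess", ra))
```

Run it as a script to see the hidden attribute, the server-side recovery, and the garbage produced by a wrong secret. The useful defensive takeaways are the ones the code makes visible: the masking is a single-pass MD5 stream keyed only by the shared secret and a cleartext nonce, so a short or reused shared secret offers little, and an IPsec tunnel (or an EAP method that never puts the password in a User-Password attribute) is what actually protects the credential on an untrusted path.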