Re: Cisco 2 factor authentication

2016-06-26 Thread Tom Smyth
The RADIUS protocol traffic can be encrypted with IPsec policies... if
confidentiality of the RADIUS traffic is a concern (particularly if
traversing untrusted networks).
On 26 Jun 2016 3:48 a.m., "Jimmy Hess" wrote:

> On Wed, Jun 22, 2016 at 9:38 PM, Chris Lawrence
>  wrote:
> > Any RADIUS-based auth works well. I've used a solution by Secure Envoy in
> > the past which seems to work well; they also have soft token apps, hard
> > tokens plus SMS-based.
>
> However, a cautionary note there is that the RADIUS protocol itself uses
> only weak cryptography and is not secure on the wire.
>
> That is, in the absence of the AES Keywrap proprietary extension, or when
> the credential method used is not authentication using a
> client-side certificate (PKI) as in *EAP.
>
> Specifically: if RADIUS is used for the Authentication stage of AAA
> with a code sent by SMS or OATH token [user types normal password +
> one-time password], then when traffic between the RADIUS server and VPN
> device is captured, the user credentials may be exposed with the
> extremely weak crypto protection RADIUS or NTLM provides for the
> user password.
>
> If a user re-uses the same password somewhere else on a device not
> requiring 2FA, then capturing RADIUS traffic could be an effective
> privilege escalation, by copying the victim's password from a sniffed
> RADIUS exchange.
>
> --
> -JH
>
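
The User-Password hiding that Jimmy calls weak is the RFC 2865 section 5.2 scheme. The following added Python (not code from anyone on this thread) implements both directions to show that the only input an eavesdropper lacks is the shared secret, since the 16-byte Request Authenticator that seeds the MD5 keystream is carried in the clear in the same Access-Request. The secret, Request Authenticator and credential values are constructed for illustration.

```python
import hashlib

# Constructed sample values for illustration only; they are not from the thread.
EXAMPLE_SECRET = b"s3cret"       # shared secret between VPN device and RADIUS server
EXAMPLE_RA = bytes(range(16))    # Request Authenticator: sent in the clear in the packet


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding as the NAS/VPN device applies it.

    The password is NUL-padded to a multiple of 16 bytes and chunk i is XORed with
    MD5(secret + c[i-1]), where c[-1] is the 16-byte Request Authenticator. The only
    input an eavesdropper lacks is `secret`; everything else is in the captured packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: the packet plus the shared secret regenerates the
    same MD5 keystream. Trailing NULs are stripped as padding, so a password that
    itself ends in NUL bytes is ambiguous (RFC 2865 says as much)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += _xor16(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return bytes(plain).rstrip(b"\x00")


if __name__ == "__main__":
    # The "normal password + one-time code" credential from the thread, concatenated.
    creds = b"hunter2" + b"123456"
    on_wire = hide_user_password(creds, EXAMPLE_SECRET, EXAMPLE_RA)
    print(reveal_user_password(on_wire, EXAMPLE_SECRET, EXAMPLE_RA))  # static part included
```

Because there is no per-session key, the same secret and packet always yield the same bytes, which is why Tom's suggestion of an outer IPsec layer (or a non-reusable credential such as a client certificate via EAP) is the remedy rather than a stronger shared secret alone.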


Re: NANOG67 - Tipping point of community and sponsor bashing?

2016-06-26 Thread Stephen Sprunk

On 2016-06-18 12:54, Brandon Ross wrote:

> On Fri, 17 Jun 2016, Eric Kuhnke wrote:
>
> > What Randy just wrote is exactly the point I was trying to make in my
> > last email. Some real estate facility owners/managers have got into the
> > mistaken mindset that they can get the greatest value and the most
> > monthly revenue from the square-footage of their building by charging
> > additional MRC XC fees to the tenants of the building.
>
> There are some VERY successful companies that would strongly disagree
> with you.
>
> > When in fact the opposite is true, and we need a concerted community
> > effort to lobby every IX real estate owner with this fact: Your real
> > estate will be MORE valuable and will attract a greater critical mass
> > of carriers, eyeball networks, CDNs, huge hosting providers/colo/VM,
> > etc. if you make the crossconnects free.
>
> But then why would we want to do that?  If you are correct and doing
> so would raise the value of the real estate, doesn't that mean that
> the building managers would be able to charge operators a whole lot
> more than they are able to today, in aggregate?


If the price of XC drops to ~zero, then tenants are going to do a lot 
more of it and thereby get more value from the IX, which means people 
will be _willing_ to pay more for that real estate, rather than 
complaining about XC price-gouging.  It's as much perception as it is 
math.


OTOH, if prices climb to unreasonable levels, then more space will 
(eventually) be made available, e.g. by pushing non-IX tenants out of 
the building, by laying ample dark fiber to a nearby building for 
expansion (but still ~free XC) or by a competitor appearing.


The problems come with expansion that is _not_ nearby, i.e. XC can no 
longer be ~free, yet the operator still tries to pretend it's a single 
facility.  There are plenty of folks in the business of transporting 
bits over long distances; IMHO, an IX shouldn't be one of them.


S

--
Stephen Sprunk  "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov


Re: Cisco 2 factor authentication

2016-06-26 Thread Alan Buxey
As per other statements of such seen elsewhere online, do you have examples or
code which will allow the recovery of passwords in a RADIUS exchange? Yes, the
shared secret mechanism is widely stated as 'weak', but is it actively attacked?

alan