This message is a reminder to ensure best practices for RADIUS security. i.e. RADIUS traffic should always go over an administrative VLAN, and not over a public network. For one reason why, see: https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-0... Anyone who sees the MS-CHAP data can trivially crack the password. And not just user passwords. Many switches support MS-CHAP authentication for administrative logins or VPN authentication. A quick search of the net found at least these two: https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mschap... https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/s... https://www.sonicwall.com/support/knowledge-base/configuring-radius-authenti.... https://www.cisco.com/c/en/us/support/docs/security/firepower-management-cen... It is *highly recommended* to disable MS-CHAP everywhere. And similarly, *always* put RADIUS traffic into a management VLAN. Alan DeKok.
participants (1)
-
Alan DeKok