RADIUS Security and Best Practices
Alan DeKok
aland at deployingradius.com
Tue Feb 6 13:38:17 UTC 2024
This message is a reminder to ensure best practices for RADIUS security, i.e. RADIUS traffic should always go over an administrative VLAN, and not over a public network.
For one reason why, see: https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-00#section-7.4
Anyone who sees the MS-CHAP data can trivially crack the password. And not just user passwords.
Many switches support MS-CHAP authentication for administrative logins or VPN authentication. A quick search of the net found at least these two:
https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mschapv2-configuration-in-5520-amp-x440-series-switches-for/m-p/99047
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_0111.html
https://www.sonicwall.com/support/knowledge-base/configuring-radius-authentication-for-global-vpn-clients-with-network-policy-and-access-server/170505788908370/&sa=U/#:~:text=When%20using%20RADIUS%20to%20authenticate,expired%20passwords%20at%20login%20time.
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/217437-configure-ftd-remote-access-vpn-with-msc.html
It is *highly recommended* to disable MS-CHAP everywhere. And similarly, *always* put RADIUS traffic into a management VLAN.
Alan DeKok.
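As an added illustration of the point above (this is not code from the message, from FreeRADIUS, or from any of the linked vendors), the following Python script parses a RADIUS Access-Request, flags MS-CHAP attributes from the Microsoft vendor space (RFC 2548), and pulls out the two values an offline cracker works from: the 8-byte MS-CHAPv2 ChallengeHash (RFC 2759) and the 24-byte NT-Response. The attribute and vendor numbers are the RFC values; the sample packet, user name and challenge bytes are constructed here and do not come from any real capture.

```python
import hashlib
import struct

# Attribute numbers from RFC 2865 (RADIUS) and RFC 2548 (Microsoft VSAs).
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
MS_CHAP_RESPONSE = 1      # MS-CHAPv1 response
MS_CHAP_CHALLENGE = 11    # authenticator challenge (16 octets for MS-CHAPv2)
MS_CHAP2_RESPONSE = 25    # Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)


def parse_radius(packet):
    """Parse a RADIUS packet into (code, identifier, authenticator, attributes).

    Each attribute is (type, vendor_id, vendor_type, value); the vendor fields
    are None for non-VSA attributes. Raises ValueError on malformed lengths.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator = packet[4:20]
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vpos = 4  # vendor sub-attributes use the same TLV layout
            while vpos < len(value):
                if vpos + 2 > len(value):
                    raise ValueError("truncated VSA header")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad VSA length")
                attrs.append((atype, vendor, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return code, ident, authenticator, attrs


def is_well_formed(packet):
    """True if the packet parses cleanly, False on any length error."""
    try:
        parse_radius(packet)
        return True
    except ValueError:
        return False


def ms_chapv2_challenge_hash(peer_challenge, auth_challenge, username):
    """ChallengeHash per RFC 2759 8.2: SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[0:8]."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def audit_access_request(packet):
    """Flag MS-CHAP use in a captured Access-Request and extract the crackable material."""
    code, _ident, _auth, attrs = parse_radius(packet)
    findings = {"code": code, "user": None, "mschap_version": None,
                "challenge_hash": None, "nt_response": None}
    auth_challenge = peer_challenge = nt_response = None
    for atype, vendor, vtype, value in attrs:
        if atype == ATTR_USER_NAME:
            findings["user"] = value
        elif vendor == VENDOR_MICROSOFT and vtype == MS_CHAP_CHALLENGE:
            auth_challenge = value
        elif vendor == VENDOR_MICROSOFT and vtype == MS_CHAP_RESPONSE:
            findings["mschap_version"] = 1
        elif vendor == VENDOR_MICROSOFT and vtype == MS_CHAP2_RESPONSE and len(value) == 50:
            findings["mschap_version"] = 2
            peer_challenge = value[2:18]
            nt_response = value[26:50]
    if findings["mschap_version"] == 2 and auth_challenge and findings["user"]:
        # RFC 2759 hashes the bare user name, so strip any DOMAIN\ prefix.
        user = findings["user"].split(b"\\")[-1]
        findings["challenge_hash"] = ms_chapv2_challenge_hash(peer_challenge, auth_challenge, user)
        findings["nt_response"] = nt_response
    return findings


def build_access_request(ident, authenticator, username, auth_challenge, peer_challenge, nt_response):
    """Assemble a minimal MS-CHAPv2 Access-Request (used here only to make the sample packet)."""
    def avp(atype, value):
        return bytes([atype, len(value) + 2]) + value

    def ms_vsa(vtype, value):
        inner = bytes([vtype, len(value) + 2]) + value
        return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_MICROSOFT) + inner)

    body = (avp(ATTR_USER_NAME, username)
            + ms_vsa(MS_CHAP_CHALLENGE, auth_challenge)
            + ms_vsa(MS_CHAP2_RESPONSE, bytes([1, 0]) + peer_challenge + bytes(8) + nt_response))
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


# Constructed sample values; not taken from any real capture.
AUTH_CHALLENGE = bytes(range(0x00, 0x10))
PEER_CHALLENGE = bytes(range(0x10, 0x20))
NT_RESPONSE = bytes(range(0x20, 0x38))
SAMPLE_PACKET = build_access_request(7, bytes(16), b"CORP\\alice",
                                     AUTH_CHALLENGE, PEER_CHALLENGE, NT_RESPONSE)

if __name__ == "__main__":
    f = audit_access_request(SAMPLE_PACKET)
    print("user:", f["user"], "MS-CHAP version:", f["mschap_version"])
    print("challenge hash:", f["challenge_hash"].hex(), "NT-Response:", f["nt_response"].hex())
```

Run it over packets pulled from a capture of the RADIUS segment; any hit with `mschap_version` set is a client that still sends MS-CHAP in the clear over RADIUS. The two values it prints are exactly the input to the known DES key search against MS-CHAPv2 (the response is three DES encryptions of the ChallengeHash under keys derived from the NT password hash), which is why the script stops there and does not implement the search itself.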