RADIUS Security and Best Practices

Alan DeKok aland at deployingradius.com
Tue Feb 6 13:38:17 UTC 2024


  This message is a reminder to ensure best practices for RADIUS security, i.e. RADIUS traffic should always go over an administrative VLAN, and not over a public network.

  For one reason why, see: https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-00#section-7.4

  Anyone who sees the MS-CHAP data can trivially crack the password.  And not just user passwords.

  Many switches support MS-CHAP authentication for administrative logins or VPN authentication.  A quick search of the net found at least these two:

https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mschapv2-configuration-in-5520-amp-x440-series-switches-for/m-p/99047

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_0111.html

https://www.sonicwall.com/support/knowledge-base/configuring-radius-authentication-for-global-vpn-clients-with-network-policy-and-access-server/170505788908370/&sa=U/#:~:text=When%20using%20RADIUS%20to%20authenticate,expired%20passwords%20at%20login%20time.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/217437-configure-ftd-remote-access-vpn-with-msc.html

  It is *highly recommended* to disable MS-CHAP everywhere.  And similarly, *always* put RADIUS traffic into a management VLAN.

 Alan DeKok.
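A defender-side check that follows from the two recommendations above, added here as an example and not part of Alan's post or of the FreeRADIUS project: a small RADIUS (RFC 2865) attribute parser that walks a captured packet, flags any Microsoft vendor-specific attribute (vendor ID 311, RFC 2548) carrying MS-CHAP material, and flags packets whose source address is outside the management networks you expect RADIUS to live on. The sample packets, the `10.99.0.0/24` management network and the addresses are constructed for the example; the RADIUS header layout, attribute 26 (Vendor-Specific) and the Microsoft sub-attribute numbers are the standard ones.

```python
import ipaddress
import struct

MICROSOFT_VENDOR_ID = 311  # RFC 2548 vendor ID for Microsoft VSAs

# Microsoft vendor sub-attributes that indicate MS-CHAP / MS-CHAPv2 is in use (RFC 2548).
MSCHAP_VSA_TYPES = {
    1: "MS-CHAP-Response",
    3: "MS-CHAP-CPW-1",
    4: "MS-CHAP-CPW-2",
    11: "MS-CHAP-Challenge",
    25: "MS-CHAP2-Response",
    26: "MS-CHAP2-Success",
    27: "MS-CHAP2-CPW",
}

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def parse_radius(packet: bytes):
    """Parse a RADIUS packet into (code, identifier, [(attr_type, value), ...]).

    Header is Code(1) Identifier(1) Length(2) Authenticator(16); attributes follow
    as Type(1) Length(1) Value, with Length covering the two header bytes.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def microsoft_vsas(value: bytes):
    """Yield (vendor_type, vendor_value) for each sub-attribute of a Microsoft Vendor-Specific value."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != MICROSOFT_VENDOR_ID:
        return
    pos = 4
    while pos + 2 <= len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            return  # malformed sub-attribute; stop rather than misparse
        yield vtype, value[pos + 2:pos + vlen]
        pos += vlen


def audit_radius(packet: bytes, src_ip: str, management_nets) -> list:
    """Return human-readable findings: RADIUS seen off the management VLAN, and MS-CHAP attributes."""
    findings = []
    code, _ident, attrs = parse_radius(packet)
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(net) for net in management_nets):
        findings.append(f"RADIUS {RADIUS_CODES.get(code, code)} from {src_ip} outside management VLAN")
    for atype, value in attrs:
        if atype == 26:  # Vendor-Specific
            for vtype, _vvalue in microsoft_vsas(value):
                if vtype in MSCHAP_VSA_TYPES:
                    findings.append(f"{MSCHAP_VSA_TYPES[vtype]} present (MS-CHAP in use)")
    return findings


# --- helpers to build constructed sample packets (not real captures) ---
def avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def ms_vsa(vtype: int, value: bytes) -> bytes:
    sub = bytes([vtype, len(value) + 2]) + value
    return avp(26, struct.pack("!I", MICROSOFT_VENDOR_ID) + sub)


def build_access_request(ident: int, attrs) -> bytes:
    body = b"".join(attrs)
    # Zeroed Request Authenticator: fine for a constructed sample, never for real traffic.
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


MANAGEMENT_NETS = ["10.99.0.0/24"]  # constructed management VLAN

# Constructed: an MS-CHAPv2 login for "admin" arriving from a non-management address.
MSCHAP_REQUEST = build_access_request(7, [avp(1, b"admin"), ms_vsa(11, bytes(16)), ms_vsa(25, bytes(50))])
# Constructed: a PAP request (User-Name + User-Password) from inside the management VLAN.
PAP_REQUEST = build_access_request(8, [avp(1, b"alice"), avp(2, bytes(16))])

if __name__ == "__main__":
    for pkt, src in ((MSCHAP_REQUEST, "192.0.2.10"), (PAP_REQUEST, "10.99.0.5")):
        print(src, audit_radius(pkt, src, MANAGEMENT_NETS) or ["no findings"])
```

Run it over packets pulled from a capture on the RADIUS port to get a quick inventory of which NAS devices still send MS-CHAP and which talk to the server from outside the management VLAN; both lists are the to-do list for disabling MS-CHAP and moving the traffic.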


