Re: Cisco 2 factor authentication

[Tom Smyth <tom.smyth () wirelessconnect eu>]

The radius protocol traffic can be encrypted with ipsec policies...if
confidentiality of the radius traffic is a concern ( particularly if
traversing untrusted networks)
On 26 Jun 2016 3:48 a.m., "Jimmy Hess" <mysidia () gmail com> wrote:

> On Wed, Jun 22, 2016 at 9:38 PM, Chris Lawrence
> <clawrence () dovefire co uk> wrote:
> > Any radius based auth works well I've used a solution by secure envoy I
> the past which seems to work well they also have soft token apps, hard
> tokens plus SMS based.
>
> However, a cautionary note there is that RADIUS protocol itself uses
> only weak cryptography and is not  secure on the wire.
>
> That is, in the absence of AES Keywrap proprietary extension  Or when
> the method of credential used is not authentication using a
> Client-side Certificate (PKI)  as  in  *EAP.
>
> Specifically:  if RADIUS is used for the Authentication stage of AAA
> with a code sent by SMS or OATH token [User types Normal password +
> One Time Password],  then when traffic between RADIUS server and  VPN
> device is captured:   The user credentials may be exposed  with the
> extremely weak crypto protection  RADIUS   or NTLM provides for the
> user password.
>
> If a user re-uses their same password somewhere else on a device not
> requiring 2FA,  then capturing RADIUS traffic could be an effective
> privilege escalation  By copying victim's password from a sniffed
> RADIUS exchange.
>
> --
> -JH