When does encryption start with RADIUS and Certificate authentication

Solved
JordanCN
Getting noticed

When does encryption start with RADIUS and Certificate authentication

Quick question on when or if the encryption starts when using the RADIUS authentication option with Certificates.  In the setup article:

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication

 

The Network Policy configuration steps for RADIUS say "Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP)". So is this connection method unencrypted?

1 Accepted Solution
CptnCrnch
Kind of a big deal
Kind of a big deal

With certificate authentication, only public certificates are transferred. There's a way to check binary matches on AD when using Cisco ISE for example, but PKI should be secure enough for most purposes nowadays.

View solution in original post

4 Replies 4
CptnCrnch
Kind of a big deal
Kind of a big deal

RADIUS itself is an unencrypted protocol framework, so yes. You're able to transmit obfuscated password though by using a Shared Secret that is used to hash via MD5.

There are several protocols that can be leveraged "inside"  to have a common "language" in-between its peers. PAP, CHAP or EAP-MSCHAPv2 are three of those password-based protocols. It sounds like you're using EAL-TLS that will use certificates for authentication.

 

As for your question, you'll find great information about it on https://www.securew2.com/blog/what-is-eap-tls. In a nutshell, encryption starts after having completed the authentication that is based on encryption keys that both parties will rely on.

KarstenI
Kind of a big deal
Kind of a big deal

To add to the answer from @CptnCrnch :

- The traffic from the user to the MX is protected with TLS, including the authentication.

- The MX forwards the user credentials with RADIUS to the RADIUS server, which is the cleartext password encrypted with a weak encryption algorithm. 

Would Certificate and Active Directory authentication offer any improvement?  

CptnCrnch
Kind of a big deal
Kind of a big deal

With certificate authentication, only public certificates are transferred. There's a way to check binary matches on AD when using Cisco ISE for example, but PKI should be secure enough for most purposes nowadays.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels