Quick question on when or if the encryption starts when using the RADIUS authentication option with Certificates. In the setup article:
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication
The Network Policy configuration steps for RADIUS say "Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP)". So is this connection method unencrypted?
RADIUS itself is an unencrypted protocol framework, so yes. You're able to transmit an obfuscated password though by using a Shared Secret that is used to hash via MD5.
There are several protocols that can be leveraged "inside" to have a common "language" in between its peers. PAP, CHAP or EAP-MSCHAPv2 are three of those password-based protocols. It sounds like you're using EAP-TLS, which will use certificates for authentication.
As for your question, you'll find great information about it on https://www.securew2.com/blog/what-is-eap-tls. In a nutshell, encryption starts after having completed the authentication that is based on encryption keys that both parties will rely on.
To add to the answer from @CptnCrnch:
- The traffic from the user to the MX is protected with TLS, including the authentication.
- The MX forwards the user credentials with RADIUS to the RADIUS server, which is the cleartext password encrypted with a weak encryption algorithm.
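To make concrete what "obfuscated with a Shared Secret via MD5" and "encrypted with a weak encryption algorithm" mean for the PAP hop between the MX and the RADIUS server, here is an added example (not from this thread, Meraki, or any RADIUS implementation) of the RFC 2865 User-Password hiding scheme; the shared secret, password and Request Authenticator are constructed sample values.

```python
import hashlib

# Constructed sample values for the demo (not taken from the thread).
SAMPLE_SECRET = b"meraki-radius-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))  # 16-byte Request Authenticator; sent in cleartext


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as used by PAP over RADIUS.

    Each 16-byte block of the null-padded password is XORed with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. There is no key exchange: the keystream depends only on the
    shared secret and on bytes that travel in the clear in the same packet."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: the same computation the RADIUS server
    performs, and that anyone holding the shared secret and the packet can perform."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")  # strip the RFC padding


if __name__ == "__main__":
    pw = b"correct horse battery staple"
    on_the_wire = hide_user_password(pw, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    print("hidden  :", on_the_wire.hex())
    print("revealed:", reveal_user_password(on_the_wire, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR))
```

Because the Request Authenticator is carried in the packet and MD5 here is not a key agreement, confidentiality of a PAP password on this hop rests entirely on the shared secret; when the MX-to-RADIUS path is not trusted, the usual mitigation is to carry RADIUS inside IPsec or RadSec (RADIUS over TLS, RFC 6614).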
Would Certificate and Active Directory authentication offer any improvement?
With certificate authentication, only public certificates are transferred. There's a way to check binary matches on AD when using Cisco ISE for example, but PKI should be secure enough for most purposes nowadays.