Meraki

Community

When does encryption start with RADIUS and Certificate authentication

Solved
JordanCN
Getting noticed
‎Nov 12 2023 5:18 PM
‎Nov 12 2023 5:18 PM

When does encryption start with RADIUS and Certificate authentication

Quick question on when or if the encryption starts when using the RADIUS authentication option with Certificates.  In the setup article:

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication

 

The Network Policy configuration steps for RADIUS say "Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP)". So is this connection method unencrypted?

Labels:
0 Kudos
1 Accepted Solution
In response to JordanCN
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Nov 13 2023 7:00 AM
‎Nov 13 2023 7:00 AM

With certificate authentication, only public certificates are transferred. There's a way to check binary matches on AD when using Cisco ISE for example, but PKI should be secure enough for most purposes nowadays.

View solution in original post

0 Kudos
4 Replies 4
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Nov 13 2023 12:17 AM
‎Nov 13 2023 12:17 AM

RADIUS itself is an unencrypted protocol framework, so yes. You're able to transmit obfuscated password though by using a Shared Secret that is used to hash via MD5.

There are several protocols that can be leveraged "inside"  to have a common "language" in-between its peers. PAP, CHAP or EAP-MSCHAPv2 are three of those password-based protocols. It sounds like you're using EAL-TLS that will use certificates for authentication.

 

As for your question, you'll find great information about it on https://www.securew2.com/blog/what-is-eap-tls. In a nutshell, encryption starts after having completed the authentication that is based on encryption keys that both parties will rely on.

KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 13 2023 5:15 AM
‎Nov 13 2023 5:15 AM

To add to the answer from @CptnCrnch :

- The traffic from the user to the MX is protected with TLS, including the authentication.

- The MX forwards the user credentials with RADIUS to the RADIUS server, which is the cleartext password encrypted with a weak encryption algorithm. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
JordanCN
Getting noticed
‎Nov 13 2023 6:33 AM
‎Nov 13 2023 6:33 AM

Would Certificate and Active Directory authentication offer any improvement?  

0 Kudos
In response to JordanCN
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Nov 13 2023 7:00 AM
‎Nov 13 2023 7:00 AM

With certificate authentication, only public certificates are transferred. There's a way to check binary matches on AD when using Cisco ISE for example, but PKI should be secure enough for most purposes nowadays.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.