Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

When does encryption start with RADIUS and Certificate authentication

Solved
JordanCN
Here to help
‎Nov 12 2023 5:18 PM
‎Nov 12 2023 5:18 PM

When does encryption start with RADIUS and Certificate authentication

Quick question on when or if the encryption starts when using the RADIUS authentication option with Certificates.  In the setup article:

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication

 

The Network Policy configuration steps for RADIUS say "Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP)". So is this connection method unencrypted?

Labels:
0 Kudos
Subscribe
1 Accepted Solution
In response to JordanCN
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Nov 13 2023 7:00 AM
‎Nov 13 2023 7:00 AM

With certificate authentication, only public certificates are transferred. There's a way to check binary matches on AD when using Cisco ISE for example, but PKI should be secure enough for most purposes nowadays.

View solution in original post

0 Kudos
Subscribe
4 Replies 4
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Nov 13 2023 12:17 AM
‎Nov 13 2023 12:17 AM

RADIUS itself is an unencrypted protocol framework, so yes. You're able to transmit obfuscated password though by using a Shared Secret that is used to hash via MD5.

There are several protocols that can be leveraged "inside"  to have a common "language" in-between its peers. PAP, CHAP or EAP-MSCHAPv2 are three of those password-based protocols. It sounds like you're using EAL-TLS that will use certificates for authentication.

 

As for your question, you'll find great information about it on https://www.securew2.com/blog/what-is-eap-tls. In a nutshell, encryption starts after having completed the authentication that is based on encryption keys that both parties will rely on.

Subscribe
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 13 2023 5:15 AM
‎Nov 13 2023 5:15 AM

To add to the answer from @CptnCrnch :

- The traffic from the user to the MX is protected with TLS, including the authentication.

- The MX forwards the user credentials with RADIUS to the RADIUS server, which is the cleartext password encrypted with a weak encryption algorithm. 

0 Kudos
Subscribe
In response to KarstenI
JordanCN
Here to help
‎Nov 13 2023 6:33 AM
‎Nov 13 2023 6:33 AM

Would Certificate and Active Directory authentication offer any improvement?  

0 Kudos
Subscribe
In response to JordanCN
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Nov 13 2023 7:00 AM
‎Nov 13 2023 7:00 AM

With certificate authentication, only public certificates are transferred. There's a way to check binary matches on AD when using Cisco ISE for example, but PKI should be secure enough for most purposes nowadays.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.