Hello everyone, I've made great progress into implementing the RADIUS servers into our network especially to be able to authenticate users connecting to the WiFi network. Everything works great and all the functionality test have passed with little or no problems. After the functionality tests, I started a few penetration tests to check how well the security is in place and I've got some bad results. I've solved many of this security problems and I am left with one problem that I have no idea how to workaround so far, and that problem is the RADIUS protocol itself, which sends data in clear-text. (I know I should have taught this from the beginning but I didn't know I would get to sent the RADIUS authentication packets to the cloud). To be more specific, I have made some packet sniffing on UDP coming from the Meraki Cloud towards our internal RADIUS servers and found those clear text information there: SSID name, AP MAC address, calling endpoint MAC address, AP IP address, username and other less relevant information. The user password hash is also there, but is hashed using SSHA512 which is secure enough to be sent over the Internet. As a security mechanism I didn't expose the RADIUS servers to the public side, I have just made some port forwarding on our gateways which allows only packets coming from the Meraki cloud to access those servers. I have also change the ports to obfuscate the sniffers a bit. But still, the packets (datagrams) are traveling across the Internet containing a lot of information which I am concern someone could use in the process of a reconnaissance attack. I've looked many ways to secure this problem but I didn't found a solution so far. I saw this problem was previously discussed here, but it has no solution: https://community.meraki.com/t5/Wireless-LAN/Sign-on-splash-page-with-radius-server-communication-not/m-p/48757#M7499 Also, changing the Network access to WPA2-Enterprise with my RADIUS server won't help much, as that will raise other problems I encountered and solved based on my previous post: https://community.meraki.com/t5/Wireless-LAN/Second-RADIUS-Server-not-Contacted-for-Authentication/m-p/70221#M10747 Has anyone come to a workaround to this problem? Is Meraki giving some security solution that I am no aware of? Thank you in advance! P.S.: I am using FreeRADIUS as a RADIUS service.
... View more