
I was wondering what the point of shared secrets is on RADIUS servers if I set the secret in the Cisco switch configuration. If the supplicant wanting to be authenticated does not have to know it, what is the point?

Thanks

Alex

2 Answers

The shared secret between a RADIUS server and a NAS (network access server - in your case the switch) serves several purposes:

  1. For many RADIUS messages, it provides an assurance that the message is from a NAS/RADIUS that has the same shared secret.
  2. It ensures that the RADIUS message has not been changed in transit.
  3. It is used to encrypt some RADIUS attributes so they are not sent in the clear.
YLearn
  • Regarding point 1, it only does that for Accounting-Requests, CoA and DM unless the Message-Authenticator is used (https://tools.ietf.org/rfc/rfc2869.txt). Regarding point 2, it only does that for Accounting-Requests, CoA and DM unless the Message-Authenticator is used (https://tools.ietf.org/rfc/rfc2869.txt). Regarding point 3, yes, it's used to encrypt things like User-Password. – Arran Cudbard-Bell Jul 03 '14 at 20:03
  • @ArranCudbard-Bell, if you check [RFC 2865](https://tools.ietf.org/rfc/rfc2865.txt), you will find that any message with a response authenticator provides both 1 and 2. This would include at least Access-Accept, Access-Reject, and Access-Challenge messages. The response authenticator is a one-way hash that uses a number of pieces of information for the input, including (but not limited to) the RADIUS response attributes and the shared secret. – YLearn Jul 03 '14 at 20:32
  • You stated 'from a NAS/RADIUS'; it does not provide validation that the packet originated from a NAS with the correct shared secret for Access-Requests. Yes, the NAS must discard the response with an invalid Response-Authenticator. But in terms of the RADIUS server processing the packet and consuming CPU time in doing so, it provides no protection. – Arran Cudbard-Bell Jul 03 '14 at 23:42
  • @ArranCudbard-Bell, the sentence started with "For many RADIUS messages." So I didn't claim it did so for all of them, nor did I say it would protect the NAS or RADIUS from processing the message. For completeness, RADIUS servers will also drop based on the response authenticator when acting as a proxy. – YLearn Jul 04 '14 at 00:58

RADIUS secrets authenticate the communication between the RADIUS client (the switch) and the RADIUS server. The intent of the RADIUS protocol is to abstract the authentication (authorization and accounting) away from the endpoint. There still needs to be some kind of authentication between the RADIUS client and server to ensure that only authentic RADIUS clients and servers are communicating with each other.

Evan Anderson
  • That's what I initially thought but I wanted to be sure. Thanks! – Alex Jul 03 '14 at 17:14
  • Except it doesn't do that for Access-Request messages. The RADIUS server can receive Access-Requests with an incorrect shared-secret (so long as the Message-Authenticator attribute is absent) and process them happily. Authentication may fail if PAP was used, as the password will be decrypted wrong, but that's about all the notice you'll get. – Arran Cudbard-Bell Jul 03 '14 at 20:05
  • @ArranCudbard-Bell - True enough. This answer wasn't meant to be an all-encompassing description of RADIUS. This depends on the RADIUS server implementation. The Microsoft IAS RADIUS implementation can be configured to disregard Access-Request messages with bad shared secrets. (That is, if you configure the server to require that the client include the signature attribute.) – Evan Anderson Jul 03 '14 at 20:16
  • The comment was to make people aware that if a Message-Authenticator is not included in the Access-Request, then the server may process Access-Requests created using a mismatched shared-secret. It's one of *the* most common gotchas in RADIUS deployments, because it's completely unexpected. Many RADIUS client implementations still do not include a Message-Authenticator attribute, or have this functionality turned off by default. – Arran Cudbard-Bell Jul 03 '14 at 23:46
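The following is an added example, not code from either answer or from any RADIUS implementation, that shows the three uses of the shared secret listed in YLearn's answer and the Access-Request gotcha Arran Cudbard-Bell raises under both answers: User-Password hiding (RFC 2865 section 5.2), the Response Authenticator on Access-Accept/Reject/Challenge (RFC 2865 section 3), the Accounting-Request authenticator (RFC 2866 section 3), and the optional Message-Authenticator HMAC-MD5 (RFC 2869 section 5.14). All secrets, the username, the password, packet identifiers and the fixed Request Authenticator are constructed sample values; a real NAS draws the Request Authenticator from `os.urandom(16)`. The packet layout is the standard Code, Identifier, Length, 16-octet Authenticator, then Type/Length/Value attributes.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80

def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(pkt):
    """Yield (type, value, offset) for each attribute after the 20-octet header."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield atype, pkt[pos + 2:pos + alen], pos
        pos += alen

def get_attr(pkt, atype):
    return next((v for t, v, _ in parse_attrs(pkt) if t == atype), None)

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def user_password_xor(data, secret, request_auth, decrypt):
    """RFC 2865 s5.2: each 16-octet block is XORed with MD5(secret + previous ciphertext block), seeded with the Request Authenticator (point 3)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = block if decrypt else xored  # chain on the ciphertext block either way
    return out

def encrypt_user_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return user_password_xor(padded, secret, request_auth, decrypt=False)

def decrypt_user_password(cipher, secret, request_auth):
    return user_password_xor(cipher, secret, request_auth, decrypt=True).rstrip(b"\x00")

def build_access_request(secret, ident, username, password, request_auth, with_msg_auth):
    """NAS side. The optional Message-Authenticator (RFC 2869 s5.14) is HMAC-MD5 keyed
    with the secret over the whole packet, computed with its own 16 octets zeroed."""
    attrs = [attr(ATTR_USER_NAME, username),
             attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))]
    if with_msg_auth:
        attrs.append(attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        zeroed = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
        attrs[-1] = attr(ATTR_MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def check_message_authenticator(pkt, secret):
    """Server side: True/False when present, None when absent (nothing bound to the secret)."""
    for atype, value, pos in parse_attrs(pkt):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return None

def build_response(code, request_pkt, secret, attrs=()):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret), RFC 2865 s3 (points 1 and 2)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(body))
    return header + hashlib.md5(header + request_pkt[4:20] + body + secret).digest() + body

def check_response(resp_pkt, request_pkt, secret):
    """NAS side: recompute the Response Authenticator from the request it sent."""
    expected = hashlib.md5(resp_pkt[:4] + request_pkt[4:20] + resp_pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_pkt[4:20])

def build_accounting_request(secret, ident, attrs):
    """Accounting-Request authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret), RFC 2866 s3: a wrong secret is detectable on receipt."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def check_accounting_request(pkt, secret):
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def demo(server_secret=b"correct-secret", nas_secret=b"wrong-secret"):
    """Constructed scenario (sample data only): the switch holds a mismatched secret."""
    ra = bytes(range(16))  # fixed so the run is reproducible; use os.urandom(16) in practice
    req = build_access_request(nas_secret, 7, b"alex", b"s3cret", ra, with_msg_auth=False)
    no_ma = check_message_authenticator(req, server_secret)  # None: nothing to verify
    junk = decrypt_user_password(get_attr(req, ATTR_USER_PASSWORD), server_secret, ra)
    req = build_access_request(nas_secret, 8, b"alex", b"s3cret", ra, with_msg_auth=True)
    with_ma = check_message_authenticator(req, server_secret)  # False: dropped up front
    resp_ok = check_response(build_response(ACCESS_ACCEPT, req, server_secret), req, nas_secret)
    return {"no_ma": no_ma, "no_ma_pw": junk, "with_ma": with_ma, "resp_at_nas": resp_ok}
```

Running `demo()` reproduces the gotcha from the comments: without Message-Authenticator the server has nothing to compare the secret against and only learns something is wrong when the PAP password decrypts to junk (`no_ma_pw`), whereas with it the mismatch is caught before any processing (`with_ma` is `False`). On the way back, the Response Authenticator is always keyed with the secret, so the switch discards the reply (`resp_at_nas` is `False`). The fix is operational rather than in code: require Message-Authenticator on the server where the implementation allows it, and make the NAS send it.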