RAdius server for login authentication

NightShade1NightShade1 Member Posts: 431
I wonder how many of you uses radius server for login authentication for your network equipments in example switches, routers etc

IF you use it, would you feel its insecure? as it just encrypt the password and not the user name? and it does not encrypt all the packet like with tacacs+?

I know many of you i guess uses TACAC +

But well im just asking about radius server here...

Guess one of the advantage of the radius over tacac+ i guess is that it overhead less on your equipments...

Would you implement RAdius authentication for example with windows server 2008 nps i mean if you could pick between that and local login on every switch? and why?
Product Manager - ArubaNetworks
Alternetworks Corp

Comments

  • emerald_octaneemerald_octane Member Posts: 613
    so you can have accountability and centralized administration on all your gear. If you have several switches and your management structure calls for x number of admins to have read access or x number of admins to have read/write access, what's easier:

    A) Creating a new user name or much worse just giving the main/only password to all admins/read onlys and then terminating these accounts when employees leave across every device which could lead to errors; no centralized record of who logged in when and where.

    B) Providing access to new admins by simply adding them to an AD security group as part of the intake process to provide them with the appropriate level of access across all appropriately configured devices , much easier to disable and also a record of who logged in at what time under what conditions and from where. Requires nothing beyond the initial configuration step on the network devices.

    Obviously the biggest negative for such a structure is to have a failed NPS infrastucture which causes a DoS which might piss off management, but any book out there says that auth infrastructure should be hardened and redundant anyway.
  • NightShade1NightShade1 Member Posts: 431
    im concerned about the security as like i said it just encrypt the passwords.
    i know its not that secure like with tacacs+ but it is enough secure?
    Product Manager - ArubaNetworks
    Alternetworks Corp
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    I have used both and seems plenty secure enough, if you are really worried then one thing you can do is run the rdius traffic over a seperte out of bands network.

    You can do things to help prevent DoS attacks by blocking repeted log in atempts from the same IP, or restricting the management interfaces to only accept traffic from specific hosts. So really a well set up authentication sould be able to mitigate agisnt DoS attacks.

    And of course you can insture there are local authentication methods that can over ride the Tacas / Radius methods.

    Personal If you have tacacs+ then go for it but Radius is plenty for basic authentication (remember with Tacacs+ you ccan authenticate indivual commands unlike Radius that is more all or nothing.)

    When you have 1,500 devices to manage local authentication is never going to work, so central managment is the way to go, and RAdius is a perfectly acctable way to go.

    the over head is not going to make any difference, your only going to be using it when you log on, and if the difference in using tacacs or radius is pusing you network over the edge I would suggest you have for more pressing issue than what protocol to use.

    remeber with radius when you say only the username is encrypted you are talking about the device authenticating with the server for the communication to begin. this is not the username and password you then use to authenticate to the deivce for managment.
    RADIUS - Wikipedia, the free encyclopedia

    so the device creates a secure link with the server, and then the authentication information is sent, this information can very but can be in the form of a certificate, or simpel suer name and password, using things like EAP or PAP. these have there own layer of authentication so can be weak or strong depending what you chose.

    so while there may be an argument that radius is not as secre as Tacacs+ for most uses and as longas you configure it correctly it is not noramly the weak point of the authentication.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • NightShade1NightShade1 Member Posts: 431
    I konw you said you already used both...
    Guess you configured it...
    ]Now i see on the link you gave me
    The RADIUS protocol does not transmit passwords in cleartext between the NAS and RADIUS server (not even with PAP protocol)
    This asnwer my question tho... at least for logging on the devices config such as switches.. the manual i have seen around always use pap...
    Product Manager - ArubaNetworks
    Alternetworks Corp
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    yep used both.

    CISCO ACS servers and various Windows NPS / Radius servers.

    The only beifit I really see with Tacacs + is how granaulr it can be for authoristion and for auditing.

    Radius can log you on or of a device, or in cisco set you to a specifice privilage level.

    Tacacs+ on the other hand can authorised a user agisnt every command there use and log the resullt.

    However unless you have very large instulations and some one or ones to manage this kind of set up, it is a mamoth task to set up and keep on top of.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Sign In or Register to comment.