Question
Thursday, December 1, 2011 6:09 PM
Hi all,
We know that we should define a "shared secret" on both the RADIUS servers and all RADIUS clients so they are able to communicate with each other.
Is this shared secret for authentication, for encryption, or for both?
Is this authentication two-way? I mean, do both the RADIUS server and the RADIUS clients authenticate each other, or does only the RADIUS server authenticate the RADIUS clients?
Thanks in advance.
All replies (2)
Thursday, December 1, 2011 6:52 PM ✅Answered
The RADIUS client authenticates to the RADIUS server using the shared secret. RADIUS is an authentication and accounting protocol. However, the secret is sort of involved with traffic encryption between the two. But it's somewhat older, and it's a best practice to implement IPsec between the two.
Read the quote from the link below:
"Sensitive attributes are encrypted using the RADIUS hiding mechanism
The RADIUS hiding mechanism uses the RADIUS shared secret, the Request Authenticator, and the use of the MD5 hashing algorithm to encrypt the User-Password and other attributes such as Tunnel-Password (RFC 2868, section 3.5) and MS-CHAP-MPPE-Keys (RFC 2548, section 2.4.1). This is a well-known issue and RFC 2865 states:
“The User-Password hiding mechanism described in Section 5.2 has not been subjected to significant amounts of cryptanalysis in the published literature. Some in the IETF community are concerned that this method might not provide sufficient confidentiality protection [15] to passwords transmitted using RADIUS. Users should evaluate their threat environment and consider whether additional security mechanisms should be employed.”
The use of a stream cipher and MD5 as a cipher primitive are part of the RADIUS specification. The only standard way to further protect the attributes that are hidden is to use Internet Protocol Security (IPsec) with Encapsulating Security Payload (ESP) and an encryption algorithm such as Triple Data Encryption Standard (3DES), to provide data confidentiality for the entire RADIUS message."
The above was quoted from:
RADIUS Protocol Security and Best Practices
http://technet.microsoft.com/en-us/library/bb742489.aspx
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Friday, December 2, 2011 6:05 AM ✅Answered
Hi John,
Thanks for posting here.
> is this shared secret for Authentication or for encryption or for both ?
> is this authentication two-way ? i mean does both RADIUS Server and RADIUS Clients Authenticate each other ? or only RADIUS Server Authenticates RADIUS Clients ?
Please refer to the explanations below:
Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password. To provide verification for Access-Request messages, you can enable use of the RADIUS Message Authenticator attribute for both the RADIUS client configured on the server running NPS and the access server.
Shared Secrets for NPS and RADIUS Clients
http://technet.microsoft.com/en-us/library/cc771660(WS.10).aspx
Using the Message Authenticator Attribute
http://technet.microsoft.com/en-us/library/cc753271(WS.10).aspx
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
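As an added example (not code from this thread or from Microsoft), the three uses of the shared secret that both replies describe, written out in Python: the User-Password hiding from RFC 2865 section 5.2, the Response Authenticator that a client checks on every reply, and the Message-Authenticator (RFC 2869) that covers the one message the Response Authenticator cannot, the Access-Request. The secret, Request Authenticator, username and password are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 1, 2, 80

def attr(atype, value):  # one Type-Length-Value attribute (RFC 2865 section 5)
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_user_password(data, secret, request_auth, reveal=False):
    # RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block).
    # The hider chains on its own output; with reveal=True it chains on the blocks received.
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if reveal else block
        out += block
    return out.rstrip(b"\x00") if reveal else out

def build_access_request(ident, secret, request_auth, username, password):
    # Message-Authenticator (RFC 2869 section 5.14) = HMAC-MD5(secret, packet with its value zeroed)
    attrs = attr(USER_NAME, username)
    attrs += attr(USER_PASSWORD, hide_user_password(password, secret, request_auth))
    ma_value = 20 + len(attrs) + 2  # offset of the Message-Authenticator value field
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_value] + mac + pkt[ma_value + 16:]

def verify_access_request(packet, secret):
    pos = 20  # walk the TLVs, zero the Message-Authenticator value again, recompute the HMAC
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator: nothing in the request depends on the secret

def build_access_accept(ident, request_auth, secret, attrs=b""):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret), RFC 2865 section 3
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

The Request Authenticator in a real Access-Request is random, so a server can only tie the request to the secret when the Message-Authenticator attribute is present, which is why both replies point at enabling it.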