julianyates
just joined
Topic Author
Posts: 7
Joined: Fri Mar 27, 2009 5:58 pm

Mikrotik + Radius + Security

Tue Oct 18, 2011 11:35 pm

Hello All,

I have been using Mikrotik and Windows 2008 R2 / Network Policy Server (NPS) Radius for several months now. I was so happy to get it working that I never stopped to think about the level of security. I have only been able to get Radius working using CHAP and MS-CHAP authentication types if I also have 'Store password using reversible encryption' checked in Active Directory Users and Computers.

How secure is the network if I'm using CHAP and storing reversible passwords?

Are there any other types of centralized authentication software I can use that can provide a higher level of security?
 
troy
Member
Posts: 320
Joined: Thu Jun 30, 2005 6:47 pm

Re: Mikrotik + Radius + Security

Wed Oct 26, 2011 4:46 pm

Ah, the old CHAP vs PAP argument. Unfortunately, there's no easy answer to this one, but for discussions, Google is your friend.

With CHAP, you are as secure as the machine storing the passwords. A clear-text password is never present at any portion of your network, so it can never be sniffed. However, if your radius server is compromised, then all bets are off. Lock it down, and you should be good.

With PAP, passwords can be stored using 1-way encryption; the caveat to this is that the password is passed from CPE to NAS in the clear, then encrypted using a shared key. In the case of wireless, that means that anyone on the network has the potential to sniff out that password. Segregate your clients, encrypt your wireless, and you're good. However, wireless encryption is more or less a joke. WEP can be cracked in seconds, WPA not so quick.

IMO, either method is fine, as it's being used for access control and a breach at this level is an annoyance, but hardly a major problem unless it goes unchecked. Other security concerns should be handled at layer 3 or higher using other methods such as IPSEC and SSL. I tell customers with higher security needs that they need to review their choice of vendors, as I'm absolutely sure I can't help them.
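
Added example, not part of the original posts: the storage trade-off described above, using the CHAP response from RFC 1994 and the RADIUS User-Password hiding from RFC 2865 section 5.2. It shows why a CHAP verifier needs the cleartext (reversibly stored) password while a PAP verifier can keep a one-way hash. All function names and sample values are constructed for illustration, and PBKDF2 stands in for whatever one-way scheme the server uses.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident: int, stored: bytes, challenge: bytes, response: bytes) -> bool:
    # The server recomputes the digest from what it has stored, so `stored`
    # must be the cleartext password; a one-way hash of it cannot match.
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)

def _mask(block: bytes, secret: bytes, prev: bytes) -> bytes:
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS User-Password hiding (RFC 2865 section 5.2), done by the NAS."""
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _mask(padded[i:i + 16], secret, prev)  # chain on previous output
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, done by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _mask(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_verify(hidden, secret, authenticator, salt, stored_hash) -> bool:
    # The server recovers the cleartext from the request, then compares hashes.
    candidate = hash_password(pap_reveal(hidden, secret, authenticator), salt)
    return hmac.compare_digest(candidate, stored_hash)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    pw, secret = b"constructed-password-123", b"constructed-shared-secret"
    ra, chal, salt = bytes(range(16)), bytes(range(16, 32)), b"constructed-salt"
    resp = chap_response(1, pw, chal)
    print("CHAP, cleartext stored:", chap_verify(1, pw, chal, resp))
    print("CHAP, hash stored:     ", chap_verify(1, hash_password(pw, salt), chal, resp))
    print("PAP, hash stored:      ", pap_verify(pap_hide(pw, secret, ra), secret, ra, salt, hash_password(pw, salt)))
```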
 
agomes
newbie
Posts: 38
Joined: Thu Mar 17, 2016 8:16 am

Re: Mikrotik + Radius + Security

Mon Mar 23, 2020 11:17 am

This helped me :)
