Security

 View Only
last person joined: 15 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

RADIUS Keys - best practices

This thread has been viewed 18 times
  • 1.  RADIUS Keys - best practices

    MVP EXPERT
    Posted 27 days ago

    Hi, in the past I've always ensured that every switch/mobility controller has a uniquely generated shared key. I know that we can  define our use of shared keys either  unique to a device or  fpr example  have the same shared  key  across a given ip address scope e.g. 192/10

    So does Aruba have a recommended best practice for RADIUS shared ket assignment ... or is it just a case of "you can do these thinjgs .. .take your pick..."

    Rgds

    Alex



  • 2.  RE: RADIUS Keys - best practices

    EMPLOYEE
    Posted 27 days ago

    From the hardening guide here: https://support.hpe.com/hpesc/public/docDisplay?docId=a00107216en_us

    "RADIUS secrets
    The RADIUS protocol provides a weak form of encryption, which uses the RADIUS shared secret as the basis for the
    encryption key. Ensure that the RADIUS shared secret is as long and as complex as possible ArubaOS supports a
    maximum length of 63 characters. There is no need for this secret to be memorable by a human, so use a service
    such as
    http://www.random.org/ to generate a truly random string.
    An authentication server performing authentication for WPA2 sessions will use the RADIUS protocol to send the
    WPA2 Pairwise Master Key (PMK) to an Aruba mobility controller an attacker intercepting this key would also be
    able to monitor and decrypt Wi-Fi traffic over the air. If the link between the RADIUS server and the Aruba device is
    trusted (e.g., within the same datacenter) then relying on RADIUS encryption is sufficient. However, if the path
    traverses untrusted segments, such as WAN links, RADIUS traffic should be secured inside IPsec tunnels."



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: RADIUS Keys - best practices

    EMPLOYEE
    Posted 27 days ago

    I've seen people go with one global key and I've seen people go with individual keys based on unique device/device type/geography/whim/etc.  Best practice for security is to move to RadSec where the key is no longer the most susceptible portion of the communication.  Short of RadSec, maintain a policy that meets the needs that you feel are important.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------