RADIUS (Remote Authentication Dial-In User Service) servers have been used to authenticate users since virtually the dawn of the World Wide Web, and their weaknesses have been known for about as long. Theyve also been addressed in more ways than one—both wired and wirelessly.
Not surprisingly, Aruba happens to have a device that addresses the problem the company described. But Aruba Chief Technology Officer Merwyn Andrade said, "our intent in bringing this up was more to raise awareness around security best practices."
It also wasnt surprising that, when I called around for reaction to the advisory, I found no one wringing their hands over it.
Eric Barnett, wireless administrator at Arkansas State University at Jonesboro, was in the midst of upgrading his campus network when I called, enabling wireless access for as many devices as possible on the campus network. That upgrade includes transitioning to 802.11i devices in departments where strong security is required. And the cost of upgrading all devices is prohibitive.
"Were an all-Cisco shop and the only way we can use AES [Advanced Encryption Standard] is with their new 1200 Series APs. Unfortunately most of ours are 350s. So were setting up AES in very specific areas," he said.
The latest report, Barnett observed, "sounds kind of like the LEAP attack that came in a few years ago. If you have a good password policy, you should be OK."
You should also be OK if you replace LEAP (Lightweight Extensible Authentication Protocol) with EAP-FAST (EAP-Flexible Authentication via Secure Tunneling), the protocol Cisco developed to fix the problem.
Arubas Andrade acknowledged there are many fixes for RADIUS weaknesses. "There are existing recommendations to protect against this, its just that people are not following them," he said. He advised IT managers to "work with your vendors to mitigate these threats."
What may be most significant about Arubas advisory is that the problem the company describes existed on wired networks even before wireless entered the picture. Gartner Analyst Ken Dulaney notes that the dictionary attack that Aruba described could occur by plugging a laptop into a network port just as easily as it could if you plugged in a rogue access point.
For that reason, he said, "we dont think its a big deal. First of all, youve got to gain access to the wired network, and once you have that type of access, you can do damage in a lot of places."
If anything, he said, the advisory demonstrates how far wireless security has come.
RADIUS servers were put to work to compensate for the vulnerabilities of WEP (Wired Equivalent Privacy) soon after the weaknesses of the original security mechanism became known. The two key components of good security are encryption, which was weak in WEP, and authentication, which wasnt in WEP at all. No small number of enterprises addressed wireless LAN security by running RADIUS authentication with a strong encryption mechanism such as VPN.
The IEEEs ratification of 802.11i addressed these problems by scrapping WEPs flawed encryption for strong AES encryption, and by using port-based 802.1X authentication with an EAP type with an authentication server (usually RADIUS) to mutually authenticate devices and isolate rogues.
Dulaney said Aruba "may have been trying to use this as an illustration of what can happen. It does go back to the theme that wired and wireless are converging."
The message here is that wireless security is no longer just a wireless issue: Its a network issue. If you havent done so already, advises Dulaney, "you need to look at security schemes that protect you across both mediums."
More from Carol Ellison