RADIUS, Rogues and Wireless Security Practices
Mobile
SHARE
Facebook X Pinterest WhatsApp

RADIUS, Rogues and Wireless Security Practices

Written By
Carol Ellison
Carol Ellison
Jul 27, 2004
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

It would be tempting to dismiss Aruba Wireless Networks advisory this week about RADIUS vulnerabilities as old news if security werent so darned important.

RADIUS (Remote Authentication Dial-In User Service) servers have been used to authenticate users since virtually the dawn of the World Wide Web, and their weaknesses have been known for about as long. Theyve also been addressed in more ways than one—both wired and wirelessly.

Not surprisingly, Aruba happens to have a device that addresses the problem the company described. But Aruba Chief Technology Officer Merwyn Andrade said, “our intent in bringing this up was more to raise awareness around security best practices.”

/zimages/7/28571.gifClick hereto read about the RADIUS attack that Aruba described.

It also wasnt surprising that, when I called around for reaction to the advisory, I found no one wringing their hands over it.

Eric Barnett, wireless administrator at Arkansas State University at Jonesboro, was in the midst of upgrading his campus network when I called, enabling wireless access for as many devices as possible on the campus network. That upgrade includes transitioning to 802.11i devices in departments where strong security is required. And the cost of upgrading all devices is prohibitive.

“Were an all-Cisco shop and the only way we can use AES [Advanced Encryption Standard] is with their new 1200 Series APs. Unfortunately most of ours are 350s. So were setting up AES in very specific areas,” he said.

The latest report, Barnett observed, “sounds kind of like the LEAP attack that came in a few years ago. If you have a good password policy, you should be OK.”

You should also be OK if you replace LEAP (Lightweight Extensible Authentication Protocol) with EAP-FAST (EAP-Flexible Authentication via Secure Tunneling), the protocol Cisco developed to fix the problem.

Arubas Andrade acknowledged there are many fixes for RADIUS weaknesses. “There are existing recommendations to protect against this, its just that people are not following them,” he said. He advised IT managers to “work with your vendors to mitigate these threats.”

What may be most significant about Arubas advisory is that the problem the company describes existed on wired networks even before wireless entered the picture. Gartner Analyst Ken Dulaney notes that the dictionary attack that Aruba described could occur by plugging a laptop into a network port just as easily as it could if you plugged in a rogue access point.

For that reason, he said, “we dont think its a big deal. First of all, youve got to gain access to the wired network, and once you have that type of access, you can do damage in a lot of places.”

If anything, he said, the advisory demonstrates how far wireless security has come.

RADIUS servers were put to work to compensate for the vulnerabilities of WEP (Wired Equivalent Privacy) soon after the weaknesses of the original security mechanism became known. The two key components of good security are encryption, which was weak in WEP, and authentication, which wasnt in WEP at all. No small number of enterprises addressed wireless LAN security by running RADIUS authentication with a strong encryption mechanism such as VPN.

The IEEEs ratification of 802.11i addressed these problems by scrapping WEPs flawed encryption for strong AES encryption, and by using port-based 802.1X authentication with an EAP type with an authentication server (usually RADIUS) to mutually authenticate devices and isolate rogues.

Dulaney said Aruba “may have been trying to use this as an illustration of what can happen. It does go back to the theme that wired and wireless are converging.”

The message here is that wireless security is no longer just a wireless issue: Its a network issue. If you havent done so already, advises Dulaney, “you need to look at security schemes that protect you across both mediums.”

More from Carol Ellison

/zimages/7/28571.gifCheck out eWEEK.coms Mobile & Wireless Center at http://wireless.eweek.com for the latest news, reviews and analysis.

/zimages/7/77042.gif

Be sure to add our eWEEK.com mobile and wireless news feed to your RSS newsreader or My Yahoo page

Carol Ellison
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information