Question : Problem: Cisco - IAS - No Encryption

Hello Everyone,

  I am currently setting up some new Cisco gear. Since Telnet sends information in clear text, I am going to disable Telnet and use SSH. Today I wanted to set up RADIUS to our IAS server to authenticate using my Active Directory username/password on our switches. When I was configuring it I found out you have to use No Encryption - PAP. Anyways, I have it all configured and everything works, but I am concerned whether this is the right way to go?

Since there is no encryption on the traffic, is my username and password sent in clear text, so anyone with a sniffer could figure out my username and password?

I know that telnet is sent in clear text and a sniffer can see all the commands that are typed.

I guess what I am asking is:
  Is there a security risk involved with integrating the Cisco 3750 with RADIUS for authentication?
  Is this recommended?
  Is there a better way to do it other than just creating local passwords?

Answer : Problem: Cisco - IAS - No Encryption

Hi 2hype,
The PAP auth that you are configuring on the RADIUS server is for the user passwords within RADIUS messages, and is not used for the authentication of RADIUS messages themselves.

The point of using RADIUS is two-fold: firstly, you are leveraging your already existing user database and do not have to keep a separate one for each router. Also, it's presumed that the network between your router and RADIUS server is trusted, so the risk of sniffing passwords should be reduced. In any case, the user passwords will be encrypted within the overall RADIUS message using the symmetric shared secret.


So using SSH and RADIUS is advised for security.