Description:
The RADIUS server in the Datacenter (DS) should use the recommended security protocol to protect the credentials of users who authenticate to the network. The recommended security protocol is EAP-TLS, which uses Transport Layer Security (TLS) to encrypt the authentication exchange between the client and the RADIUS server.
Rationale:
Using the recommended security protocol protects the credentials of users who authenticate to the network. If the RADIUS server does not use a secure protocol, an attacker who can observe the authentication traffic could intercept it and recover the user's credentials, which could then be used to gain unauthorized access to the network.
Impact:
If the RADIUS server does not use the recommended security protocol, there is a risk that an attacker could steal the credentials of users who authenticate to the network and use them to gain unauthorized access.
Default Value:
The default security protocol on the RADIUS server in the DS is PAP. PAP is not a secure protocol and should not be used.
Pre-requisites:
To implement this policy, you will need the following:
- Access to the RADIUS server in the DS
- The ability to change the security protocol on the RADIUS server
Remediation Steps:
To remediate this policy, follow these steps:
- Log in to the RADIUS server in the DS.
- Change the security protocol to EAP-TLS.
- Save the changes.
Test Plan:
To test that the policy has been implemented correctly, follow these steps:
- Generate a new RADIUS authentication request.
- Send the request to the RADIUS server.
- Verify that the authentication request succeeded and that EAP-TLS was used.
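One way to automate the last test step is to inspect the RADIUS Access-Request that the network access server forwards to the RADIUS server and check which authentication method it carries: a PAP request carries a User-Password attribute, while an EAP-TLS request carries EAP-Message attributes whose EAP type is 13. The script below is an added example, not part of the original policy text; it parses the RADIUS header and attribute TLVs as defined in RFC 2865, reassembles fragmented EAP-Message attributes, and classifies the request. All packets in it are constructed samples, and the zeroed authenticator and password fields are placeholders rather than real captured values.

```python
"""Added example: classify the authentication method used in a RADIUS
Access-Request (PAP vs. EAP-TLS) so the policy's test plan can be checked
against captured packets. Sample packets are constructed, not captured."""
import struct
from typing import List, Tuple

# RADIUS attribute types (RFC 2865 / RFC 2869)
USER_NAME = 1
USER_PASSWORD = 2          # present only for PAP
CHAP_PASSWORD = 3
EAP_MESSAGE = 79           # carries EAP packets, possibly fragmented
MESSAGE_AUTHENTICATOR = 80

# EAP method types (RFC 3748 / RFC 5216)
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13

ACCESS_REQUEST = 1
EAP_CODE_RESPONSE = 2


def parse_radius(packet: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Split a RADIUS packet into (code, identifier, authenticator, attributes).

    Attributes are returned as (type, value) pairs in wire order. Length
    fields are validated so a truncated or malformed packet raises ValueError
    instead of being misclassified.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field inconsistent with packet size")
    authenticator = packet[4:20]
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def auth_method(packet: bytes) -> str:
    """Return 'eap-tls', 'eap-identity', 'eap-other', 'pap', 'chap' or 'unknown'.

    The first Access-Request of every EAP conversation carries an EAP
    Identity response, so 'eap-identity' is expected once per login; the
    EAP-TLS check applies to the requests that follow it.
    """
    code, _, _, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    # EAP-Message values are concatenated in order to rebuild the EAP packet
    # when the NAS split it across several attributes (RFC 2869 section 5.13).
    eap = b"".join(value for atype, value in attrs if atype == EAP_MESSAGE)
    if eap:
        if len(eap) < 5:
            return "eap-other"  # no Type field (e.g. Success/Failure) or malformed
        eap_type = eap[4]      # EAP header: code, id, length(2), type
        if eap_type == EAP_TYPE_TLS:
            return "eap-tls"
        if eap_type == EAP_TYPE_IDENTITY:
            return "eap-identity"
        return "eap-other"
    if any(atype == USER_PASSWORD for atype, _ in attrs):
        return "pap"
    if any(atype == CHAP_PASSWORD for atype, _ in attrs):
        return "chap"
    return "unknown"


def build_access_request(ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Build a constructed Access-Request; the authenticator is a placeholder."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value for atype, value in attrs)
    authenticator = bytes(16)  # a real NAS uses 16 random bytes here
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def eap_response(ident: int, eap_type: int, data: bytes) -> bytes:
    """Build an EAP Response packet: code, identifier, length, type, type-data."""
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, ident, 5 + len(data), eap_type) + data


# Constructed samples: a PAP login (non-compliant) and an EAP-TLS exchange.
PAP_REQUEST = build_access_request(1, [(USER_NAME, b"alice"), (USER_PASSWORD, bytes(16))])
EAP_TLS_PACKET = eap_response(7, EAP_TYPE_TLS, bytes(250))  # flags + TLS data, zeroed
EAPTLS_REQUEST = build_access_request(2, [
    (USER_NAME, b"alice"),
    (EAP_MESSAGE, EAP_TLS_PACKET[:200]),   # fragmented across two attributes
    (EAP_MESSAGE, EAP_TLS_PACKET[200:]),
    (MESSAGE_AUTHENTICATOR, bytes(16)),
])

if __name__ == "__main__":
    for name, pkt in (("pap", PAP_REQUEST), ("eap-tls", EAPTLS_REQUEST)):
        print(f"{name}: {auth_method(pkt)}")
```

Run over a capture of Access-Requests, any result of "pap" or "chap" is a request that bypassed the policy, while a run of "eap-identity" followed by "eap-tls" is the expected pattern for a compliant login.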
Implementation Plan:
The following steps implement this policy using the AWS CLI:
- Log in to the AWS CLI.
- Run the following command to change the security protocol on the RADIUS server:
aws iam change-password-policy --policy-name RADIUSServerPasswordPolicy --password-policy-document file://password_policy.json
- Save the changes.
The following steps implement this policy using the AWS console:
- Go to the AWS IAM console.
- Click on "Policies" in the left-hand navigation menu.
- Click on the "RADIUSServerPasswordPolicy" policy.
- Click on the "Edit" button.
- In the "Password Policy Document" section, change the "DefaultPasswordPolicy" value to "1".
- Click on the "Save" button.
Backout Plan:
To back out this policy, follow these steps:
- Log in to the RADIUS server in the DS.
- Change the security protocol back to PAP.
- Save the changes.
Note:
This policy applies only to the RADIUS server in the DS. If there are other RADIUS servers in your environment, implement this policy on those servers as well.
Reference:
- AWS IAM Password Policy Documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
Tags and Keywords:
- tags: security, radius, eap-tls
- keywords: authentication, protocol, security, tls