Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual
Page 1118
Authentication Introduction and Configuration
Software Reference for x310 Series Switches 42.22
AlliedWare Plus™ Operating System - Version 5.4.4C
C613-50046-01 REV A
Ensuring Authentication Methods Require Different Usernames and Passwords
If you configure a user or device to use multiple authentication methods, you need to set up your system to avoid a potential vulnerability.

The vulnerability occurs because there is no way for a RADIUS server to determine which authentication method you are using. Authentication simply queries a RADIUS server to see whether a username/password pair is valid.

This means that if you use the same RADIUS server for multiple authentication methods, a user can enter the same username/password pair for each of these authentication methods. If that username/password pair is valid for one of the methods, it will work for all of them.

This vulnerability is particularly significant for MAC authentication, because the default username and password are the MAC address of the supplicant device, which is easy to discover.

For example, if you set up two-step authentication of MAC authentication and 802.1X authentication, and both use the same RADIUS server, then an attacker does not need to know the 802.1X username and password. Instead, they can pass the 802.1X authentication step by entering the device's MAC address into the 802.1X username and password fields.
To avoid this vulnerability:

■ Use different RADIUS servers for each authentication method, and/or

■ Change the default password for MAC authentication, by using the
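The following configuration fragment is an added illustration of the first mitigation (separate RADIUS servers per method); it is not taken from this manual. It shows a weak setup, where one server answers both MAC authentication and 802.1X, beside a corrected one using two AAA server groups. The IP addresses, shared secrets and group names are placeholders, and the command syntax is assumed from general AlliedWare Plus conventions; check it against the command reference for your release before use.

```text
! Added example, not from the manual. Addresses, secrets, group names and
! exact command syntax are assumptions; verify against the command reference.
!
! Weak configuration: one RADIUS server serves both methods, so the
! MAC-address username/password accepted for auth-mac also passes 802.1X.
radius-server host 192.0.2.10 key SHARED-SECRET-PLACEHOLDER
aaa authentication auth-mac default group radius
aaa authentication dot1x default group radius
!
! Corrected configuration: a separate server (and server group) per method.
! The MAC-authentication server holds only MAC-address accounts; the 802.1X
! server holds only user accounts, so a MAC address submitted as an 802.1X
! username is rejected.
radius-server host 192.0.2.10 key MACAUTH-SECRET-PLACEHOLDER
radius-server host 192.0.2.11 key DOT1X-SECRET-PLACEHOLDER
aaa group server radius MAC-AUTH-SERVERS
 server 192.0.2.10
aaa group server radius DOT1X-SERVERS
 server 192.0.2.11
aaa authentication auth-mac default group MAC-AUTH-SERVERS
aaa authentication dot1x default group DOT1X-SERVERS
```

The separation only helps if the two servers (or two user databases) do not share accounts: keep MAC-address entries off the 802.1X server entirely. The manual's second mitigation, changing the default MAC-authentication password, is a separate step and is not shown here.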