freeradius and cisco hidden share
Bjørn Mork
bjorn at mork.no
Wed Apr 11 14:10:32 CEST 2007
John Baker <johnnyb at marlboro.edu> writes:
> I'm certain I was using the right command. The number 7 in the line tells
> the router that a hidden key will follow.
>
> coltrane(config)#radius-server key ?
> 0 Specifies an UNENCRYPTED key will follow
> 7 Specifies HIDDEN key will follow
> LINE The UNENCRYPTED (cleartext) shared key
>
> Now at this point I actually got it to work. It turned out that in
> trying to copy the extremely long number from the old config there was
> an error.
>
> But I still don't know exactly what it is doing so I'm hoping somebody
> can explain because I may want to change the key at some point.
>
> On the router end the key is configured with radius-server key 7
> "54-character-key"
>
> On the radius server in clients.conf this client's secret =
> "totally-different-26-character-key"
>
> Initially I thought that one side or the other would be like /etc/shadow
> passwords or the garbled string you see looking at an enable secret
> password in the cisco conf. That would account for them appearing
> totally different. But just copying the old configuration straight works
> so I guess not.
The Cisco type 7 "encryption" is just a local obfuscation of the
password to avoid accidental reading-over-the-shoulder. It is
"decrypted" by the router before it is used, so in fact both ends have
access to the same clear text password.

Please read http://www.cisco.com/warp/public/701/64.html if you think
this provides any security of any sort.

Bjørn
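An added example (not from the thread or from FreeRADIUS) that makes Bjørn's point checkable on a saved running-config: it classifies the credential lines by their IOS encryption type and, for type 7 strings, derives the cleartext length from the encoded length. The format facts it relies on are general Cisco IOS knowledge, not something stated in the thread: a type 7 string is two decimal digits (a seed in 0..15) followed by one hex byte per cleartext character, so a 26-character RADIUS secret shows up on the router as exactly 2 + 2*26 = 54 characters, matching the lengths John reports. The config excerpt, the hostname aside, is constructed for the demo; the hash and key values are placeholders.

```python
import re

# Type 7 layout (general IOS knowledge, assumed here): 2-digit seed, then hex byte pairs.
TYPE7_RE = re.compile(r"^(\d{2})((?:[0-9A-Fa-f]{2})*)$")

# Credential statements: "... password|secret|key <type> <value>".
CRED_RE = re.compile(
    r"^\s*(?P<stmt>(?:\S+\s+)*?\b(?:password|secret|key)\b)\s+(?P<type>\d+)\s+(?P<value>\S+)"
)

CLASSIFICATION = {
    "0": "cleartext",
    "5": "one-way hash (MD5-crypt); the secret cannot be recovered from it",
    "7": "reversible obfuscation; the device recovers the cleartext before use",
}

# Constructed running-config excerpt (hypothetical values, not the poster's real config).
SAMPLE_CONFIG = """\
hostname coltrane
!
enable secret 5 $1$PLACEHOLDER$ConstructedHashValue000000
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server key 7 010123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123
!
line vty 0 4
 password 7 071B2F3C
 password 0 plaintext-example
"""


def type7_cleartext_length(encoded):
    """Cleartext length implied by a type 7 string, or None if it is malformed."""
    m = TYPE7_RE.match(encoded)
    if not m or int(m.group(1)) > 15:
        return None
    return len(m.group(2)) // 2


def type7_encoded_length(cleartext_len):
    """Length a type 7 string has for a secret of the given length (seed + 2 hex per byte)."""
    return 2 + 2 * cleartext_len


def audit_config(text):
    """Return one finding per credential line: type, classification, cleartext length."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        enc_type, value = m.group("type"), m.group("value")
        finding = {
            "line": lineno,
            "stmt": m.group("stmt").strip(),
            "type": enc_type,
            "class": CLASSIFICATION.get(enc_type, "unknown type"),
            "cleartext_len": None,
        }
        if enc_type == "7":
            n = type7_cleartext_length(value)
            finding["cleartext_len"] = n
            if n is None:
                finding["class"] = "malformed type 7 string"
        elif enc_type == "0":
            finding["cleartext_len"] = len(value)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}: {f['stmt']:<20} type {f['type']}: {f['class']}"
              + (f" (cleartext length {f['cleartext_len']})" if f["cleartext_len"] is not None else ""))
```

Running it over the sample flags the 54-character `radius-server key 7` value as 26 cleartext characters, which is the length of the secret in clients.conf, while the `enable secret 5` line is reported as a one-way hash with no recoverable length. The length relation alone is enough to show that the two ends hold the same secret, which is why copying the old type 7 string verbatim worked.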