Re: freeradius and cisco hidden share



Hello

I'm certain I was using the right command. The number 7 in the line tells the router that a hidden key will follow.

coltrane(config)#radius-server key ?
 0     Specifies an UNENCRYPTED key will follow
 7     Specifies HIDDEN key will follow
 LINE  The UNENCRYPTED (cleartext) shared key

Now at this point I actually got it to work. It turned out that in trying to copy the extremely long number from the old config there was an error.

But I still don't know exactly what it is doing so I'm hoping somebody can explain because I may want to change the key at some point.

On the router end the key is configured with radius-server key 7 "54-character-key"

On the radius server in clients.conf this client's secret = "totally-different-26-character-key"

Initially I thought that one side or the other would be like /etc/shadow passwords or the garbled string you see looking at an enable secret password in the Cisco conf. That would account for them appearing totally different. But just copying the old configuration straight works, so I guess not.

Alan DeKok wrote:
John Baker wrote:
The setup works fine if I use a password like "testing123" on both ends. But when I use "radius-server key 7" to encrypt it, it breaks.

  As in... what happens?

The current setup does use this so I know it works. But in all the documentation I've been weeding through on configuring clients.conf, nothing seems to mention how this kind of encryption works on the FreeRADIUS server end.

  See RFC 2865... if you really care about it.  But trust me, FreeRADIUS
works.

The router insists on an extremely long key for this configuration. The 3640 shows one in the config. But clients.conf shows a much shorter one.

When I try to plug the long one into clients.conf, FreeRADIUS fails to start up.

  Could you say what error it produces?

  The comments in clients.conf indicate that the shared secret can be no
more than 31 characters long.  In 2.0, this restriction is removed.

So how do you configure freeradius for a Cisco hidden password?

  No idea.  The Cisco "hidden password" thing isn't well documented.
i.e. The Cisco docs tell you that you can enable hidden passwords, but
don't say what that means.

  And if you look for "hidden password" in:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455a5f.html

  It looks to me like you're using the wrong command.  "radius server
key" sets the shared secret to the following text, which in your case is
"7".  If you want hidden passwords, it looks like you have to use
another command.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus
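The relation between the router's 54-character "key 7" string and the 26-character secret in clients.conf, as an added example that is not part of this thread and not FreeRADIUS or Cisco code. It assumes the widely documented Cisco IOS "type 7" scheme: a two-digit decimal seed followed by hex bytes, each plaintext byte XORed with one byte of a fixed 53-byte table starting at the seed offset. That scheme is reversible obfuscation, not a hash, so the router recovers the plaintext and uses it as the RADIUS shared secret; FreeRADIUS never sees the type-7 string and wants only the plaintext. The sizes fit exactly: 2 seed digits + 2 hex digits per byte x 26 bytes = 54 characters. The config line, secret and seed below are constructed samples, not the poster's real key; `clients_conf_secret` is a helper name invented here.

```python
"""
Cisco IOS "type 7" obfuscation, decoded and re-encoded in Python.

Added example for this thread, not code from FreeRADIUS, Cisco or either
poster.  Assumes the well-known type-7 scheme: a 2-digit decimal seed
followed by hex bytes, each plaintext byte XORed with XLAT[seed + i].
"""
import re

# The fixed 53-byte XOR table IOS uses for type-7 strings.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Return the plaintext hidden in a type-7 string such as '060506324F41'."""
    s = encoded.strip().strip('"')
    if len(s) < 4 or len(s) % 2 or not s[:2].isdigit():
        raise ValueError("not a type-7 string: expected 2-digit seed plus hex pairs")
    seed = int(s[:2])
    body = bytes.fromhex(s[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Obfuscate plaintext the way IOS does; IOS picks a seed from 0 to 15."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 00-15")
    data = plain.encode("ascii")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}" + body.hex().upper()


_KEY_RE = re.compile(r"^\s*radius-server key 7 (\S+)\s*$", re.M)


def clients_conf_secret(ios_config: str) -> dict:
    """
    Hypothetical helper: pull the 'radius-server key 7' line out of a router
    config and report what belongs in FreeRADIUS clients.conf.  FreeRADIUS
    wants the plaintext the router decodes, never the type-7 string itself.
    """
    m = _KEY_RE.search(ios_config)
    if not m:
        raise ValueError("no 'radius-server key 7' line found")
    encoded = m.group(1).strip('"')
    secret = type7_decode(encoded)
    return {
        "type7_length": len(encoded),
        "secret": secret,
        "secret_length": len(secret),
        # 54-character type-7 string <-> 26-character secret, as in the thread.
        "length_relation_holds": len(encoded) == 2 + 2 * len(secret),
        "clients_conf_line": f'secret = "{secret}"',
    }


# Constructed sample (not the poster's key): a 26-character secret encoded
# with seed 7 gives a 54-character type-7 string, the sizes reported above.
SAMPLE_SECRET = "example-radius-secret-0123"
SAMPLE_CONFIG = (
    "radius-server host 192.0.2.10 auth-port 1812 acct-port 1813\n"
    "radius-server key 7 " + type7_encode(SAMPLE_SECRET, seed=7) + "\n"
)

if __name__ == "__main__":
    # The classic documented vector: type-7 '060506324F41' is the word 'cisco'.
    print(type7_decode("060506324F41"))
    print(clients_conf_secret(SAMPLE_CONFIG))
```

Two practical consequences follow. First, `radius-server key 7 <string>` expects an already-encoded string, so a single mistyped hex digit changes the decoded secret and the router and FreeRADIUS silently disagree, which is the copy error described above; to change the secret, set the plaintext with `radius-server key 0 <new-secret>` (or just `radius-server key <new-secret>`) on the router, put the same plaintext in clients.conf, and let the router write the type-7 form into the running config itself. Second, because the type-7 string is always more than twice as long as the secret, it will exceed the 31-character limit Alan mentions for pre-2.0 clients.conf even when the real secret does not. Type 7 only hides the secret from someone glancing at the config; anyone with the config can decode it, so treat a router config as containing the secret in the clear.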



