AW: Authenticating SSH login on a Cisco IOS switch to AD

Alan DeKok aland at deployingradius.com
Thu Feb 10 13:50:17 CET 2011


Oliver Elliott wrote:
> I had a look into this and as far as I could tell, the conversation
> between the switch and the radius server was not encrypted unless you
> use TACACS. Does anyone know if this conversation can be encrypted while
> using Freeradius, as otherwise the domain login details are presumably
> being sent over the network in clear text?

  RADIUS passwords are always encrypted.

  If you want a "real" TACACS+ server, add TACACS+ support to
FreeRADIUS.  It isn't hard.  i.e. probably ~2K LoC.  But I haven't had
the incentive to do it yet.

  After that, maybe ARP.  I've been looking at the "arpwatch" programs,
and none of them talk to databases.  <sigh>

  Alan DeKok.


