Cisco IOS Authentication

Dave Macias davama at gmail.com
Fri Apr 6 14:21:57 CEST 2018


You also can store your credentials using ldap with the freeradius ldap
module.
It's a pretty lightweight protocol and gives you the ability to
authenticate any other future services you may want to provide. Even linux
shell authentication can be done with ldap.
Plus ldap provides replication (master-slave) (multi-master).

And there are even other schemas which can be added to improve your ldap
environment (sudo, opensshlpk, bind-dyndb, etc) but that's another topic
and not needed in this mailing list :)

hope that's useful

-dave

On Fri, Apr 6, 2018 at 4:24 AM, Martin Pauly <pauly at hrz.uni-marburg.de>
wrote:

> Hello Tom,
>
>> We are looking into using freeRADIUS to provide authentications to our
>> Cisco IOS devices.
>>
>> There is a very helpful guide on the wiki (https://wiki.freeradius.org/vendor/Cisco), however, the article only lists
>> 'Cleartext-Password' as an acceptable method for storing the user's
>> password attribute within freeRADIUS. Is it possible to use a more secure
>> method of storing the passwords that is compatible with Cisco IOS?
>>
>
> why store inside freeradius? For CLI access to our IOS devices,
> I use a dedicated RADIUS VM and authenticate all IOS shell access against
> its local linux accounts, i.e. /etc/shadow on the RADIUS server is my
> password storage.
> With all recent Linuxes using SHA-512 Hashes and a stripped-down config on
> the
> dedicated machine, this should IMHO suffice as a password store -- but only
> if your number of users is small (~12 in our case).
>
> Downsides:
> - On the (management) LAN, the only protection is the MD5 encryption with
> the shared secret.
> - If you set up a second VM for redundancy, keeping the passwords in sync
> must be done manually.
>
> We actually have this second VM (on a different cluster).
> Again, this is only feasible because of the small number of users.
>
> Another way to go might be SSH keys on IOS, I haven't tried these yet.
>
> Cheers, Martin
> --
>   Dr. Martin Pauly     Phone:  +49-6421-28-23527
>   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
>   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
>   D-35032 Marburg
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
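The "MD5 encryption with the shared secret" that Martin lists as a downside is the RFC 2865 section 5.2 User-Password hiding applied to PAP logins such as IOS CLI authentication. The following Python is an added example, not code from this thread or from FreeRADIUS; the secret, password and Request Authenticator in it are constructed. It implements both the NAS side and the server side of the exchange, and shows that undoing the hiding needs nothing beyond the shared secret and the Request Authenticator, which is sent in the clear in the same Access-Request packet.

```python
"""RFC 2865 section 5.2 User-Password hiding (PAP), both sides of the exchange.

Added example; all values below are constructed, not taken from any real NAS.
"""
import hashlib
import os


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: obscure a PAP password before putting it in an Access-Request.

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte chunk is
    XORed with MD5(secret + previous block); for the first chunk the "previous
    block" is the 16-byte Request Authenticator that travels in the clear.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key_block = _md5(secret + prev)
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        hidden += chunk
        prev = chunk  # chaining: the next key block depends on this output block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side (or anyone else holding the secret): undo hide_user_password.

    Trailing NUL padding is stripped, which is why RADIUS PAP passwords cannot
    end in NUL bytes.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key_block = _md5(secret + prev)
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(chunk, key_block))
        prev = chunk
    return bytes(plain).rstrip(b"\x00")


def secret_recovers_password(password: bytes, nas_secret: bytes,
                             candidate_secret: bytes, authenticator: bytes) -> bool:
    """Model of a party that sees the Access-Request (hidden password plus the
    cleartext Request Authenticator) and holds candidate_secret. Returns True
    if that candidate is enough to recover the original password, i.e. the
    hiding offers no protection beyond the secret itself."""
    hidden = hide_user_password(password, nas_secret, authenticator)
    return reveal_user_password(hidden, candidate_secret, authenticator) == password


if __name__ == "__main__":
    secret = b"example-shared-secret"      # constructed
    password = b"correct-horse-battery"    # constructed, 21 bytes -> two blocks
    authenticator = os.urandom(16)         # the NAS picks a fresh one per request
    hidden = hide_user_password(password, secret, authenticator)
    print("hidden User-Password (hex):", hidden.hex())
    print("server recovers:", reveal_user_password(hidden, secret, authenticator))
    print("right secret suffices:", secret_recovers_password(password, secret, secret, authenticator))
    print("wrong secret suffices:", secret_recovers_password(password, secret, b"guess", authenticator))
```

The consequence for Martin's setup is that the confidentiality of every CLI login rests entirely on the strength of the shared secret and on who can see the management LAN, so a long random per-NAS secret and an isolated management network are the minimum; where both the NAS and the server support it, RADIUS over TLS (RadSec, RFC 6614) removes the dependency on this construction altogether.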

