You also can store your credentials using ldap with the freeradius ldap module. It's a pretty lightweight protocol and gives you the ability to authenticate any other future services you may want to provide. Even linux shell authentication can be done with ldap. Plus ldap provides replication (master-slave) (multi-master). And there's even other schemas which can be added to improve your ldap environment (sudo, opensshlpk, bind-dyndb, etc) but that's another topic and not needed in this mailing list :) hope that's useful -dave On Fri, Apr 6, 2018 at 4:24 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
Hello Tom,
We are looking into using freeRADIUS to provide authentications to our>
Cisco IOS devices.
There is a very helpful guide on the wiki https://wiki.freeradius.org/ve ndor/Cisco), however, the article only lists 'Cleartext-Password' as an acceptable method for storing the user's password attribute within freeRADIUS. Is it possible to use a more secure method of storing the passwords that is compatible with Cisco IOS?
why store inside freeradius? For CLI access to our IOS devices, I use a dedicated RADIUS VM and authenticate all IOS shell access against its local linux accounts, i.e. /etc/shadow on the RADIUS server is my password storage. With all recent Linuxes using SHA-512 Hashes and a stripped-down config on the dedicated machine, this should IMHO suffice as a password store -- but only if your number of users is small (~12 in our case).
Downsides: - On the (management) LAN, the only protection is the MD5 encryption with the shared secret. - If you set up a second VM for redundancy, keeping the passwords in sync must be done manually.
We actually have this second VM (on a different cluster). Again, this only feasible because of the small number of users.
Another way to go might be SSH keys on IOS, I haven't tried these yet.
Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html