John Baker <johnnyb@marlboro.edu> writes:
I'm certain was using the right command. The number 7 in the line tells the router that a hidden key will follow.
coltrane(config)#radius-server key ? 0 Specifies an UNENCRYPTED key will follow 7 Specifies HIDDEN key will follow LINE The UNENCRYPTED (cleartext) shared key
Now at this point I actually got it to work. It turned out that in trying to copy the extremely long number from the old config there was an error.
But I still don't know exactly what it is doing so I'm hoping somebody can explain because I may want to change the key at some point.
On the router end the key is configured with radius-server key 7 "54-character-key"
On the radius server in clients.conf this client's secret = "totally-different-26-character-key"
Initially I thought that one side or the other would be like /etc/shadow passwords or the garbled string you see looking at a enable secret password in the cisco conf. That would account for them appearing totally different. But just copying the old configuration straight works so I guess not.
The Cisco type 7 "encryption" is just a local obfuscation of the password to avoid accidental reading-over-the-shoulder. It is "decrypted" by the router before it is used, so in fact both ends have access to the same clear text password. Please read http://www.cisco.com/warp/public/701/64.html if you think this provides any security of any sort. Bjørn