Hello Tom,
We are looking into using freeRADIUS to provide authentications to our> Cisco IOS devices.
There is a very helpful guide on the wiki https://wiki.freeradius.org/vendor/Cisco), however, the article only lists 'Cleartext-Password' as an acceptable method for storing the user's password attribute within freeRADIUS. Is it possible to use a more secure method of storing the passwords that is compatible with Cisco IOS?
why store inside freeradius? For CLI access to our IOS devices, I use a dedicated RADIUS VM and authenticate all IOS shell access against its local linux accounts, i.e. /etc/shadow on the RADIUS server is my password storage. With all recent Linuxes using SHA-512 Hashes and a stripped-down config on the dedicated machine, this should IMHO suffice as a password store -- but only if your number of users is small (~12 in our case). Downsides: - On the (management) LAN, the only protection is the MD5 encryption with the shared secret. - If you set up a second VM for redundancy, keeping the passwords in sync must be done manually. We actually have this second VM (on a different cluster). Again, this only feasible because of the small number of users. Another way to go might be SSH keys on IOS, I haven't tried these yet. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg