Hello, We are looking into using freeRADIUS to provide authentications to our Cisco IOS devices. There is a very helpful guide on the wiki ( https://wiki.freeradius.org/vendor/Cisco), however, the article only lists 'Cleartext-Password' as an acceptable method for storing the user's password attribute within freeRADIUS. Is it possible to use a more secure method of storing the passwords that is compatible with Cisco IOS? Thanks Tom Griffin University of Sheffield
On Apr 5, 2018, at 9:49 AM, Tom Griffin <t.griffin@sheffield.ac.uk> wrote:
Hello,
We are looking into using freeRADIUS to provide authentications to our Cisco IOS devices.
There is a very helpful guide on the wiki ( https://wiki.freeradius.org/vendor/Cisco), however, the article only lists 'Cleartext-Password' as an acceptable method for storing the user's password attribute within freeRADIUS. Is it possible to use a more secure method of storing the passwords that is compatible with Cisco IOS?
Not sure what IOS supports, probably PAP and CHAP. It's always the same trade off, if you use PAP you can have your passwords stored in any format, but the password is sent over the wire from the NAS to the RADIUS server. If you use CHAP then you need the plaintext password available to validate the CHAP-Response from the NAS, but the password is never sent over the wire. You have to decide on what you believe to be the greater risk. Someone getting hold of the shared secrets and decrypting admin credentials by sniffing on your management network, or someone getting access to password store and getting all the credentials in plaintext. -Arran
Hello Tom,
We are looking into using freeRADIUS to provide authentications to our> Cisco IOS devices.
There is a very helpful guide on the wiki https://wiki.freeradius.org/vendor/Cisco), however, the article only lists 'Cleartext-Password' as an acceptable method for storing the user's password attribute within freeRADIUS. Is it possible to use a more secure method of storing the passwords that is compatible with Cisco IOS?
why store inside freeradius? For CLI access to our IOS devices, I use a dedicated RADIUS VM and authenticate all IOS shell access against its local linux accounts, i.e. /etc/shadow on the RADIUS server is my password storage. With all recent Linuxes using SHA-512 Hashes and a stripped-down config on the dedicated machine, this should IMHO suffice as a password store -- but only if your number of users is small (~12 in our case). Downsides: - On the (management) LAN, the only protection is the MD5 encryption with the shared secret. - If you set up a second VM for redundancy, keeping the passwords in sync must be done manually. We actually have this second VM (on a different cluster). Again, this only feasible because of the small number of users. Another way to go might be SSH keys on IOS, I haven't tried these yet. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
You also can store your credentials using ldap with the freeradius ldap module. It's a pretty lightweight protocol and gives you the ability to authenticate any other future services you may want to provide. Even linux shell authentication can be done with ldap. Plus ldap provides replication (master-slave) (multi-master). And there's even other schemas which can be added to improve your ldap environment (sudo, opensshlpk, bind-dyndb, etc) but that's another topic and not needed in this mailing list :) hope that's useful -dave On Fri, Apr 6, 2018 at 4:24 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
Hello Tom,
We are looking into using freeRADIUS to provide authentications to our>
Cisco IOS devices.
There is a very helpful guide on the wiki https://wiki.freeradius.org/ve ndor/Cisco), however, the article only lists 'Cleartext-Password' as an acceptable method for storing the user's password attribute within freeRADIUS. Is it possible to use a more secure method of storing the passwords that is compatible with Cisco IOS?
why store inside freeradius? For CLI access to our IOS devices, I use a dedicated RADIUS VM and authenticate all IOS shell access against its local linux accounts, i.e. /etc/shadow on the RADIUS server is my password storage. With all recent Linuxes using SHA-512 Hashes and a stripped-down config on the dedicated machine, this should IMHO suffice as a password store -- but only if your number of users is small (~12 in our case).
Downsides: - On the (management) LAN, the only protection is the MD5 encryption with the shared secret. - If you set up a second VM for redundancy, keeping the passwords in sync must be done manually.
We actually have this second VM (on a different cluster). Again, this only feasible because of the small number of users.
Another way to go might be SSH keys on IOS, I haven't tried these yet.
Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Am 06.04.2018 um 14:21 schrieb Dave Macias:
You also can store your credentials using ldap with the freeradius ldap module. [LDAP advantages]
Sure, that's for the large-scale stuff. I described a scenario with very few users, and authentication as the only service. The plus with local Unix accounts is that you barely have to set up anything at all, but rather rely on existing, well implemented infrastructure. But you should definitely be aware of its limitations. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (4)
-
Arran Cudbard-Bell -
Dave Macias -
Martin Pauly -
Tom Griffin