freeradius and cisco hidden share
King, Michael
MKing at bridgew.edu
Mon Apr 9 18:37:33 CEST 2007
It sounds like you're trying to encrypt the shared secret in the router
config. Or, you're trying to copy the encrypted shared secret and paste
it. (The 7 is what tipped me off.)
First, you need to verify that password-encryption is enabled in the
IOS. This is the magic that makes that happen.
Second, be aware that IOS from 12.2 to 12.4 is majorly different. Trust
me, I've just ended a four-firmware-upgrade nightmare (went from 12.2 to
12.3, to 12.4, to another 12.4) just to chase down a bug that popped up
in 12.3. (We needed a new feature that didn't exist in 12.2 or we would
have stayed there.)
This is taken from the internet, but it looks like it will fit you
pretty well.
http://briandesmond.com/blog/archive/2006/07/22/How-to-authenticate-against-Active-Directory-from-Cisco-IOS.aspx
The IOS side of the configuration is quite easy. The commands can be
entered sequentially either as a paste in from a text file or as part of
some automated procedure (e.g. SecureCRT scripts, an Expect shell
script, etc). The sample config below assumes two RADIUS servers with IP
addresses 192.168.1.10 and 192.168.1.11. The sample also sources all
requests from interface Loopback0:
Note: Don't use the key of Cis$ko. Make up your own.
conf t
aaa new-model
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key Cis$ko
radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key Cis$ko
ip radius source-interface Loopback0
aaa group server radius RadiusServers
 server 192.168.1.10 auth-port 1812 acct-port 1813
 server 192.168.1.11 auth-port 1812 acct-port 1813
 exit
aaa authentication login default group RadiusServers local
exit
Assuming the password-encryption service is started on the device, the
shared secrets will be encrypted after they're entered. It is also
highly recommended that a local login exist in case there is a failure
to communicate with the RADIUS servers for any reason (the
authentication order in the configlet specifies falling back to the
local database after the RadiusServers group). Ports 1812 and 1813 are
specified in this configuration, so the necessary holes will need to be
punched through firewalls and access-lists to allow this to work. To
change the ports utilized by IAS, pull up the properties of the root
node in the console and choose the Ports tab.
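Added example (not part of the post above or of FreeRADIUS): the "7" in a `key 7 ...` line means the secret is stored as Cisco type 7, which is a fixed-key XOR obfuscation, not encryption. That is why the type 7 string cannot be pasted into FreeRADIUS (clients.conf needs the plaintext secret) and why "service password-encryption" should not be treated as protecting the router config. The script below decodes and encodes type 7, pulls the plaintext secret out of a `radius-server host ... key ...` line in any of its three forms (bare, `key 0`, `key 7`), and renders the matching clients.conf stanza. The constant XLAT is the publicly known Cisco translation table; the function names, the sample config lines and the clients.conf `client name { ipaddr = ... secret = ... }` layout (FreeRADIUS 2.x and later syntax) are this example's own assumptions.

```python
import re

# Cisco type 7 translation table. This is a fixed, publicly known constant,
# which is exactly why type 7 is reversible and offers no real protection.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(enc: str) -> str:
    """Reverse a type 7 string such as '094F471A1A0A' to its plaintext.

    Format: two decimal digits giving the starting offset into XLAT, then
    one pair of hex digits per plaintext byte, each XORed with the table
    byte at the running offset.
    """
    enc = enc.strip()
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % enc)
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    out = bytearray(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return out.decode("latin-1")


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce the type 7 form IOS would store for `plain` with offset `seed`."""
    if not 0 <= seed <= 15:  # IOS picks an offset in this range
        raise ValueError("seed must be 0..15")
    raw = plain.encode("latin-1")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(raw))
    return "%02d%s" % (seed, body.hex().upper())


# Matches 'radius-server host <ip> [auth-port N acct-port N] key [0|7] <value>'.
_RADIUS_LINE = re.compile(
    r"^\s*radius-server host (?P<host>\S+).*? key(?: (?P<type>[07]))? (?P<key>\S+)\s*$"
)


def radius_secret(line: str) -> tuple:
    """Return (server_ip, plaintext_secret) from a radius-server host line.

    'key 7 <hex>' is decoded; 'key 0 <plain>' and bare 'key <plain>' are
    returned as-is, since type 0 means unencrypted.
    """
    m = _RADIUS_LINE.match(line)
    if not m:
        raise ValueError("not a radius-server host line: %r" % line)
    secret = m.group("key")
    if m.group("type") == "7":
        secret = type7_decode(secret)
    return m.group("host"), secret


def clients_conf_entry(name: str, router_ip: str, secret: str) -> str:
    """Render the FreeRADIUS clients.conf stanza for one router.

    Note the ipaddr is the router's source address (Loopback0 in the
    configlet above), not the RADIUS server address from the IOS line.
    """
    return "client %s {\n\tipaddr = %s\n\tsecret = %s\n}\n" % (name, router_ip, secret)


if __name__ == "__main__":
    # Constructed sample: what 'show run' prints after service password-encryption.
    running_config = [
        "radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key 7 094F471A1A0A",
        "radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key 7 094F471A1A0A",
    ]
    for cfg in running_config:
        host, secret = radius_secret(cfg)
        print("%s -> secret %r" % (host, secret))
    # Assumed router loopback address for the clients.conf side.
    print(clients_conf_entry("router1", "10.255.0.1", secret))
```

Run it against the `radius-server host` lines from `show running-config`; the decoded value is what belongs in the `secret =` line of clients.conf. The same reversibility means anyone who can read the router config (backups, TFTP, `show run` over a shared session) has the RADIUS shared secret, so protect the config file as you would the plaintext.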