freeradius and cisco hidden share

Peter Nixon listuser at
Mon Apr 9 18:58:03 CEST 2007

Hi Michael

Please add any info you feel is relevant to:



On Mon 09 Apr 2007, King, Michael wrote:
> It sounds like you're trying to encrypt the shared secret in the router
> config.  Or, you're trying to copy the encrypted shared secret and paste
> it.  (The 7 is what tipped me off)
> First, you need to verify that you have password-encryption
> enabled in the IOS.  This is the magic that makes that happen.
> Second, be aware that IOS from 12.2 to 12.4 is majorly different.  Trust
> me, I've just ended a 4 firmware upgrade nightmare (Went from 12.2, to
> 12.3, to 12.4, to another 12.4) just to chase down a bug that popped up
> in 12.3 (We needed a new feature that didn't exist in 12.2 or we would
> have stayed there)
> This is taken from the internet, but it looks like it will fit you
> pretty well.
> nst-Active-Directory-from-Cisco-IOS.aspx
> The IOS side of the configuration is quite easy. The commands can be
> entered sequentially either as a paste in from a text file or as part of
> some automated procedure (e.g. SecureCRT scripts, an Expect shell
> script, etc). The sample config below assumes two RADIUS servers with IP
> addresses and The sample also sources all
> requests from interface Loopback0:
> Note: Don't use the key of Cis$ko.  Make up your own.
> conf t
> aaa new-model
> radius-server host auth-port 1812 acct-port 1813 key Cis$ko
> radius-server host auth-port 1812 acct-port 1813 key Cis$ko
> ip radius source-interface Loopback0
> aaa group server radius RadiusServers
>  server auth-port 1812 acct-port 1813
>  server auth-port 1812 acct-port 1813
>  exit
> aaa authentication login default group RadiusServers local
> exit
> Assuming the password-encryption service is started on the device the
> shared secrets will be encrypted after they're entered. It is also
> highly recommended that a local login exist in case there is a failure
> to communicate with the RADIUS servers for any reason (the
> authentication order in the configlet specifies falling back to the
> local database after the RadiusServers group). Ports 1812 and 1813 are
> specified in this configuration, so the necessary holes will need to be
> punched through firewalls and access-lists to allow this to work. To
> change the ports utilized by IAS, pull up the properties of the root
> node in the console and choose the ports tab.


Peter Nixon
PGP Key:
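
One way to check a saved router configuration against the points raised in the quoted post (password-encryption enabled, no cleartext or sample key on the radius-server lines, local fallback in the login list), as an added example that is not part of the original message. The function name, the 192.0.2.x addresses and the sample text are constructed for illustration; the post's own addresses are not shown on this page.

```python
import re

SAMPLE_KEY = "Cis$ko"  # the key the quoted post says not to reuse
HOST_RE = re.compile(r"^radius-server host (\S+)(.*)$")
KEY_RE = re.compile(r"\bkey (?:(\d) )?(\S+)\s*$")   # optional type digit, then the key
LOGIN_RE = re.compile(r"^aaa authentication login default (.+)$")

# Constructed sample: the quoted configlet as typed, with documentation addresses.
AS_TYPED = """\
aaa new-model
radius-server host 192.0.2.1 auth-port 1812 acct-port 1813 key Cis$ko
radius-server host 192.0.2.2 auth-port 1812 acct-port 1813 key Cis$ko
ip radius source-interface Loopback0
aaa group server radius RadiusServers
 server 192.0.2.1 auth-port 1812 acct-port 1813
 server 192.0.2.2 auth-port 1812 acct-port 1813
aaa authentication login default group RadiusServers local
"""

def audit_ios_radius(config: str) -> list[str]:
    """Return findings for the RADIUS login setup described in the quoted post."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is not enabled")
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")
    if not any(ln.startswith("ip radius source-interface ") for ln in lines):
        findings.append("no ip radius source-interface set")
    for ln in lines:
        host = HOST_RE.match(ln)
        if host:
            key = KEY_RE.search(host.group(2))
            if key is None:
                findings.append(f"{host.group(1)}: no key on host line")
            elif key.group(1) in (None, "0"):   # no type digit, or type 0
                findings.append(f"{host.group(1)}: key stored in cleartext")
                if key.group(2) == SAMPLE_KEY:
                    findings.append(f"{host.group(1)}: sample key in use")
        login = LOGIN_RE.match(ln)
        if login and login.group(1).split()[-1] != "local":
            findings.append("login method list has no local fallback")
    return findings

if __name__ == "__main__":
    for finding in audit_ios_radius(AS_TYPED):
        print(finding)
```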
