freeradius and cisco hidden share

Peter Nixon listuser at peternixon.net
Mon Apr 9 18:58:03 CEST 2007


Hi Michael

Please add any info you feel is relevant to:
http://wiki.freeradius.org/Cisco

Cheers

Peter

On Mon 09 Apr 2007, King, Michael wrote:
> It sounds like you're trying to encrypt the shared secret in the router
> config.  Or, you're trying to copy the encrypted shared secret and paste
> it.  (The 7 is what tipped me off.)
>
> First, you need to verify that you have password-encryption enabled in
> the IOS.  This is the magic that makes that happen.
>
> Second, be aware that IOS from 12.2 to 12.4 is majorly different.  Trust
> me, I've just ended a 4-firmware-upgrade nightmare (went from 12.2, to
> 12.3, to 12.4, to another 12.4) just to chase down a bug that popped up
> in 12.3.  (We needed a new feature that didn't exist in 12.2 or we would
> have stayed there.)
>
> This is taken from the internet, but it looks like it will fit you
> pretty well.
> http://briandesmond.com/blog/archive/2006/07/22/How-to-authenticate-against-Active-Directory-from-Cisco-IOS.aspx
>
> The IOS side of the configuration is quite easy. The commands can be
> entered sequentially either as a paste in from a text file or as part of
> some automated procedure (e.g. SecureCRT scripts, an Expect shell
> script, etc). The sample config below assumes two RADIUS servers with IP
> addresses 192.168.1.10 and 192.168.1.11. The sample also sources all
> requests from interface Loopback0:
>
> Note: Don't use the key of Cis$ko.  Make up your own.
>
> conf t
> aaa new-model
> radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key Cis$ko
> radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key Cis$ko
>
> ip radius source-interface Loopback0
>
> aaa group server radius RadiusServers
>  server 192.168.1.10 auth-port 1812 acct-port 1813
>  server 192.168.1.11 auth-port 1812 acct-port 1813
>  exit
>
> aaa authentication login default group RadiusServers local
> exit
>
> Assuming the password-encryption service is started on the device the
> shared secrets will be encrypted after they're entered. It is also
> highly recommended that a local login exist in case there is a failure
> to communicate with the RADIUS servers for any reason (the
> authentication order in the configlet specifies falling back to the
> local database after the RadiusServers group). Ports 1812 and 1813 are
> specified in this configuration, so the necessary holes will need to be
> punched through firewalls and access-lists to allow this to work. To
> change the ports utilized by IAS, pull up the properties of the root
> node in the console and choose the ports tab.
>



-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
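As an added example (not from the thread, the wiki page, or the blog post), here is a small Python checker that applies the caveats from the quoted configlet to a pasted IOS snippet: `aaa new-model` present, `service password-encryption` enabled (otherwise the keys sit in the config in clear text), the example key Cis$ko replaced, the server group referenced by the method list actually defined, and a `local` fallback at the end of the login method list. The `check_radius_config` function and its regexes are my own; the sample config is the one quoted above.

```python
import re

# Constructed sample: the IOS configlet quoted in the thread, exactly as it
# would be pasted in (clear-text keys, no "service password-encryption" line).
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key Cis$ko
radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key Cis$ko
ip radius source-interface Loopback0
aaa group server radius RadiusServers
 server 192.168.1.10 auth-port 1812 acct-port 1813
 server 192.168.1.11 auth-port 1812 acct-port 1813
 exit
aaa authentication login default group RadiusServers local
"""

RADIUS_HOST = re.compile(r"^radius-server host (\S+) .*\bkey (?:(7) )?(\S+)$")
SERVER_GROUP = re.compile(r"^aaa group server radius (\S+)$")
LOGIN_DEFAULT = re.compile(r"^aaa authentication login default (.+)$")


def check_radius_config(config: str) -> list[str]:
    """Audit an IOS RADIUS configlet; returns findings (empty list = clean)."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists will not apply")
    encrypted = "service password-encryption" in lines
    hosts = [m for m in map(RADIUS_HOST.match, lines) if m]
    if not hosts:
        findings.append("no radius-server host with a key configured")
    for m in hosts:
        host, is_type7, secret = m.group(1), m.group(2) == "7", m.group(3)
        if secret == "Cis$ko":
            findings.append(f"{host}: uses the blog post's example key, set your own")
        if not is_type7 and not encrypted:
            findings.append(f"{host}: key stays clear text (no service password-encryption)")
    groups = {m.group(1) for m in map(SERVER_GROUP.match, lines) if m}
    login = next((m for m in map(LOGIN_DEFAULT.match, lines) if m), None)
    if login is None:
        findings.append("no 'aaa authentication login default' method list")
        return findings
    methods = login.group(1).split()
    if methods[-1] != "local":
        findings.append("login method list does not fall back to local")
    for i, tok in enumerate(methods):
        if tok == "group" and i + 1 < len(methods) and methods[i + 1] not in groups:
            findings.append(f"method list references undefined group {methods[i + 1]}")
    return findings
```

Run `check_radius_config` over the text of `show running-config` once `service password-encryption` is on and the keys show as `key 7 ...`; the same pasted configlet should then come back clean.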


