AW: Authenticating SSH login on a Cisco IOS switch to AD
Alan DeKok
aland at deployingradius.com
Thu Feb 10 13:50:17 CET 2011
Oliver Elliott wrote:
> I had a look into this and as far as I could tell, the conversation
> between the switch and the radius server was not encrypted unless you
> use TACACS. Does anyone know if this conversation can be encrypted while
> using Freeradius, as otherwise the domain login details are presumably
> being sent over the network in clear text?

RADIUS passwords are always encrypted.

If you want a "real" TACACS+ server, add TACACS+ support to
FreeRADIUS. It isn't hard. i.e. probably ~2K LoC. But I haven't had
the incentive to do it yet.

After that, maybe ARP. I've been looking at the "arpwatch" programs,
and none of them talk to databases. <sigh>

Alan DeKok.