Riverbed console authentication, encrypted User-Password

Stefan Winter stefan.winter at restena.lu
Mon Mar 14 11:11:44 CET 2011


> I have been asked if our Riverbed console users can also be authenticated through freeRadius. Riverbed has RiOS running, which is almost Cisco IOS and a Radius Server can be configured so I did. In freeRadius I added the Riverbed as client but unfortunately it was not that easy (is it ever?).
> rad_recv: Access-Request packet from host port 9538, id=37, length=71
>         User-Name = "username"
>         User-Password = "/\227\334\377\374\302\343\204\345\001'O\227"
>         NAS-Identifier = "webasd"
>         NAS-Port = 8513
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
> That is not the password I entered, my conclusion is that Riverbed encrypts the password before the entire request is encrypted using the shared secret.

This looks like a typical case of shared secret mismatch. Are you *sure*
that the shared secret is exactly the same on RiOS and FreeRADIUS?

> I cannot find a way to change how Riverbed sends the request, though I am writing a ticket there as well. My question to you, can freeRadius work with encrypted passwords?

It can, in a multitude of ways. None of these ways is about
en-/dycrypting the password within the User-Password attribute though.
That is very odd. My strong guess is a shared secret mismatch instead.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110314/e02a3f4a/attachment.pgp>

More information about the Freeradius-Users mailing list