Re: Riverbed console authentication, encrypted User-Password

Schaatsbergen, Chris Chris.Schaatsbergen at aleo-solar.de
Mon Mar 14 11:50:18 CET 2011


Hi,

Pretty weird. I set the Shared Secret again (in CLI) and had exactly the same results. So I tried setting the shared secret using the Riverbed web interface and now it works perfectly. Will write a new ticket for Riverbed support.

Sorry to have bothered you, thanks for the help.

Chris Schaatsbergen

> -----Original Message-----
> From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de at lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de at lists.freeradius.org] On Behalf Of Stefan Winter
> Sent: Monday, 14 March 2011 11:12
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Riverbed console authentication, encrypted User-Password
> 
> Hi,
> 
> > I have been asked if our Riverbed console users can also be authenticated through freeRadius. Riverbed has RiOS running, which is almost Cisco IOS and a Radius Server can be configured so I did. In freeRadius I added the Riverbed as client but unfortunately it was not that easy (is it ever?).
> >
> > rad_recv: Access-Request packet from host 10.1.1.27 port 9538, id=37, length=71
> >         User-Name = "username"
> >         User-Password = "/\227\334\377\374\302\343\204\345\001'O\227"
> >         NAS-Identifier = "webasd"
> >         NAS-Port = 8513
> >         NAS-Port-Type = Virtual
> >         Service-Type = Authenticate-Only
> >
> > That is not the password I entered, my conclusion is that Riverbed encrypts the password before the entire request is encrypted using the shared secret.
> 
> This looks like a typical case of shared secret mismatch. Are you
> *sure* that the shared secret is exactly the same on RiOS and
> FreeRADIUS?
> 
> > I cannot find a way to change how Riverbed sends the request, though I am writing a ticket there as well. My question to you, can freeRadius work with encrypted passwords?
> 
> It can, in a multitude of ways. None of these ways is about en-/decrypting the password within the User-Password attribute though.
> That is very odd. My strong guess is a shared secret mismatch instead.
> 
> Greetings,
> 
> Stefan Winter
> 
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> 
> Tel: +352 424409 1
> Fax: +352 422473
> 
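
What a shared secret mismatch does to User-Password, as an added example that is not part of the original thread: RADIUS (RFC 2865, section 5.2) hides the password by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator, so a server holding a different secret recovers garbage like the value in the debug output above. The secrets, password and authenticator are constructed sample values, and the function names are illustrative.

```python
import hashlib

# Constructed sample values, not taken from the thread.
NAS_SECRET = b"testing123"          # secret configured on the NAS
SERVER_SECRET_TYPO = b"testing123 " # same secret with a stray trailing space
AUTHENTICATOR = bytes(range(16))    # 16-byte Request Authenticator


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad to a multiple of 16, XOR each block with MD5(secret + prev)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # the next block is keyed on the previous ciphertext block
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, then strip the NUL padding."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden User-Password must be 16..128 bytes, multiple of 16")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def looks_like_secret_mismatch(recovered: bytes) -> bool:
    """Heuristic: a password typed at a login prompt decodes as printable UTF-8."""
    try:
        return not recovered.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return True


if __name__ == "__main__":
    hidden = hide_password(b"correct horse", NAS_SECRET, AUTHENTICATOR)
    for label, secret in (("matching", NAS_SECRET), ("mismatched", SERVER_SECRET_TYPO)):
        got = recover_password(hidden, secret, AUTHENTICATOR)
        print(label, repr(got), "mismatch suspected:", looks_like_secret_mismatch(got))
```

The protocol gives the server no integrity check on this attribute, so a wrong secret shows up only as an unreadable password and a failed authentication, never as an explicit error.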




