Cisco IOS Authentication

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Apr 5 13:32:58 CEST 2018



> On Apr 5, 2018, at 9:49 AM, Tom Griffin <t.griffin at sheffield.ac.uk> wrote:
> 
> Hello,
> 
> We are looking into using freeRADIUS to provide authentications to our
> Cisco IOS devices.
> 
> There is a very helpful guide on the wiki (
> https://wiki.freeradius.org/vendor/Cisco), however, the article only lists
> 'Cleartext-Password' as an acceptable method for storing the user's
> password attribute within freeRADIUS. Is it possible to use a more secure
> method of storing the passwords that is compatible with Cisco IOS?

Not sure what IOS supports; probably PAP and CHAP.  It's always the same trade-off: if you use PAP you can have your passwords stored in any format, but the password is sent over the wire from the NAS to the RADIUS server.

If you use CHAP then you need the plaintext password available to validate the CHAP-Response from the NAS, but the password is never sent over the wire.

You have to decide on what you believe to be the greater risk: someone getting hold of the shared secrets and decrypting admin credentials by sniffing on your management network, or someone getting access to the password store and getting all the credentials in plaintext.

-Arran
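
The trade-off Arran describes can be seen directly in the two RFC 2865 primitives involved. The following is an added worked example, not code from this thread or from FreeRADIUS (which implements the same logic in rlm_pap and rlm_chap). It implements User-Password hiding (RFC 2865 section 5.2, the PAP case) and the CHAP-Password check (RFC 2865 section 5.3), then shows why PAP lets the server verify against a salted hash while CHAP forces the server to hold the cleartext. The shared secret, Request Authenticator, challenge and passwords are constructed test values, not from any real deployment.

```python
"""PAP vs CHAP in RADIUS: what the server needs to store, and what a sniffer sees.

Added example (not FreeRADIUS code). All secrets/passwords below are constructed.
"""
import hashlib
import hmac
import os

BLOCK = 16  # MD5 digest size; User-Password is hidden in 16-byte blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        cipher = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += cipher
        prev = cipher  # chaining: next keystream block depends on this ciphertext
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide. The RADIUS server does this, and so can anyone who
    captured the Access-Request and knows the shared secret (Arran's first risk)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        cipher = hidden[i:i + BLOCK]
        out += _xor(cipher, hashlib.md5(secret + prev).digest())
        prev = cipher
    # RFC padding is NUL bytes, so a password may not itself end in NULs.
    return bytes(out).rstrip(b"\x00")


# --- PAP on the server: the store only needs a salted, slow hash ----------
def make_hashed_record(password: bytes):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_check_against_hash(hidden, secret, authenticator, record) -> bool:
    salt, digest = record
    candidate = pap_reveal(hidden, secret, authenticator)  # plaintext recovered
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", candidate, salt, 100_000), digest)


# --- CHAP (RFC 2865 s5.3 / RFC 1994) --------------------------------------
def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value as the NAS builds it: ident || MD5(ident||pw||challenge).
    The challenge is the CHAP-Challenge attribute, or the Request Authenticator
    if that attribute is absent."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_check_against_cleartext(chap_password, challenge, cleartext) -> bool:
    """Only possible with the cleartext password in the store: there is no way
    to derive MD5(ident||pw||challenge) from hash(pw) (Arran's second risk)."""
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return hmac.compare_digest(chap_password[1:], expected)


def demo() -> dict:
    secret = b"testing123"                      # constructed shared secret
    authenticator = bytes(range(16))            # constructed Request Authenticator
    password = b"correct-horse-battery-staple"  # constructed, >16 bytes -> 2 blocks
    hidden = pap_hide(password, secret, authenticator)
    record = make_hashed_record(password)
    challenge = os.urandom(16)                  # constructed CHAP-Challenge
    resp = chap_response(0x2A, password, challenge)
    return {
        "pap_roundtrip": pap_reveal(hidden, secret, authenticator) == password,
        "pap_wrong_secret_fails": pap_reveal(hidden, b"guess", authenticator) != password,
        "pap_hash_ok": pap_check_against_hash(hidden, secret, authenticator, record),
        "pap_hash_wrong_pw": pap_check_against_hash(
            pap_hide(b"nope", secret, authenticator), secret, authenticator, record),
        "chap_ok": chap_check_against_cleartext(resp, challenge, password),
        "chap_wrong_pw": chap_check_against_cleartext(resp, challenge, b"nope"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that `pap_check_against_hash` never needs the cleartext after the comparison, whereas `chap_check_against_cleartext` has no hashed equivalent at all; that asymmetry is the whole of the trade-off, and it is also why a captured PAP Access-Request plus the shared secret yields the admin password immediately via `pap_reveal`.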

