Cisco IOS Authentication

Martin Pauly pauly at hrz.uni-marburg.de
Fri Apr 6 10:24:37 CEST 2018


Hello Tom,

> We are looking into using freeRADIUS to provide authentications to our
> Cisco IOS devices.
> 
> There is a very helpful guide on the wiki
> (https://wiki.freeradius.org/vendor/Cisco), however, the article only lists
> 'Cleartext-Password' as an acceptable method for storing the user's
> password attribute within freeRADIUS. Is it possible to use a more secure
> method of storing the passwords that is compatible with Cisco IOS?

Why store inside freeradius? For CLI access to our IOS devices,
I use a dedicated RADIUS VM and authenticate all IOS shell access against
its local Linux accounts, i.e. /etc/shadow on the RADIUS server is my password storage.
With all recent Linuxes using SHA-512 Hashes and a stripped-down config on the
dedicated machine, this should IMHO suffice as a password store -- but only
if your number of users is small (~12 in our case).

Downsides:
- On the (management) LAN, the only protection is the MD5 encryption with the shared secret.
- If you set up a second VM for redundancy, keeping the passwords in sync must be done manually.

We actually have this second VM (on a different cluster).
Again, this is only feasible because of the small number of users.

Another way to go might be SSH keys on IOS, I haven't tried these yet.

Cheers, Martin
-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
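
The "MD5 encryption with the shared secret" listed under the downsides is, assuming the IOS logins use PAP, the User-Password hiding defined in RFC 2865 section 5.2. The sketch below is an added example, not part of the message above and not FreeRADIUS code; it shows that the server recovers the cleartext password (which is what lets it check against a SHA-512 hash in /etc/shadow) and that the protection rests entirely on the shared secret. The secret, authenticator and password are constructed sample values.

```python
import hashlib
import os


def _xor_block(data: bytes, secret: bytes, prev: bytes) -> bytes:
    # Keystream for one 16-byte block is MD5(shared secret + previous block).
    return bytes(d ^ k for d, k in zip(data, hashlib.md5(secret + prev).digest()))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (NAS) side: build the User-Password attribute value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 bytes")
    blocks = max(1, -(-len(password) // 16))       # at least one block
    padded = password.ljust(blocks * 16, b"\x00")  # NUL-pad to a multiple of 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor_block(padded[i:i + 16], secret, prev)  # chain on ciphertext
        out += prev
    return out


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding; yields the cleartext password."""
    if len(authenticator) != 16 or len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor_block(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")  # padding removal; trailing NULs are not preserved


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # sample value, not from the post
    authenticator = os.urandom(16)                 # random per Access-Request
    password = b"constructed sample passphrase"    # 29 bytes -> two blocks
    hidden = hide_user_password(password, secret, authenticator)
    print("on the wire :", hidden.hex(), f"({len(hidden)} bytes)")
    print("server sees :", recover_user_password(hidden, secret, authenticator))
    print("wrong secret:", recover_user_password(hidden, b"other", authenticator))
```

The attribute length reveals the password length only in 16-byte steps, and nothing here is keyed by anything other than the shared secret, so that secret should be long, random and distinct per NAS.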
