freeradius and cisco hidden share
Hello,

I'm running FreeRADIUS with the standard Ubuntu Breezy package, which reads as freeradius 1.0.4-2. It's been the connection to the LDAP backend for authentication on an old Cisco 3640 with IOS 12.2(23) for quite a while. I'm trying to set up a new 2811 router with IOS 12.4(11)T1 and am running into a little trouble repeating the same configuration.

The setup works fine if I use a password like "testing123" on both ends. But when I use "radius-server key 7" to encrypt it, it breaks. The current setup does use this, so I know it works. But in all the documentation I've been weeding through on configuring clients.conf, nothing seems to mention how this kind of encryption works on the FreeRADIUS server end.

The router insists on an extremely long key for this configuration. The 3640 shows one in the config, but clients.conf shows a much shorter one. When I try to plug the long one into clients.conf, FreeRADIUS fails to start up.

So how do you configure FreeRADIUS for a Cisco hidden password?

Thanks

--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and cisco hidden share
John Baker wrote:
> The setup works fine if I use a password like "testing123" on both ends.
> But when I use "radius-server key 7" to encrypt it breaks.

As in... what happens?

> The current setup does use this so I know it works. But in all the documentation
> I've been weeding through on configuring clients.conf nothing seems
> to mention how this kind of encryption works on the FreeRADIUS server end.

See RFC 2865... if you really care about it. But trust me, FreeRADIUS works.

> The router insists on an extremely long key for this configuration. The
> 3640 shows one in the config. But clients.conf shows a much shorter one.
>
> When I try to plug the long one in clients.conf freeradius fails to start up.

Could you say what error it produces?

The comments in clients.conf indicate that the shared secret can be no more than 31 characters long. In 2.0, this restriction is removed.

> So how do you configure freeradius for a Cisco hidden password?

No idea. The Cisco "hidden password" thing isn't well documented. i.e. the Cisco docs tell you that you can enable hidden passwords, but don't say what that means.

And if you look for "hidden password" in:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455a5f.html

It looks to me like you're using the wrong command. "radius server key" sets the shared secret to the following text, which in your case is "7". If you want hidden passwords, it looks like you have to use another command.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius and cisco hidden share
Hello

I'm certain I was using the right command. The number 7 in the line tells the router that a hidden key will follow.

coltrane(config)#radius-server key ?
  0     Specifies an UNENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNENCRYPTED (cleartext) shared key

Now at this point I actually got it to work. It turned out that in trying to copy the extremely long number from the old config there was an error.

But I still don't know exactly what it is doing, so I'm hoping somebody can explain, because I may want to change the key at some point.

On the router end the key is configured with

radius-server key 7 "54-character-key"

On the RADIUS server in clients.conf this client's

secret = "totally-different-26-character-key"

Initially I thought that one side or the other would be like /etc/shadow passwords, or the garbled string you see looking at an enable secret password in the Cisco conf. That would account for them appearing totally different. But just copying the old configuration straight works, so I guess not.

Alan DeKok wrote:
> John Baker wrote:
>
>> The setup works fine if I use a password like "testing123" on both ends.
>> But when I use "radius-server key 7" to encrypt it breaks.
>
> As in... what happens?
>
>> The current setup does use this so I know it works. But in all the documentation
>> I've been weeding through on configuring clients.conf nothing seems
>> to mention how this kind of encryption works on the FreeRADIUS server end.
>
> See RFC 2865... if you really care about it. But trust me, FreeRADIUS
> works.
>
>> The router insists on an extremely long key for this configuration. The
>> 3640 shows one in the config. But clients.conf shows a much shorter one.
>>
>> When I try to plug the long one in clients.conf freeradius fails to start up.
>
> Could you say what error it produces?
>
> The comments in clients.conf indicate that the shared secret can be no
> more than 31 characters long. In 2.0, this restriction is removed.
>
>> So how do you configure freeradius for a Cisco hidden password?
>
> No idea. The Cisco "hidden password" thing isn't well documented.
> i.e. the Cisco docs tell you that you can enable hidden passwords, but
> don't say what that means.
>
> And if you look for "hidden password" in:
>
> http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455a5f.html
>
> It looks to me like you're using the wrong command. "radius server
> key" sets the shared secret to the following text, which in your case is
> "7". If you want hidden passwords, it looks like you have to use
> another command.
>
> Alan DeKok.

--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus
RE: freeradius and cisco hidden share
It sounds like you're trying to encrypt the shared secret in the router config. Or you're trying to copy the encrypted shared secret and paste it. (The 7 is what tipped me off.)

First, you need to verify that password encryption is enabled in the IOS. This is the magic that makes that happen.

Second, be aware that IOS from 12.2 to 12.4 is majorly different. Trust me, I've just ended a four-firmware-upgrade nightmare (went from 12.2, to 12.3, to 12.4, to another 12.4) just to chase down a bug that popped up in 12.3. (We needed a new feature that didn't exist in 12.2 or we would have stayed there.)

This is taken from the internet, but it looks like it will fit you pretty well:
http://briandesmond.com/blog/archive/2006/07/22/How-to-authenticate-against-Active-Directory-from-Cisco-IOS.aspx

The IOS side of the configuration is quite easy. The commands can be entered sequentially either as a paste-in from a text file or as part of some automated procedure (e.g. SecureCRT scripts, an Expect shell script, etc). The sample config below assumes two RADIUS servers with IP addresses 192.168.1.10 and 192.168.1.11. The sample also sources all requests from interface Loopback0.

Note: Don't use the key of Cis$ko. Make up your own.

conf t
aaa new-model
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key Cis$ko
radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key Cis$ko

ip radius source-interface Loopback0

aaa group server radius RadiusServers
 server 192.168.1.10 auth-port 1812 acct-port 1813
 server 192.168.1.11 auth-port 1812 acct-port 1813
 exit

aaa authentication login default group RadiusServers local
exit

Assuming the password-encryption service is started on the device, the shared secrets will be encrypted after they're entered.

It is also highly recommended that a local login exist in case there is a failure to communicate with the RADIUS servers for any reason (the authentication order in the configlet specifies falling back to the local database after the RadiusServers group). Ports 1812 and 1813 are specified in this configuration, so the necessary holes will need to be punched through firewalls and access-lists to allow this to work. To change the ports utilized by IAS, pull up the properties of the root node in the console and choose the Ports tab.
RE: freeradius and cisco hidden share
One further comment.

The shared secret in FreeRADIUS CANNOT be the "really long number" in the IOS config file. This is an encrypted hash of the "REAL" secret.
Re: freeradius and cisco hidden share
Hi Michael

Please add any info you feel is relevant to:

http://wiki.freeradius.org/Cisco

Cheers

Peter

On Mon 09 Apr 2007, King, Michael wrote:
> It sounds like you're trying to encrypt the shared secret in the router
> config. Or you're trying to copy the encrypted shared secret and paste
> it. (The 7 is what tipped me off.)
>
> First, you need to verify that password encryption is
> enabled in the IOS. This is the magic that makes that happen.
>
> Second, be aware that IOS from 12.2 to 12.4 is majorly different. Trust
> me, I've just ended a four-firmware-upgrade nightmare (went from 12.2, to
> 12.3, to 12.4, to another 12.4) just to chase down a bug that popped up
> in 12.3. (We needed a new feature that didn't exist in 12.2 or we would
> have stayed there.)
>
> This is taken from the internet, but it looks like it will fit you
> pretty well.
> http://briandesmond.com/blog/archive/2006/07/22/How-to-authenticate-against-Active-Directory-from-Cisco-IOS.aspx
>
> The IOS side of the configuration is quite easy. The commands can be
> entered sequentially either as a paste-in from a text file or as part of
> some automated procedure (e.g. SecureCRT scripts, an Expect shell
> script, etc). The sample config below assumes two RADIUS servers with IP
> addresses 192.168.1.10 and 192.168.1.11. The sample also sources all
> requests from interface Loopback0:
>
> Note: Don't use the key of Cis$ko. Make up your own.
>
> conf t
> aaa new-model
> radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key Cis$ko
> radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key Cis$ko
>
> ip radius source-interface Loopback0
>
> aaa group server radius RadiusServers
>  server 192.168.1.10 auth-port 1812 acct-port 1813
>  server 192.168.1.11 auth-port 1812 acct-port 1813
>  exit
>
> aaa authentication login default group RadiusServers local
> exit
>
> Assuming the password-encryption service is started on the device, the
> shared secrets will be encrypted after they're entered. It is also
> highly recommended that a local login exist in case there is a failure
> to communicate with the RADIUS servers for any reason (the
> authentication order in the configlet specifies falling back to the
> local database after the RadiusServers group). Ports 1812 and 1813 are
> specified in this configuration, so the necessary holes will need to be
> punched through firewalls and access-lists to allow this to work. To
> change the ports utilized by IAS, pull up the properties of the root
> node in the console and choose the Ports tab.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: freeradius and cisco hidden share
Okay, this is the piece I was trying to figure out. :)

Like I said in a follow-up, I found that copying the key out of the old Cisco config and the old one in the users.conf worked. Initially I made an error on the Cisco end when copying that made it fail.

So the piece of confusion is how you get that encrypted hash in there in the first place when configuring a new key.

King, Michael wrote:
> One further comment.
>
> The shared secret in FreeRADIUS CANNOT be the "really long number" in
> the IOS config file. This is an encrypted hash of the "REAL" secret.

--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus
RE: freeradius and cisco hidden share
> -----Original Message-----
> So the piece of confusion is how you get that encrypted hash
> in there in the first place when configuring a new key.

service password-encryption

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7fa1.html#wp1204790
Re: freeradius and cisco hidden share
John Baker writes:
> I'm certain I was using the right command. The number 7 in the line tells
> the router that a hidden key will follow.
>
> coltrane(config)#radius-server key ?
>   0     Specifies an UNENCRYPTED key will follow
>   7     Specifies HIDDEN key will follow
>   LINE  The UNENCRYPTED (cleartext) shared key
>
> Now at this point I actually got it to work. It turned out that in
> trying to copy the extremely long number from the old config there was
> an error.
>
> But I still don't know exactly what it is doing, so I'm hoping somebody
> can explain, because I may want to change the key at some point.
>
> On the router end the key is configured with radius-server key 7
> "54-character-key"
>
> On the RADIUS server in clients.conf this client's secret =
> "totally-different-26-character-key"
>
> Initially I thought that one side or the other would be like /etc/shadow
> passwords or the garbled string you see looking at an enable secret
> password in the Cisco conf. That would account for them appearing
> totally different. But just copying the old configuration straight works,
> so I guess not.

The Cisco type 7 "encryption" is just a local obfuscation of the password to avoid accidental reading-over-the-shoulder. It is "decrypted" by the router before it is used, so in fact both ends have access to the same clear text password.

Please read http://www.cisco.com/warp/public/701/64.html if you think this provides any security of any sort.

Bjørn
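The two points made in the thread, Michael's "the long number is not the secret" and Bjørn's "type 7 is reversible obfuscation, both ends hold the same cleartext", can be shown concretely. The script below is an added example and is not code from the FreeRADIUS list, from FreeRADIUS itself or from Cisco; it implements the publicly known type 7 scheme (two seed digits selecting an offset into a fixed XOR key, then one hex byte pair per cleartext character). The 26-character secret and the 31-character limit are taken from the thread; the sample secret itself is constructed for the example, and the 54 = 2 + 2 x 26 relationship is what makes John's two observed lengths line up. A `clients_conf_secret` helper turns a `radius-server key ...` line into the value to put in clients.conf and refuses the 54-character string itself, which is what FreeRADIUS 1.x did when it failed to start.

```python
#!/usr/bin/env python3
"""Cisco IOS "type 7" (service password-encryption) encode/decode.

Added example; not code from the FreeRADIUS list thread, FreeRADIUS or Cisco.
It shows why the long string after "radius-server key 7" cannot be pasted into
clients.conf: it is a reversible obfuscation of the cleartext shared secret,
not a hash, and the cleartext is what the RADIUS packets are authenticated with.
"""

# Fixed XOR key IOS uses for type 7 obfuscation. It is publicly known, which is
# the whole reason type 7 gives no confidentiality beyond shoulder-surfing.
_XOR_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Limit quoted in the thread for the 1.x clients.conf shared secret (lifted in 2.0).
FREERADIUS_1X_MAX_SECRET = 31


def decrypt_type7(obfuscated: str) -> str:
    """Recover the cleartext behind a type 7 string.

    Layout: two decimal digits giving the starting offset ("seed") into
    _XOR_KEY, followed by one pair of hex digits per cleartext byte.
    """
    if len(obfuscated) < 4 or len(obfuscated) % 2:
        raise ValueError("expected 2 seed digits plus an even number of hex digits")
    seed = int(obfuscated[:2], 10)
    body = bytes.fromhex(obfuscated[2:])
    plain = bytes(b ^ _XOR_KEY[(seed + i) % len(_XOR_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encrypt_type7(plaintext: str, seed: int = 0) -> str:
    """Produce the string IOS would store for `plaintext` with a given seed (00..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 00..15")
    data = plaintext.encode("ascii")
    body = bytes(b ^ _XOR_KEY[(seed + i) % len(_XOR_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def type7_length(secret_len: int) -> int:
    """Length of the type 7 string in the config for a secret of secret_len bytes."""
    return 2 + 2 * secret_len


def clients_conf_secret(ios_key_line: str, max_len: int = FREERADIUS_1X_MAX_SECRET) -> str:
    """Turn an IOS 'radius-server key ...' line into the clients.conf secret.

    Handles the three forms IOS accepts: 'key 7 <hex>' (hidden), 'key 0 <text>'
    and 'key <text>' (both cleartext). Raises if the result would exceed the
    1.x clients.conf limit, which is exactly what happens when the type 7 string
    itself is pasted in as the secret.
    """
    tokens = ios_key_line.split()
    if tokens[:2] != ["radius-server", "key"] or len(tokens) < 3:
        raise ValueError("not a 'radius-server key' line")
    rest = tokens[2:]
    if rest[0] == "7" and len(rest) == 2:
        secret = decrypt_type7(rest[1])
    elif rest[0] == "0":
        secret = " ".join(rest[1:])
    else:
        secret = " ".join(rest)
    if len(secret) > max_len:
        raise ValueError(f"secret is {len(secret)} chars; clients.conf limit is {max_len}")
    return secret


if __name__ == "__main__":
    # Constructed sample secret (not the poster's real key): 26 characters,
    # which is exactly what produces a 54-character "key 7" string.
    secret = "a-26-character-radius-key!"
    hidden = encrypt_type7(secret, seed=7)
    print(f"radius-server key 7 {hidden}   ! {len(hidden)} chars in the IOS config")
    print(f'secret = "{clients_conf_secret("radius-server key 7 " + hidden)}"   # clients.conf')
```

The practical consequence is the one Bjørn draws: the router config is only as confidential as the cleartext secret, so treat `show running-config` output (backups, TFTP copies, pasted snippets in tickets) as containing the RADIUS shared secret in the clear, and rotate the secret on both the router and in clients.conf if such a copy leaks.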