FreeRadius User-password encoding

marketgraph
Level 1

Hi,

I'm trying to set up a RADIUS server to authenticate my users on a couple of routers.

Now I've done my initial setup on an 1811 router and everything works fine. Moving to a production 2801 router, I get into problems. Trying our second production 2801, it works fine again. I'm busting my head on what might be wrong but cannot find anything!

What I see in my FreeRadius output log:

rad_recv: Access-Request packet from host 10.1.1.25:1645, id=172, length=96
    User-Name = "sander"
    Reply-Message = "Password: "
    User-Password = "\204p\034\272\345\346K^\250s\346\200gN\035\250"
    NAS-Port = 194
    NAS-Port-Id = "tty194"
    NAS-Port-Type = Virtual
    Calling-Station-Id = "10.2.1.112"
    NAS-IP-Address = 10.1.1.25
rlm_sql (sql): Reserving sql socket id: 3

So the User-Password gets encrypted somehow by the Cisco. The password is "test" for now. If I log in from my other two Cisco routers I see the plaintext password in the log file from FreeRadius (like I'd expect).

Is there any reason why this 2801 router is acting weird and putting a different User-Password encoding into the mix?

Both 2801s are running the same IOS release.

Please help!

Vivek Santuka
Cisco Employee

Hi,

IOS will encrypt the password field in a RADIUS packet if you are using a secret key.

Please remove any "key" keyword from the radius host entry or remove "radius-server key" command from the config.

Regards,

Vivek

Thanks for your answer but I'm a little confused. On both my 2801 routers I have the following:

radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key 7 <>

Both servers use their own key for RADIUS authentication on my FreeRadius, but that part seems to work as the requests come through. But only one of these Cisco 2801s lets me see the password in the RADIUS log (in which case the checking works).

Or is only the password bit encrypted and could my key be wrong?

Hi,

Only the password is encrypted with RADIUS. I would suggest checking the keys.

Regards,

Vivek

Re-entered the key and everything works now.

Thanks for your help.
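Added example, not part of the original thread: a Python sketch of the User-Password hiding defined in RFC 2865 section 5.2, showing why a shared-secret mismatch produces a garbled password like the 16-byte value in the log above (16 bytes is one padded block). The secrets and the Request Authenticator are constructed sample values, and `looks_like_secret_mismatch` is a hypothetical helper for this illustration.

```python
import hashlib

def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # Pad for each block is MD5(shared secret + previous hidden block);
    # the first block uses the 16-byte Request Authenticator instead.
    pad = hashlib.md5(secret + prev).digest()
    return bytes(x ^ y for x, y in zip(block, pad))

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: null-pad to a multiple of 16 bytes, then XOR with the MD5 chain."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same chain, keyed with the server's own copy of the secret."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128 or len(authenticator) != 16:
        raise ValueError("hidden password must be 16..128 bytes in 16-byte blocks")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _keystream_xor(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")

def looks_like_secret_mismatch(decoded: bytes) -> bool:
    """Heuristic for ASCII passwords only: control or high bytes after
    decoding usually mean the NAS and server secrets differ."""
    return any(b < 0x20 or b > 0x7E for b in decoded)

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator
    hidden = encode_user_password(b"test", b"nas-side-secret", ra)
    for label, secret in (("matching", b"nas-side-secret"),
                          ("mismatched", b"server-side-secret")):
        plain = decode_user_password(hidden, secret, ra)
        print(label, repr(plain), looks_like_secret_mismatch(plain))
```

An Access-Request carries a random Request Authenticator rather than a keyed hash, so without a Message-Authenticator attribute the server still accepts the packet and the mismatch only surfaces as an unreadable password.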
