10-09-2014 02:58 PM - edited 03-04-2019 11:56 PM
Hi,
I'm changing radius configurations in a Cisco 3825 router.
The current configuration reads
!
radius-server host X.X.X.X key 7 [LONG STRING WITH ENCRYPTED KEY]
!
I'm changing both the host and the key (this ties to a PhoneFactor two-factor authentication agent, but that's not relevant here).
Based on the documentation here http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrad.html#wp1000937, the command should look something like:
Router(config)#radius-server host x.x.x.x
Router(config)# radius-server key {0 string | 7 string | string}
I'm issuing
radius-server host x.x.x.x key 7 PASSWORD-STRING
and I get an error message for %Invalid encrypted key: PASSWORD-STRING
Am I supposed to enter an already encrypted key? And if so, how am I encrypting so the router can decrypt it and pass it to the Radius server on the other end?
Otherwise, what am I doing wrong?
Thank you
10-09-2014 03:41 PM
You're correct. If you use "radius-server host x.x.x.x key 7 PASSWORD-STRING" the router will expect an already-encrypted string to follow.
If your router has "service password-encryption" in its configuration, it will automatically generate the encrypted configuration line when you enter it in an unencrypted format. Just enter the unencrypted password string using the following command format:
radius-server host x.x.x.x key 0 PASSWORD-STRING
When you check the configuration afterwards, you'll see that the version in the running configuration is encrypted.
10-10-2014 07:08 AM
Ok. Thanks for the answer.
service password-encryption is enabled, so the Radius shared secret now shows encrypted. Apparently the radius-server command will be deprecated and replaced with radius server.
10-10-2014 07:18 AM
True... but the new format isn't much different.
radius server RADIUS_AD
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 0 radius-key
The same rule applies for the 0 (unencrypted) and 7 (encrypted) options on the key statement.
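
The 0/7 rule discussed in this thread, as an added example that is not part of any post above: a small Python check that reads RADIUS key statements in both the old and new syntax and flags a cleartext value entered after "key 7". The sample configuration, the function name and the structural test (two decimal digits followed by hex byte pairs) are assumptions of this example; IOS's own validation may be stricter.

```python
import re

# Constructed sample config (not from the thread); 192.0.2.0/24 is documentation space.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 key 7 PASSWORD-STRING
radius-server host 192.0.2.11 key 0 PASSWORD-STRING
radius-server host 192.0.2.12 key 7 0822455D0A16
radius server RADIUS_AD
 address ipv4 192.0.2.13 auth-port 1812 acct-port 1813
 key radius-key
"""

# "key [0|7] VALUE" at the end of a line; no type digit means cleartext (type 0).
KEY_RE = re.compile(r"(?:^|\s)key(?:\s+([07]))?\s+(\S+)\s*$")
# Type 7 layout: two decimal digits, then one or more hex byte pairs.
# Type 7 is a reversible encoding, so a config that contains it still needs protecting.
TYPE7_RE = re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+")


def audit_radius_keys(config):
    """Return (line_number, key_type, verdict) for each RADIUS key statement."""
    findings = []
    in_block = False  # inside a new-style "radius server NAME" block
    for number, line in enumerate(config.splitlines(), start=1):
        if line.startswith("radius server "):
            in_block = True
            continue
        if not line.startswith(" "):
            in_block = False
        if not (in_block or line.startswith("radius-server ")):
            continue
        match = KEY_RE.search(line)
        if not match:
            continue
        key_type, value = match.group(1) or "0", match.group(2)
        if key_type == "0":
            verdict = "cleartext input; shown as type 7 with service password-encryption"
        elif TYPE7_RE.fullmatch(value):
            verdict = "well-formed type 7 string"
        else:
            verdict = "not a type 7 string; expect an invalid encrypted key error"
        findings.append((number, key_type, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_radius_keys(SAMPLE_CONFIG):
        print(finding)
```
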