Radius-server Host Configuration C3825

julito4589
Level 1

Hi,

I'm changing radius configurations in a Cisco 3825 router.

The current configuration reads

!
radius-server host X.X.X.X key 7 [LONG STRING WITH ENCRYPTED KEY]
!

 

I'm changing both the host and the key (this ties to a PhoneFactor two-factor authentication agent, but that's not relevant here).

 

Based on the documentation here http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrad.html#wp1000937, the command should look something like:

Router(config)#radius-server host x.x.x.x

Router(config)# radius-server key {0 string | 7 string | string}

 

I'm issuing

radius-server host x.x.x.x key 7 PASSWORD-STRING

 

and I get an error message for %Invalid encrypted key: PASSWORD-STRING

Am I supposed to enter an already encrypted key? And if so, how am I encrypting so the router can decrypt it and pass it to the Radius server on the other end?

Otherwise, what am I doing wrong?

Thank you

 

3 Replies

ghostinthenet
Level 7

You're correct. If you use "radius-server host x.x.x.x key 7 PASSWORD-STRING" the router will expect an already-encrypted string to follow.

If your router has "service password-encryption" in its configuration, it will automatically generate the encrypted configuration line when you enter it in an unencrypted format. Just enter the unencrypted password string using the following command format:

radius-server host x.x.x.x key 0 PASSWORD-STRING

When you check the configuration afterwards, you'll see that the version in the running configuration is encrypted.

Ok. Thanks for the answer.

service password-encryption is enabled so the Radius shared secret now shows encrypted. Apparently the radius-server command will be deprecated and replaced with radius server.

True... but the new format isn't much different.

radius server RADIUS_AD
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 0 radius-key

The same rule applies for the 0 (unencrypted) and 7 (encrypted) options on the key statement.
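An added example, not part of the posts above: a small pre-check for RADIUS key statements in both the legacy `radius-server host` form and the `radius server` block form, showing why `key 7 PASSWORD-STRING` is rejected and which keys are still stored in cleartext. The function names, the sample configuration and the assumed shape of a type 7 string (two decimal digits followed by hex byte pairs) are assumptions made for this illustration.

```python
import re

# Legacy one-line form, and the key line inside a new-style "radius server" block.
LEGACY = re.compile(r"^radius-server host (\S+).*?\bkey (?:([07]) )?(\S+)\s*$")
BLOCK_START = re.compile(r"^radius server (\S+)\s*$")
BLOCK_KEY = re.compile(r"^\s+key (?:([07]) )?(\S+)\s*$")
# Assumed shape of a type 7 string: two decimal digits, then hex byte pairs.
TYPE7 = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")

def classify(key_type, value):
    """Return a finding for one key statement; no key type is treated as 0."""
    if key_type == "7":
        return "type7-ok" if TYPE7.match(value) else "type7-malformed"
    return "cleartext"

def audit(config_text):
    """Return (findings, has_service_password_encryption) for an IOS config."""
    findings, block = [], None
    lines = config_text.splitlines()
    svc = any(l.strip() == "service password-encryption" for l in lines)
    for line in lines:
        m = LEGACY.match(line)
        if m:
            findings.append((m.group(1), classify(m.group(2), m.group(3))))
            continue
        m = BLOCK_START.match(line)
        if m:
            block = m.group(1)          # entering a "radius server NAME" block
            continue
        m = BLOCK_KEY.match(line)
        if m and block:
            findings.append((block, classify(m.group(1), m.group(2))))
        elif not line.startswith(" "):
            block = None                # an unindented line ends the block
    return findings, svc

# Constructed sample: documentation-range addresses, placeholder key strings.
SAMPLE = """\
service password-encryption
radius-server host 192.0.2.10 key 7 PASSWORD-STRING
radius-server host 192.0.2.11 key 7 020A0B0C0D0E
radius server RADIUS_AD
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key 0 radius-key
"""

if __name__ == "__main__":
    for target, finding in audit(SAMPLE)[0]:
        print(target, finding)
```

A `type7-malformed` finding corresponds to the `%Invalid encrypted key` error in the question; a `cleartext` finding in a saved configuration means the secret was never converted by `service password-encryption`.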
