New Member

Radius-server Host Configuration C3825

Hi,

I'm changing radius configurations in a Cisco 3825 router.

The current configuration reads

!
radius-server host X.X.X.X key 7 [LONG STRING WITH ENCRYPTED KEY]
!

I'm changing both the host and the key (this ties to a PhoneFactor two-factor authentication agent, but that's not relevant here).

Based on the documentation here http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrad.html#wp1000937, the command should look something like:

Router(config)#radius-server host x.x.x.x

Router(config)# radius-server key {0 string | 7 string | string}

I'm issuing

radius-server host x.x.x.x key 7 PASSWORD-STRING

and I get an error message for %Invalid encrypted key: PASSWORD-STRING

Am I supposed to enter an already encrypted key? And if so, how am I encrypting so the router can decrypt it and pass it to the Radius server on the other end?

Otherwise, what am I doing wrong?

Thank you.

3 REPLIES


You're correct. If you use "radius-server host x.x.x.x key 7 PASSWORD-STRING" the router will expect an already-encrypted string to follow.

If your router has "service password-encryption" in its configuration, it will automatically generate the encrypted configuration line when you enter it in an unencrypted format. Just enter the unencrypted password string using the following command format:

radius-server host x.x.x.x key 0 PASSWORD-STRING

When you check the configuration afterwards, you'll see that the version in the running configuration is encrypted.

New Member


Ok. Thanks for the answer.

service password-encryption is enabled, so the Radius shared secret now shows encrypted. Apparently the radius-server command will be deprecated and replaced with radius server.


True... but the new format isn't much different.

radius server RADIUS_AD
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 0 radius-key

The same rule applies for the 0 (unencrypted) and 7 (encrypted) options on the key statement.
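
As an added illustration (not part of the thread and not Cisco tooling), here is a pre-flight lint in Python for RADIUS key statements in both formats discussed above, run before pasting lines into the router. The type 7 shape check (two decimal digits followed by hex pairs) is an approximation of what IOS validates; the addresses, the sample type 7 value and the verdict names are constructed.

```python
import re

# Assumed shape of a type 7 value: two decimal digits, then hex byte pairs.
# IOS's own validation may be stricter than this approximation.
TYPE7_SHAPE = re.compile(r"^[0-9]{2}(?:[0-9A-Fa-f]{2})+$")
KEY = r"key\s+(?:([07])\s+)?(\S+)\s*$"          # key {0 string | 7 string | string}
LEGACY = re.compile(r"^radius-server host (\S+).*?\s" + KEY)
BLOCK_START = re.compile(r"^radius server (\S+)")
BLOCK_KEY = re.compile(r"^\s+" + KEY)

# Constructed sample: documentation addresses and a made-up type 7 shaped value.
SAMPLE = """\
service password-encryption
radius-server host 192.0.2.10 key 7 PASSWORD-STRING
radius-server host 192.0.2.11 key 0 PASSWORD-STRING
radius server RADIUS_AD
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key 7 02AB34CD56EF
"""


def lint_radius_keys(config_text):
    """Return (line_no, target, verdict) for every RADIUS key statement."""
    lines = config_text.splitlines()
    encrypts = any(l.strip() == "service password-encryption" for l in lines)
    findings, block = [], None
    for no, line in enumerate(lines, 1):
        start = BLOCK_START.match(line)
        if start:                       # entering a "radius server NAME" block
            block = start.group(1)
            continue
        if not line.startswith(" "):    # an unindented line closes the block
            block = None
        m = LEGACY.match(line) or (BLOCK_KEY.match(line) if block else None)
        if not m:
            continue
        key_type, value = m.groups()[-2:]
        if key_type == "7":             # router expects an already-encoded string
            ok = TYPE7_SHAPE.match(value)
            verdict = "accepted-as-type7" if ok else "rejected-invalid-encrypted-key"
        else:                           # "0" or no type digit: cleartext input
            verdict = "stored-as-type7" if encrypts else "stored-in-clear"
        findings.append((no, block or m.group(1), verdict))
    return findings


if __name__ == "__main__":
    for finding in lint_radius_keys(SAMPLE):
        print(finding)
```

Type 7 is reversible obfuscation rather than strong encryption, so a configuration file that contains type 7 keys should still be stored and shared as a secret.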
