topic At least it's a config that in Network Access Control

Radius Server key

clark white — Mon, 11 Mar 2019 07:01:12 GMT

Dears,

whenever I specify the key for the radius server it comes type 7 as such below, if I m not wrong type 7 can be decrypted easily how I can use a encryption which cannot be decrypted.

radius server ISE-SERVERS-SEC

address ipv4 10.X.X.1 auth-port 1645 acct-port 1646

key 7 121608161C0C1E012B3F

thanks

Not all passwords can be

Karsten Iwen — Mon, 22 Aug 2016 18:33:43 GMT

Not all passwords can be protected efficiently. While there are functions in IOS to provide good security for login-passwords and VPN-PSK, I'm not aware of a similar function for RADIUS keys.

There are still some ways to provide security for your keys:

Never use unencrypted management sessions like Telnet or HTTP. Use SSH and HTTPS instead.
Use SNMPv3 instead of SNMPv2
When backing up your config use SCP instead of TFTP/FTP
use complex keys (you have to decide if "omangreat" is a good key)
use long keys as the length of the shown type 7 output relates to the length of the key/password
make sure there is no one sholdersurfing when working on your config

Dear

clark white — Mon, 22 Aug 2016 21:30:47 GMT

Dear

so you are confirming me that when we are configuring the radius host with a key command there is only type 7 key encryption apart from that we have to secure by the ways you have mentioned,

so my configs are correct I am not doing any mistakes for specifying the keys

Dears,

clark white — Wed, 24 Aug 2016 11:35:08 GMT

Dears,

Anybody can confirm to me the above .

thanks

At least it's a config that

Karsten Iwen — Wed, 24 Aug 2016 11:37:53 GMT

At least it's a config that is shown in Cisco best practices and I assume that there is no "hidden gem" to protect these keys better than with type7.

anybody can help me for my

clark white — Wed, 31 Aug 2016 20:01:59 GMT

anybody can help me for my above query and also can confirm to me whether there is another way best practices to configure the radius configuration on the switches.

thanks

Re: Radius Server key

Eman.Jr — Thu, 05 May 2022 14:23:56 GMT

Use type 6 password if your device supports it. Enter the following in global config and it will convert type 7 passwords to type 6

! Specify a password you want the system to use to encrypt

hostname(config)# key config-key password-encrypt <password>

hostname(config)# password encryption aes

Reference:

CSI_CISCO_PASSWORD_TYPES_BEST_PRACTICES_20220217.PDF (defense.gov)