<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic It's not the whole message in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/default-encryption-on-cisco-router-for-radius-authentication/m-p/2777994#M41366</link>
    <description>&lt;P&gt;It's not the whole message that gets encrypted. The user-password is encrypted in a way that is explained in &lt;A href="http://www.ietf.org/rfc/rfc2865.txt"&gt;section 5.2 of the RFC:&lt;/A&gt;&lt;/P&gt;
&lt;PRE class="prettyprint"&gt;5.2.  User-Password

   Description

      This Attribute indicates the password of the user to be
      authenticated, or the user's input following an Access-Challenge.
      It is only used in Access-Request packets.

      On transmission, the password is hidden.  The password is first
      padded at the end with nulls to a multiple of 16 octets.  A one-
      way MD5 hash is calculated over a stream of octets consisting of
      the shared secret followed by the Request Authenticator.  This
      value is XORed with the first 16 octet segment of the password and
      placed in the first 16 octets of the String field of the User-
      Password Attribute.

      If the password is longer than 16 characters, a second one-way MD5
      hash is calculated over a stream of octets consisting of the
      shared secret followed by the result of the first xor.  That hash
      is XORed with the second 16 octet segment of the password and
      placed in the second 16 octets of the String field of the User-
      Password Attribute.

      If necessary, this operation is repeated, with each xor result
      being used along with the shared secret to generate the next hash
      to xor the next segment of the password, to no more than 128
      characters.
&lt;/PRE&gt;</description>
    <pubDate>Mon, 14 Dec 2015 22:27:50 GMT</pubDate>
    <dc:creator>Karsten Iwen</dc:creator>
    <dc:date>2015-12-14T22:27:50Z</dc:date>
    <item>
      <title>Default encryption on cisco router for radius authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/default-encryption-on-cisco-router-for-radius-authentication/m-p/2777991#M41363</link>
      <description>&lt;P&gt;Hi everybody&lt;/P&gt;
&lt;P&gt;Please consider the following config:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What encryption will R1 use while communicating with the radius server?&lt;/P&gt;
&lt;P&gt;Much appreciated!!&lt;/P&gt;
&lt;PRE class="prettyprint"&gt;R1(config)# aaa new-model&lt;BR /&gt;R1(config)# radius-server host 192.168.2.5 auth-port 1645 acct-port 1646&lt;BR /&gt;R1(config)# radius-server key MyRadiusKey&lt;/PRE&gt;</description>
      <pubDate>Mon, 11 Mar 2019 06:19:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/default-encryption-on-cisco-router-for-radius-authentication/m-p/2777991#M41363</guid>
      <dc:creator>sarahr202</dc:creator>
      <dc:date>2019-03-11T06:19:24Z</dc:date>
    </item>
    <item>
      <title>There is no general</title>
      <link>https://community.cisco.com/t5/network-access-control/default-encryption-on-cisco-router-for-radius-authentication/m-p/2777992#M41364</link>
      <description>&lt;P&gt;There is no general encryption in RADIUS. The&amp;nbsp;key is mainly used for authentication and encryption of only the user-password. This is from the &lt;A href="http://www.ietf.org/rfc/rfc2865.txt"&gt;RFC&lt;/A&gt;:&lt;/P&gt;
&lt;PRE class="prettyprint"&gt;      Transactions between the client and RADIUS server are
      authenticated through the use of a shared secret, which is never
      sent over the network.  In addition, any user passwords are sent
      encrypted between the client and RADIUS server, to eliminate the
      possibility that someone snooping on an unsecure network could
      determine a user's password.
&lt;/PRE&gt;</description>
      <pubDate>Sun, 13 Dec 2015 11:07:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/default-encryption-on-cisco-router-for-radius-authentication/m-p/2777992#M41364</guid>
      <dc:creator>Karsten Iwen</dc:creator>
      <dc:date>2015-12-13T11:07:56Z</dc:date>
    </item>
    <item>
      <title>Thanks Karsten, for the</title>
      <link>https://community.cisco.com/t5/network-access-control/default-encryption-on-cisco-router-for-radius-authentication/m-p/2777993#M41365</link>
      <description>&lt;P&gt;Thanks Karsten, for the response.&lt;/P&gt;
&lt;P&gt;In my example R1 is a Cisco router. When it sends a radius access-request to the server, it first encrypts the message. My question is what kind of encryption R1 uses if none is specified (does it use MD5 or SHA etc.)?&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2015 22:18:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/default-encryption-on-cisco-router-for-radius-authentication/m-p/2777993#M41365</guid>
      <dc:creator>sarahr202</dc:creator>
      <dc:date>2015-12-14T22:18:44Z</dc:date>
    </item>
    <item>
      <title>It's not the whole message</title>
      <link>https://community.cisco.com/t5/network-access-control/default-encryption-on-cisco-router-for-radius-authentication/m-p/2777994#M41366</link>
      <description>&lt;P&gt;It's not the whole message that gets encrypted. The user-password is encrypted in a way that is explained in &lt;A href="http://www.ietf.org/rfc/rfc2865.txt"&gt;section 5.2 of the RFC:&lt;/A&gt;&lt;/P&gt;
&lt;PRE class="prettyprint"&gt;5.2.  User-Password

   Description

      This Attribute indicates the password of the user to be
      authenticated, or the user's input following an Access-Challenge.
      It is only used in Access-Request packets.

      On transmission, the password is hidden.  The password is first
      padded at the end with nulls to a multiple of 16 octets.  A one-
      way MD5 hash is calculated over a stream of octets consisting of
      the shared secret followed by the Request Authenticator.  This
      value is XORed with the first 16 octet segment of the password and
      placed in the first 16 octets of the String field of the User-
      Password Attribute.

      If the password is longer than 16 characters, a second one-way MD5
      hash is calculated over a stream of octets consisting of the
      shared secret followed by the result of the first xor.  That hash
      is XORed with the second 16 octet segment of the password and
      placed in the second 16 octets of the String field of the User-
      Password Attribute.

      If necessary, this operation is repeated, with each xor result
      being used along with the shared secret to generate the next hash
      to xor the next segment of the password, to no more than 128
      characters.
&lt;/PRE&gt;</description>
      <pubDate>Mon, 14 Dec 2015 22:27:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/default-encryption-on-cisco-router-for-radius-authentication/m-p/2777994#M41366</guid>
      <dc:creator>Karsten Iwen</dc:creator>
      <dc:date>2015-12-14T22:27:50Z</dc:date>
    </item>
  </channel>
</rss>

