Default encryption on cisco router for radius authentication

sarahr202
Level 5

Hi everybody

Please consider the following config: 

What encryption will R1 use while communicating with radius server?

Much appreciated!!

R1(config)# aaa new-model
R1(config)# radius-server host 192.168.2.5 auth-port 1645 acct-port 1646
R1(config)# radius-server key MyRadiusKey
3 Replies

There is no general encryption in RADIUS. The key is mainly used for authentication and encryption of only the user-password. This is from the RFC:

      Transactions between the client and RADIUS server are
      authenticated through the use of a shared secret, which is never
      sent over the network.  In addition, any user passwords are sent
      encrypted between the client and RADIUS server, to eliminate the
      possibility that someone snooping on an unsecure network could
      determine a user's password.

Thanks Karsten, for the response.

In my example R1 is a Cisco router. When it sends a RADIUS Access-Request to the server, it first encrypts the message. My question is what kind of encryption R1 uses if none is specified (does it use MD5 or SHA, etc.)?

It's not the whole message that gets encrypted. The User-Password is encrypted in a way that is explained in section 5.2 of the RFC:

5.2.  User-Password

   Description

      This Attribute indicates the password of the user to be
      authenticated, or the user's input following an Access-Challenge.
      It is only used in Access-Request packets.

      On transmission, the password is hidden.  The password is first
      padded at the end with nulls to a multiple of 16 octets.  A one-
      way MD5 hash is calculated over a stream of octets consisting of
      the shared secret followed by the Request Authenticator.  This
      value is XORed with the first 16 octet segment of the password and
      placed in the first 16 octets of the String field of the User-
      Password Attribute.

      If the password is longer than 16 characters, a second one-way MD5
      hash is calculated over a stream of octets consisting of the
      shared secret followed by the result of the first xor.  That hash
      is XORed with the second 16 octet segment of the password and
      placed in the second 16 octets of the String field of the User-
      Password Attribute.

      If necessary, this operation is repeated, with each xor result
      being used along with the shared secret to generate the next hash
      to xor the next segment of the password, to no more than 128
      characters.
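The section 5.2 procedure quoted above, written out as an added Python example (not code from the thread or from Cisco): `hide_user_password` is what the NAS (R1) does with the shared secret from `radius-server key`, and `reveal_user_password` is what the server does to get the password back. The secret `MyRadiusKey` is taken from the question; the 16-octet Request Authenticator value is a constructed sample.

```python
import hashlib

# Constructed sample values (not from the thread). The Request Authenticator
# is 16 octets chosen by the client per request and travels in cleartext
# in the Access-Request header; only the shared secret is never sent.
SAMPLE_SECRET = b"MyRadiusKey"
SAMPLE_REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 password hiding, as done by the NAS (R1).

    Null-pad to a multiple of 16 octets, then XOR each segment with
    MD5(secret || prev), where prev is the Request Authenticator for the
    first segment and the previous XOR result afterwards.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        hidden += c
        prev = c  # chain: the next hash covers this XOR result
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Undo the hiding, as the RADIUS server does.

    Anyone holding the shared secret and a capture of the packet can do
    the same, so the password's protection is exactly the secret's
    secrecy. Trailing nulls are taken to be padding.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("String field must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        segment = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(segment, b))
        prev = segment
    return bytes(plain).rstrip(b"\x00")
```

Nothing else in the Access-Request (User-Name, NAS-IP-Address, and so on) is transformed; the other attributes go over the wire in the clear, which is why RADIUS is normally run over a trusted management network or inside IPsec.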