10701 Views | 10 Helpful | 2 Replies

How do I encrypt a radius key in a switch/router configuration?

jdmatic (Level 1)

Hey y'all, new to this forum. Currently studying for my CCNA so I'm pretty green. Figured this would be a good spot to get definitive answers on current best practices.


My question is: I'm configuring RADIUS in some new switches we bought (Catalyst 2960X). The problem is that the key shows up in the config in plain text. I've tried adding 'radius-server key 7 password', but the command fails and it seems as though it wants me to key in an already encrypted password string?


Is the 'service password-encryption' command the only other way to encrypt that password? I was under the impression that this global command isn't strong encryption. Below is my current config...


no service password-encryption

aaa group server radius RADIUSGROUPNAME
server-private xxx.xxx.xxx.xxx key password
ip radius source-interface VlanXX
radius-server retransmit 1
radius-server timeout 1

Accepted Solution

You are right with your assumption. The password following the "7" is the obfuscated password that is enabled with "service password-encryption". And yes, it's more of a protection against shoulder-surfing and nothing more. But it's likely that your IOS has no further functionality to protect the key. On newer IOS versions there are encrypted passwords that can also protect the keys of AAA servers and (that was IMO implemented first) VPN pre-shared keys. These keys are of type "6".

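The accepted answer says type 7 is obfuscation rather than encryption, and the original question shows that the 'key 7' form of the command expects an already-encoded string rather than the plaintext. The Python below is an added example written for this page, not code from the thread or from Cisco: it implements the type 7 scheme (a two-digit seed followed by the plaintext XORed against a fixed, publicly known key stream), recovers the secrets from a config, and produces the string that 'key 7' / 'password 7' accept. The sample config, the secret 'R4dius-Sh4red-Key' and the address 192.0.2.10 are constructed for the example and are not the poster's values; the encoder's restriction of the seed to 0..15 is an assumption about the range IOS itself generates, while the decoder accepts any two-digit offset.

```python
import re

# Public, hard-coded XOR key stream used by IOS "type 7" (service password-encryption).
# Because this constant is fixed and widely known, type 7 hides a secret from a
# glance at the screen but not from anyone who can read the config file.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches the '... key 7 <hex>' and '... password 7 <hex>' forms found in IOS configs.
TYPE7_LINE = re.compile(r"\b(?:key|password)\s+7\s+([0-9A-Fa-f]+)\s*$")


def decode_type7(encoded: str) -> str:
    """Recover the plaintext behind a type 7 string such as '094F471A1A0A'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of digits, at least 4")
    seed = int(encoded[:2], 10)        # first two decimal digits: offset into TYPE7_KEY
    body = bytes.fromhex(encoded[2:])  # remaining hex pairs: plaintext XOR key stream
    return "".join(
        chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body)
    )


def encode_type7(plain: str, seed: int = 9) -> str:
    """Build the string IOS expects after 'key 7' / 'password 7'.

    Assumption: IOS itself picks a seed in 0..15, so the encoder enforces that
    range; the decoder above accepts any offset that fits in two digits.
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    if not plain.isascii():
        raise ValueError("type 7 only covers ASCII secrets")
    stream = bytes(
        ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(plain)
    )
    return f"{seed:02d}{stream.hex().upper()}"


def reveal_type7_secrets(config: str) -> dict[str, str]:
    """Map every type 7 line in a config to its recovered plaintext."""
    found = {}
    for raw in config.splitlines():
        line = raw.strip()
        match = TYPE7_LINE.search(line)
        if match:
            found[line] = decode_type7(match.group(1))
    return found


# Constructed sample secret and config (not the poster's real values), modelled on
# the original post's RADIUS group after 'service password-encryption' is enabled.
RADIUS_SECRET = "R4dius-Sh4red-Key"
SAMPLE_CONFIG = "\n".join([
    "service password-encryption",
    "username admin password 7 094F471A1A0A",  # well-known test vector: 'cisco'
    "aaa group server radius RADIUSGROUPNAME",
    f" server-private 192.0.2.10 key 7 {encode_type7(RADIUS_SECRET, seed=3)}",
    "ip radius source-interface Vlan10",
    "radius-server retransmit 1",
    "radius-server timeout 1",
])


if __name__ == "__main__":
    # Every type 7 secret in the config falls out in one pass, no password guessing needed.
    for line, secret in reveal_type7_secrets(SAMPLE_CONFIG).items():
        print(f"{line!r:60} -> {secret!r}")
```

Pasting the output of encode_type7 after 'key 7' makes the command accept it, but as the decoder shows, that buys nothing beyond shoulder-surfing protection: anyone with the config has the RADIUS shared secret. Treat a type 7 config as if it contained the plaintext (restrict who can read backups and version-control copies, and rotate the RADIUS secret if a config leaks). On IOS images that support type 6, the reversible AES protection is enabled with 'key config-key password-encrypt <master key>' followed by 'password encryption aes'; where the platform offers neither, as the poster reports for this 2960X image, protecting the config file itself is the only option.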

2 Replies


I'm currently on 15.2 and yes it doesn't appear as though 6 is even an option. Good to know, thank you for your help.