Radius-server Host Configuration C3825

10-09-2014 02:58 PM - edited 03-04-2019 11:56 PM
Hi,
I'm changing radius configurations in a Cisco 3825 router.
The current configuration reads
!
radius-server host X.X.X.X key 7 [LONG STRING WITH ENCRYPTED KEY]
!
I'm changing both the host and the key (this ties to a PhoneFactor two-factor authentication agent, but that's not relevant here).
Based on the documentation here http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrad.html#wp1000937, the command should look something like:
Router(config)#radius-server host x.x.x.x
Router(config)# radius-server key {0 string | 7 string | string}
I'm issuing
radius-server host x.x.x.x key 7 PASSWORD-STRING
and I get an error message for %Invalid encrypted key: PASSWORD-STRING
Am I supposed to enter an already encrypted key? And if so, how am I encrypting it so the router can decrypt it and pass it to the RADIUS server on the other end?
Otherwise, what am I doing wrong?
Thank you
10-09-2014 03:41 PM
You're correct. If you use "radius-server host x.x.x.x key 7 PASSWORD-STRING" the router will expect an already-encrypted string to follow.
If your router has "service password-encryption" in its configuration, it will automatically generate the encrypted configuration line when you enter it in an unencrypted format. Just enter the unencrypted password string using the following command format:
radius-server host x.x.x.x key 0 PASSWORD-STRING
When you check the configuration afterwards, you'll see that the version in the running configuration is encrypted.
10-10-2014 07:08 AM
Ok. Thanks for the answer.
service password-encryption is enabled, so the RADIUS shared secret now shows encrypted. Apparently the radius-server command will be deprecated and replaced with radius server.
10-10-2014 07:18 AM
True... but the new format isn't much different.
radius server RADIUS_AD
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 0 radius-key
The same rule applies for the 0 (unencrypted) and 7 (encrypted) options on the key statement.
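Added example, not part of the thread and not Cisco code: a small Python check that reads a saved configuration and reports, for each RADIUS key statement in either command format, whether the key is a well-formed type 7 string, a malformed one (the case that produced "%Invalid encrypted key"), or a plain-text entry. The type 7 shape used here (two decimal digits followed by hex byte pairs), the function name and the sample configuration are assumptions made for the example.

```python
import re

# Assumption (not stated in the thread): a type 7 value is a two-digit decimal
# offset followed by one or more hex byte pairs.
TYPE7_RE = re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+")
# Key clause at the end of a line: "key 0 STRING", "key 7 STRING" or "key STRING".
KEY_RE = re.compile(r"(?:^|\s)key(?:\s+([07]))?\s+(\S+)\s*$")

def audit_radius_keys(config_text):
    """Return (line_number, verdict, line) for every RADIUS key statement."""
    findings = []
    in_block = False  # True while inside a "radius server NAME" block
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        if line.startswith("radius server "):
            in_block = True
        elif line and not line[0].isspace():
            in_block = False  # any other unindented line ends the block
        if not (line.startswith("radius-server ") or in_block):
            continue  # ignore key statements of other features
        match = KEY_RE.search(line)
        if not match:
            continue
        key_type, value = match.groups()
        if key_type == "7":
            ok = TYPE7_RE.fullmatch(value) is not None
            verdict = "type7-ok" if ok else "type7-malformed"
        else:
            # "key 0 STRING" or bare "key STRING": stays readable in the config
            # unless service password-encryption rewrites it as type 7.
            verdict = "plaintext"
        findings.append((number, verdict, line.strip()))
    return findings

# Constructed sample configuration (addresses and keys are made up).
SAMPLE = """\
service password-encryption
radius-server host 192.0.2.10 key 7 PASSWORD-STRING
radius-server host 192.0.2.11 key 7 0822455D0A16
radius-server host 192.0.2.12 key 0 PASSWORD-STRING
tacacs-server host 192.0.2.20 key 7 PASSWORD-STRING
radius server RADIUS_AD
 address ipv4 192.0.2.13 auth-port 1812 acct-port 1813
 key radius-key
!
"""

if __name__ == "__main__":
    for number, verdict, line in audit_radius_keys(SAMPLE):
        print(f"line {number}: {verdict:16} {line}")
```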
