John Baker <[EMAIL PROTECTED]> writes:

>  I'm certain was using the right command. The number 7 in the line tells 
> the router that a hidden key will follow.
>
> coltrane(config)#radius-server key ?
>   0     Specifies an UNENCRYPTED key will follow
>   7     Specifies HIDDEN key will follow
>   LINE  The UNENCRYPTED (cleartext) shared key
>
> Now at this point I actually got it to work. It turned out that in 
> trying to copy the extremely long number from the old config there was 
> an error.
>
> But I still don't know exactly what it is doing so I'm hoping somebody 
> can explain because I may want to change the key at some point.
>
> On the router end the key is configured with radius-server key 7 
> "54-character-key"
>
> On the radius server in clients.conf this client's secret = 
> "totally-different-26-character-key"
>
> Initially I thought that one side or the other would be like /etc/shadow 
> passwords or the garbled string you see looking at a enable secret 
> password in the cisco conf. That would account for them appearing 
> totally different. But just copying the old configuration straight works 
> so I guess not.

The Cisco type 7 "encryption" is just a local obfuscation of the
password to avoid accidental reading-over-the-shoulder. It is
"decrypted" by the router before it is used, so in fact both ends have
access to the same clear text password.

Please read http://www.cisco.com/warp/public/701/64.html if you think
this provides any security of any sort.



Bjørn

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to