You and your VPN partner will use two separate passwords to create a unique 64-byte shared secret with the help of a cryptographic hash generator. Regardless of the length of each password, the generated Shared Secret will always be 64 bytes.
1) Create a list of at least 10 randomly generated passwords. These passwords should be at least 64 characters long. Email the password list to your VPN partner, but do NOT include these instructions, this website address, or anything else in the email that reveals the process that is about to be used.
2) Over the phone, give your VPN partner this website address and have them pick one of the passwords from the list you emailed to them. Both of you will copy and paste the selected password into the Password 1 box.
3) Give your VPN partner a simple shorter password. I suggest a 16-digit numeric string as this would be easy to share over the phone with a reduced chance of mistakes. Both of you will enter this shorter password in the Password 2 box.
Alternate Method: Both parties use a random password generator to create a list of 10 or more long passwords and email them to each other. On the phone, decide which password from one of the lists to use as Password 1 and which password from the other list for Password 2.
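The three steps above (a list of long emailed passwords, one chosen by phone, plus a short phone-shared password) never say which hash is used, only that the result is always 64 bytes. The following is an added example, not the page's own generator: it assumes HMAC-SHA512 (SHA-512 yields 64 bytes for any input length, and keying the HMAC with Password 2 keeps the two inputs unambiguously separate, unlike plain concatenation). The function names, the alphabet and the walk-through values are all chosen here.

```python
import hashlib
import hmac
import secrets
import string

# Alphabet for the long, emailed passwords (Password 1 candidates).
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def generate_password_list(count: int = 10, length: int = 64) -> list:
    """Step 1: a list of random passwords, each `length` characters long."""
    return ["".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
            for _ in range(count)]


def generate_phone_password(digits: int = 16) -> str:
    """Step 3: a short numeric string that is easy to read out over the phone."""
    return "".join(secrets.choice(string.digits) for _ in range(digits))


def derive_shared_secret(password1: str, password2: str) -> bytes:
    """Combine both passwords into a fixed 64-byte secret.

    Assumed construction (the page does not name its hash): HMAC-SHA512
    keyed with Password 2 over Password 1. The output is 64 bytes regardless
    of how long either password is.
    """
    return hmac.new(password2.encode("utf-8"),
                    password1.encode("utf-8"),
                    hashlib.sha512).digest()


def shared_secret_hex(password1: str, password2: str) -> str:
    """Hex form of the secret (128 characters), convenient for a VPN config."""
    return derive_shared_secret(password1, password2).hex()


def secrets_match(mine: bytes, partners: bytes) -> bool:
    """Constant-time comparison if both sides want to confirm they agree."""
    return hmac.compare_digest(mine, partners)


if __name__ == "__main__":
    # Constructed walk-through: both parties pick the same entries.
    candidates = generate_password_list()
    password1 = candidates[3]              # chosen together on the phone
    password2 = generate_phone_password()  # read out on the phone
    print(len(derive_shared_secret(password1, password2)), "bytes")
    print(shared_secret_hex(password1, password2))
```

Both parties run the same function with the same two inputs and obtain the same 64 bytes; swapping the order of the passwords or changing a single digit of Password 2 produces an unrelated secret, which is why the choice of which box each password goes into has to be agreed on the call.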
I'm not trying to break into anything; I'm trying to generate the appropriate "enable secret" line given a clear text password, not decode an existing "enable secret" line with a hashed password. I need this for an automated config-file generator that I'm working on (Netomata Config Generator).
I want code that translates "foobar" to "5 $1$pdQG$0WzLBXV98voWIUEdIiLm11", so that I can generate the already-hashed passwords in my config-generation tool, rather than putting cleartext passwords in the generated configs and waiting for the router to generate the hash.
I presume that the "5" in the hashed result is some sort of hash algorithm identifier. If there are other hash algorithms that Cisco currently or has historically used, then I'd like to have the code for those algorithms as well.
I'm not sure if IOS requires you to use specific salt values, but technically there is no reason why it should as long as the string you provide in your 'enable secret' command is a valid MD5 password digest. If you have the opportunity to test, I'd be interested to know your results.
5 I believe refers to the fact that it's type 5, which uses MD5, which means you are going to need 300 PlayStation 3s. Type 7 is easily cracked and they even have scripts on websites for it. This might be better asked on Stack Overflow.
'5' means that the clear password has been converted to Cisco password type 5. Type 5 password is an MD5-based algorithm (but I can't tell you how to compute it, sorry). Type 7, which is used when you do an "enable password", is a well-known reversible algorithm. "service password-encryption" just ensures that passwords will not be stored in clear (type 0).
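The question above asks for code that turns a clear-text password into the `5 $1$...` form. Cisco type 5 is the standard md5crypt scheme, the same `$1$` format that `openssl passwd -1 -salt pdQG foobar` produces, so it can be reproduced without the router. What follows is an added Python example, not code from the thread or from the Netomata tool: it implements md5crypt, renders the line, and verifies a candidate against a stored hash; `random_salt`, `enable_secret_line` and `verify_type5` are names chosen here, and the 4-character salt length mirrors what the router produced in the question.

```python
import hashlib
import secrets

# The crypt(3)-style alphabet used by md5crypt (not RFC 4648 base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """md5crypt ($1$), the algorithm behind Cisco IOS type 5 secrets."""
    pw = password.encode("utf-8")
    salt = salt[:8]                      # md5crypt uses at most 8 salt chars
    sb = salt.encode("utf-8")

    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    plen = len(pw)
    while plen > 0:                      # as many bytes of alt as pw is long
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    plen = len(pw)
    while plen > 0:                      # one byte per bit of len(pw)
        ctx.update(b"\x00" if plen & 1 else pw[:1])
        plen >>= 1
    final = ctx.digest()

    for i in range(1000):                # fixed 1000-round stretching loop
        h = hashlib.md5()
        h.update(pw if i & 1 else final)
        if i % 3:
            h.update(sb)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()

    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return MAGIC + salt + "$" + enc


def random_salt(length: int = 4) -> str:
    """IOS-style 4-character salt drawn from the md5crypt alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def enable_secret_line(password: str, salt: str = None) -> str:
    """Render the pre-hashed 'enable secret 5 ...' line for a generated config."""
    return "enable secret 5 " + md5crypt(password, salt or random_salt())


def verify_type5(password: str, stored: str) -> bool:
    """Check a candidate password against a stored type 5 hash (reuses its salt)."""
    if not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split("$", 1)[0]
    return secrets.compare_digest(md5crypt(password, salt), stored)


if __name__ == "__main__":
    print(enable_secret_line("foobar", "pdQG"))
    # expected: enable secret 5 $1$pdQG$0WzLBXV98voWIUEdIiLm11
```

As the answer above suspects, IOS does not need a particular salt: any salt from the alphabet works as long as the `$1$salt$hash` string is a valid md5crypt digest, so a generator can pick a fresh random salt per device. The 1000-round MD5 loop is the reason the thread talks about cracking cost; it is fixed by the format and cannot be raised, which is why later Cisco password types exist.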
The Vault enables users to log on via Remote Authentication Dial-In User Service (RADIUS) authentication, using logon credentials that are stored in the RADIUS server. The Vault also supports RADIUS challenge-response authentication, where the server sends back a challenge prompting the user for more logon information, such as additional authentication information contained on external tokens.
To configure the RADIUS authentication, you need to prepare by collecting the required information, then configure an organization SSL certificate for the Vault server. After you configure the certificate, you need to place the RADIUS secret in a Safe.
You can specify the full path of the file that will contain the encrypted secret, and the secret itself. This file may be in DAT, INI, or TXT format. The following example will encrypt the secret RADIUS/Vault password, which is VaultSecret, and store it in a file called radiusauth.dat in the current folder.
DNS names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names. For more information, see the Microsoft support topic.
In the above example, the IP address of the RADIUS server is 1.1.1.250, and its port is 1812. The name of the RADIUS client (Vault machine as entered in the RADIUS server) is vaulthostname, and the name of the file that contains the secret password is radiusauth.dat. The file is stored in the current folder, and therefore the full path is not specified.
At startup, the Vault tries to connect using the first address that is configured in the list. If there is a failure, the Vault tries the next address in the list until it successfully connects. If the Vault reaches the end of the list, it goes back to the beginning of the list. When the Vault successfully connects, it tries to connect to the RADIUS server that was used in the last connection.
In the active firewall I have the same radius server configured with two different secret keys (one for active and one for passive). On my radius server I have two clients. One is the active firewall and the other for the passive.
Hi there... The passive firewall should authenticate to RADIUS just like the active firewall. Have you tried swapping the 2 RADIUS clients such that the passive firewall will authenticate to the active client, and active firewall --> passive client? Also, you may want to check the secret key for typos. Thanks.
Traditionally Cisco has used several different methods for storing passwords and keys in IOS. The older methods are Type 5 (MD5 hash) and Type 7 (Vigenere obfuscation). Type 7 obfuscation is enabled with the service password-encryption command in the CLI.
The super-secret-password you used as the master key is what protects every Type 6 key on the device, so store it somewhere offline: in KeePass, 1Password, or the password vault of your choice. Ideally each device you configure Type 6 on will have a unique key.
But have you any idea how to change the password type to 6 on a Cat 2960X switch, especially the keys in the RADIUS and TACACS section? Because it's working for the username password but not for the RADIUS and TACACS key... I have to remove the keys in the section and create a new key 6 entry with the hash I got from a working 9XXX switch. But I don't think this is the correct way to do it, right?
No, I don't think the way you are doing it with the 2960 is the way to do it. I'm actually a little surprised it is converting your username password combo. I just tried the same with a 3750X with IOS 15.2(4)E7 and nothing was converted, not the username password and not the RADIUS or TACACS keys.
Do you have any idea why your instructions do not work on a C1000-8P-E-2G-L with 15.2(7)E6? The switch does not know the command "password encryption aes" nor "key config-key password-encrypt" in config mode.
I'm wanting to convert all my type 7 passwords right now and trying to figure out the best way to go about this. I want to use type 8 or 9 for my local "username" passwords and type 6 for my RADIUS shared keys (as type 8/9 is not available for RADIUS shared keys). Is it possible to use both in the same switch config?
If you can use both, and I've already converted my "username" command passwords to type 8 or 9, will entering the "password encryption aes" and "key config-key password-encrypt super-secret-password" commands convert those username passwords to type 6, or will it continue to use type 8/9 for "username" and only convert the RADIUS shared keys to type 6?
You may have already answered this in the Q&A in your post (pasted below), but I just wanted to confirm what to expect. Sounds like it should keep the local "username" passwords as 8 or 9 and only convert my RADIUS server keys?
Type 8 is a HASH - which cannot be reversed back to the original plain-text and therefore cannot be used for something like radius. Type 8 is suitable for a user secret where the stored hash gets compared to the hash of what a user enters.
IOS converts it to type 6 in config but then reads it as type 7 so it breaks service. The workaround is to explicitly configure it with type 7 *after* you have enabled AES encryption and then it keeps working because IOS doesn't convert it.
@toormehdi ...
> Does this master key needs to be on the target box prior to pasting in or could it be entered after ? Trying to understand the order of operations.
- Yes the encrypted format can be copied and will work as long as and when the same master key is used. It can be entered before or after.
> Could there be a situation where a pasted config with encrypted password ends up getting encrypted twice ? Assume a newer or different router model or higher IOS version ?
- No, IOS will not re-encrypt a key/password already in type 6.
> Is there a way to decrypt the keys/password with the master key. Is there a tool on or off box ?
- Not that I know of although it would be theoretically possible if you had the Cisco algorithm and the key.
> Also noticed on IOS XE some keys we created for PSKs just go in literally without getting encrypted even though AES password encryption is turned on? What could be the reason for such behaviour?
- AES encryption started with things like VPN keys and has gradually been extended to other passwords and keys in newer IOS versions. You still need "service password-encryption" for everything else.
While there are several RADIUS server packages out there, FreeRADIUS is one of the most popular choices on Linux. Since it has a PAM module, it is also well suited to integrating with the Google Authenticator PAM module. If you want to know more about FreeRADIUS, you might want to check this book out. I have not read it, so read through the reviews to see if it will work for your needs.
Installing FreeRADIUS and Google Authenticator on Ubuntu 16.04 is very easy; all we need is a one-line package install command. I added the NTP package here since my Google Authenticator configuration is TOTP based, which depends on accurate time. If Ubuntu was installed properly and the system is already syncing its clock correctly, there may be no need for it.