Encrypt the radius server key

I was quite surprised to find out that the radius shared secret key is stored in plain text in the config.

Can we encrypt it just like we do with user accounts? i.e. encrypted-password
It's a secret, not a public key.

The user account passwords aren't really encrypted but rather salted hashes.

This means that what's stored and compared against is the resulting hash.

This is not really possible with radius, which means that you must store the "secret passphrase" encrypted in VyOS rather than as a salted hash (unless you store it in cleartext as it is today).

And when it gets encrypted in VyOS (since VyOS must be able to decrypt it before sending it to the radius server or using it as salt on data sent to the radius server), this means that any admin can also reverse this, since the key used to encrypt this part of the config will be available to the admin.

It will also be somewhat tricky to deal with backup and restore into a new device.

So in short - don't let others read your configs. And if you have to, then let the configs pass through some cleaning first, such as:

show config commands | strip-private

When it comes to communicating with the radius server the following best practices (among others) should be applied:

  • Radius server is only available through the mgmt-network.
  • Radius server uses ACL to define which hosts are able to send and receive data from it.
  • Use unique (one per host) user/pass to auth against the radius server for the radius traffic. This way if one host is compromised just that user/pass combo needs to be replaced.
  • Use TLS encrypted communication with the radius server (radius over TLS) if possible.
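
As an added example (not code from this thread or from VyOS) of why the shared secret has to be recoverable on the client, here is the RFC 2865 User-Password hiding scheme in Python: the secret is fed into MD5 together with per-packet data, so a salted hash of it, as used for user accounts, could not replace it on either side. The secret and request authenticator values are constructed samples.

```python
import hashlib


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Obfuscate User-Password as RFC 2865 section 5.2 does (client side):
    b1 = MD5(S + RA), c1 = p1 XOR b1; b_i = MD5(S + c_{i-1}), c_i = p_i XOR b_i.
    The shared secret S goes into MD5 with per-packet data every time, so the
    client must hold S itself; a salted hash of S cannot stand in for it.
    """
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    # Pad with NULs up to a multiple of 16 bytes.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk  # the next key block chains on the *ciphertext* chunk
    return bytes(out)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Undo hide_password (server side). Needs the same plaintext S."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def demo() -> tuple:
    """Round trip with the real secret, then with only a hash of the secret."""
    secret = b"constructed-shared-secret"  # constructed sample value
    ra = bytes(range(16))  # constructed; real clients use 16 random bytes
    hidden = hide_password(secret, ra, b"correct horse battery")
    with_secret = reveal_password(secret, ra, hidden)
    # A server that only stored SHA-256(S), the way user passwords are stored,
    # cannot rebuild the MD5 key stream and gets garbage back.
    with_hash = reveal_password(hashlib.sha256(secret).digest(), ra, hidden)
    return with_secret, with_hash


if __name__ == "__main__":
    print(demo())
```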

Arista does hash/salt radius secrets: EOS 4.31.1F - User Security - Arista
So does JunOS: RADIUS Authentication | Junos OS | Juniper Networks

And IOS etc etc

So I guess the best practice is to store it encrypted. Could you make this possible in VyOS?

You should create a feature request on https://vyos.dev/