0

I get a warning when I try to configure RADIUS on a CISCO Switch 9300: Cisco IOSXE [Fuji], CAT9K_IOSXE), Version 16.9.2, RELEASE SOFTWARE (fc4)

Warning message once I add the Radius key:

WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type

I have service password-encryption enabled globally, which only does level 7, but I cannot find any documentation on whether it is possible to use Type 8 or 9 for the RADIUS key configuration, like I do for admin authentication, for example:

enable algorithm-type scrypt secret password
username admin privilege 15 algorithm-type scrypt secret password

Warning occurs after I add:

radius server RADIUS-SERVER
 address ipv4 IP auth-port 1812 acct-port 1813
 timeout 2
 retransmit 2
 key password

Thanks.

KCJ

2 Answers

0

It seems that the only encryption for the RADIUS key is either Type 0 (plain text) or 7 (encrypted).

I believe CISCO should remove this Warning message as it creates confusion.

KCJ
0

Cisco is doing this in another way: you should replace your service password-encryption with password encryption aes.

This will change all the non-encrypted passwords to type 6 (AES). If you keep your type 7 for RADIUS, it will not change for you! You need to enter them in clear text again!

I cannot see any head-to-head comparison between type 6 and type 9. I still THINK type 9 is better; I will keep type 9 on what they can provide (i.e. username and enable password).

Ryan Griggs
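An added example, not part of the original question or answers: a small Python check that reads a saved running-config and reports which stored type (0, 6 or 7) each `radius server` key uses, so keys left at type 0 or type 7 after a migration can be found and re-entered. The sample config, server names, addresses and key values are constructed placeholders, the function names are hypothetical, and the parser assumes sub-commands are indented as in `show running-config` output.

```python
import re

# Constructed sample (not from the original post): three server blocks, one per
# stored key form, merged into one config for illustration. Keys are placeholders.
SAMPLE_CONFIG = """\
radius server RADIUS-A
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ExamplePlainKey
!
radius server RADIUS-B
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key 7 0000PLACEHOLDER
!
radius server RADIUS-C
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key 6 PLACEHOLDERBLOB
!
"""

# "key <type> <value>" or "key <value>"; a lone digit with no value is the key itself.
KEY_RE = re.compile(r"^\s+key\s+(?:(0|6|7)\s+)?(\S+)\s*$")

def radius_key_types(config):
    """Map each 'radius server' name to its stored key type (None if no key line)."""
    servers, current = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():
            # Any unindented line ends the previous block and may start a new one.
            m = re.match(r"radius server (\S+)\s*$", line)
            current = m.group(1) if m else None
            if current is not None:
                servers[current] = None
            continue
        m = KEY_RE.match(line)
        if current and m:
            # No explicit type digit means the key is stored as type 0 (plain text).
            servers[current] = int(m.group(1) or 0)
    return servers

def weak_servers(config):
    """Names of servers whose key is stored as type 0 or type 7 rather than type 6."""
    return sorted(n for n, t in radius_key_types(config).items() if t in (0, 7))

if __name__ == "__main__":
    for name, ktype in radius_key_types(SAMPLE_CONFIG).items():
        print(name, "key type", ktype)
```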