topic Re: Cisco ACS 4.2 and Radius authentication? in Network Access Control

Cisco ACS 4.2 and Radius authentication?

f-persson — Mon, 11 Mar 2019 00:49:59 GMT

Hi,

I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?

Re: Cisco ACS 4.2 and Radius authentication?

marcohernandez — Wed, 16 Feb 2011 17:04:06 GMT

Hi F-Persson:

I think you are little confused.

The ACS uses RADIUS and TACACS+ to authenticate users and in general to do AAA.

I understand that your are integrating the ACS with a Window 2008 Server. This is called External Database (I guest this is what you call external raduis).

As I know, theres is no problem to use PAP or CHAP for Extenal Windows Authentication.

I recommend the following:

I am asuming you have already installed the Remote Agent. And you have configured the External Database configuration for Windows Authentication.

1. Check if you are able to read the Windows Groups from the ACS

2. When testing the users authenticatión, look into the Remote Agent logs for a specific "Windows Error" o integration error.

3. In System Configuration->Global Authentication Setup, verify what options you have checked in "MS-CHAP Configuration" section

Re: Cisco ACS 4.2 and Radius authentication?

f-persson — Wed, 16 Feb 2011 19:13:25 GMT

I'm using external database authentication, but not windows authentication, I've set up Radius Authentication. And there you cab only specify radius server etc, but not choose PAP/CHAP etc.. So I can se in my radiusserver that it uses PAP (unencrypted) and I dont want these accounts to travel unencrypted on my network. But how can I use CHAP instead of PAP when using a Radius server as external database?

Re: Cisco ACS 4.2 and Radius authentication?

Jatin Katyal — Thu, 17 Feb 2011 03:00:11 GMT

To access network devices for administrative purpose, we have only three methods available :

[1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted, and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.

[2] SSH : Which uses public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client

and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.

[3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .

Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.

And the most secure way to administer a device is to use SSH.

Rgds, Jatin

Do rate helpful post~