https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834086#M330107 <HTML><HEAD></HEAD><BODY><P>Hi Carlos</P><P></P><P>Thanks for that. I suspected this was the case but I wasn't sure.</P><P></P><P>I assume that if I were to configure an ASA/PIX for RADIUS authentication from remote VPN clients I could configure this for CHAP?</P><P></P><P>Thanks again.</P><P></P><P>John</P></BODY></HTML> Tue, 24 Jan 2012 19:02:24 GMT marraboytear 2012-01-24T19:02:24Z https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834082#M329808 <P>Hi</P><P></P><P>I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group radius</P><P>aaa authentication ppp default group radius</P><P></P><P>radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey</P><P></P><P>When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.</P><P></P><P>How can I configure the router to send it's inial AccessRequest packet using CHAP?</P><P></P><P>Apologies if this has already been discussed, I have searched high and low for an answer.</P><P></P><P>Thanks in advance.</P><P></P><P>John</P> Mon, 11 Mar 2019 01:44:58 GMT https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834082#M329808 marraboytear 2019-03-11T01:44:58Z https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834083#M329896 <HTML><HEAD></HEAD><BODY><P>Hello John,</P><P></P><P>Recently I commented on a similar request for ASA:</P><P></P><P><A class="jive-link-external-small" href="https://community.cisco.com/message/3536900#3536900">https://supportforums.cisco.com/message/3536900#3536900</A></P><P></P><P>Please review the above as it applies for IOS Management Authentication as well.</P><P></P><P>If this helps please rate.</P><P></P><P>Best Regards.</P></BODY></HTML> Mon, 23 Jan 2012 23:46:25 GMT https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834083#M329896 camejia 2012-01-23T23:46:25Z https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834084#M329958 <HTML><HEAD></HEAD><BODY><P>Hi Carlos</P><P></P><P>Thanks for your response. I understand what it says in the RFC:</P><P></P><PRE style="border-collapse: collapse; font-size: 1.2em; list-style-type: none; display: block; overflow-x: auto; overflow-y: auto; width: auto; white-space: pre;">The NAS then sends an Access-Request &nbsp;&nbsp; packet to the RADIUS server with the CHAP username as the User-Name &nbsp;&nbsp; and with the CHAP ID and CHAP response as the CHAP-Password &nbsp;&nbsp; (Attribute 3).</PRE><P></P><P>But, by default the NAS (in this case the Cisco 877 router) is sending a RADIUS packet with a PAP encoded password by default. As the NAS initiates the AccessRequest I need to configure it to send the correct attributes for the CHAP challenge. This is configured on the RADIUS server so it knows the NAS is going to send CHAP but the NAS initiates the request and I guess needs to be configured to do so.</P><P></P><P>Is this possible on a Cisco 877? How?</P><P></P><P>Thanks</P><P></P><P>John</P></BODY></HTML> Tue, 24 Jan 2012 10:02:19 GMT https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834084#M329958 marraboytear 2012-01-24T10:02:19Z https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834085#M330010 <HTML><HEAD></HEAD><BODY><P>Hello John,</P><P></P><P>PPP connection do support CHAP as there is a configuration command to enable CHAP as the challenge-response protocol. However, Console, VTY and AUX connections will always go over PAP when using RADIUS authentication. There is no such command to enable CHAP for those type of connections.</P><P></P><P>Best Regards.</P></BODY></HTML> Tue, 24 Jan 2012 16:11:17 GMT https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834085#M330010 camejia 2012-01-24T16:11:17Z https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834086#M330107 <HTML><HEAD></HEAD><BODY><P>Hi Carlos</P><P></P><P>Thanks for that. I suspected this was the case but I wasn't sure.</P><P></P><P>I assume that if I were to configure an ASA/PIX for RADIUS authentication from remote VPN clients I could configure this for CHAP?</P><P></P><P>Thanks again.</P><P></P><P>John</P></BODY></HTML> Tue, 24 Jan 2012 19:02:24 GMT https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834086#M330107 marraboytear 2012-01-24T19:02:24Z https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834087#M330199 <HTML><HEAD></HEAD><BODY><P>Hello John,</P><P></P><P>If you enable the command "password-management" under the ASA Tunnel Group configuration the ASA should use MSCHAPv2.</P><P></P><P>I am glad that I was able to help you.</P><P></P><P>Best Regards.</P></BODY></HTML> Tue, 24 Jan 2012 19:20:30 GMT https://community.cisco.com/t5/network-access-control/using-chap-with-radius-authentication/m-p/1834087#M330199 camejia 2012-01-24T19:20:30Z