https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/3914797#M38721 <P>Hi Clark,</P><P>&nbsp;</P><P>I added a comment on this post about your question =&gt; <A href="https://community.cisco.com/t5/routing/does-cisco-support-strong-remote-network-authentication/m-p/2767297/highlight/false#M257295" target="_blank">https://community.cisco.com/t5/routing/does-cisco-support-strong-remote-network-authentication/m-p/2767297/highlight/false#M257295</A></P><P>I think I reply to your answer.</P><P>&nbsp;</P><P>Regards.</P> Tue, 27 Aug 2019 15:52:58 GMT jeremytetart 2019-08-27T15:52:58Z https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988903#M38716 <P>Dears,</P> <P>when&nbsp;I do&nbsp;ssh&nbsp;&nbsp;to switches the authentication protocol and in authentication details in the attached snapshot&nbsp;I see the protocol as a PAP_ASCII which is been used.</P> <P>As I know the PAP is clear text password authentication protocol, so how I can justify to anybody the connection to my switch is secure.</P> Mon, 11 Mar 2019 07:00:00 GMT https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988903#M38716 clark white 2019-03-11T07:00:00Z https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988904#M38717 <P>Enabling PAP as an authentication protocol with Radius+ means that <STRONG>user passwords are sent from a client to a NAS in plaintext form.</STRONG> The NAS ( switch / Router / WLC / ASA etc) encrypts the user's password using the shared secret and sends it in an Access-Request packet. </P> <P>RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>...so yes it's less secure when we compare against TACACS because TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.</P> <P>https://technet.microsoft.com/en-us/library/cc958013.aspx</P> <P></P> <P>Rgds,</P> <P>Jatin</P> <P><EM>~ Do rate helpful posts.</EM></P> Tue, 16 Aug 2016 16:45:25 GMT https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988904#M38717 Jatin Katyal 2016-08-16T16:45:25Z https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988905#M38718 <P>Dear Jatin,</P> <P>thanks for the reply, In such situation how I can avoid PAP, whenever I do ssh or telnet the connection details shows me PAP_ASCII protocol if I don't allow PAP the connection will not be established.??</P> <P>thanks</P> Tue, 16 Aug 2016 19:53:32 GMT https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988905#M38718 clark white 2016-08-16T19:53:32Z https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988906#M38719 <P>So the only way to access the managed device securely is to use SSH and avoid TELNET. from NAS to AAA server ( Radius), your password is anyway encrypted.</P> <P>You may want to read the detailed discussion here:</P> <P>https://supportforums.cisco.com/discussion/12668396/does-cisco-support-strong-remote-network-authentication-protocols</P> <P></P> <P>Rgds,</P> <P>Jatin</P> <P>~ Do rate helpful posts.</P> Tue, 16 Aug 2016 20:05:27 GMT https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988906#M38719 Jatin Katyal 2016-08-16T20:05:27Z https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988907#M38720 <P>+5 to you expert</P> Tue, 16 Aug 2016 20:24:22 GMT https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/2988907#M38720 clark white 2016-08-16T20:24:22Z https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/3914797#M38721 <P>Hi Clark,</P><P>&nbsp;</P><P>I added a comment on this post about your question =&gt; <A href="https://community.cisco.com/t5/routing/does-cisco-support-strong-remote-network-authentication/m-p/2767297/highlight/false#M257295" target="_blank">https://community.cisco.com/t5/routing/does-cisco-support-strong-remote-network-authentication/m-p/2767297/highlight/false#M257295</A></P><P>I think I reply to your answer.</P><P>&nbsp;</P><P>Regards.</P> Tue, 27 Aug 2019 15:52:58 GMT https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/3914797#M38721 jeremytetart 2019-08-27T15:52:58Z https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/5299604#M596784 <P>Hi As I understood. PAP_ASCII is plain text but when you use from your laptop SSH then all traffic is encrytped and PAP_ASCII not used.&nbsp;Then between NAS and ISE PAP ASCII is running and it's encrypted by TACACS+.</P> Mon, 16 Jun 2025 13:16:59 GMT https://community.cisco.com/t5/network-access-control/pap-authentication-protocol/m-p/5299604#M596784 pafcio84 2025-06-16T13:16:59Z