https://community.cisco.com/t5/network-access-control/authentication-configuration/m-p/682140#M422703 <HTML><HEAD></HEAD><BODY><P>ah, you didnt mention TACACS.</P><P></P><P>Sounds like you need to config the device to do CHAP or MSCHAP. Its either doing SENDPASS or plain old ASCII.</P></BODY></HTML> Tue, 10 Oct 2006 19:25:37 GMT darpotter 2006-10-10T19:25:37Z https://community.cisco.com/t5/network-access-control/authentication-configuration/m-p/682137#M422697 <P>Hello all,</P><P></P><P>We are a recent addition to the ACS 4.0 crowd and had a concern about router/switch user authentication using AAA and ACS with an external database.</P><P></P><P>We have several routers and switches working just fine with ACS using an external database (Windows AD). I also have EAP-PEAP and MSCHAP (V1 &amp; 2) enabled in the Global Policy. However, we seem to be able to clear text sniff user IDs and Passwords. This appears to be the exchange between the router/switch and the ACS box. What have I misconfigured or not configured correctly? I do have a correct and difficult authentication password for the tacacs key and the Network Device. </P><P></P><P>As of now, we are running this on a limitied number of network devices as we figure it all out and get it running as desired. So deployment has not left us vulnerable. </P><P></P><P>Any assistance will be very welcomed.</P><P></P><P>I rate posts!</P> Sun, 10 Mar 2019 21:47:12 GMT https://community.cisco.com/t5/network-access-control/authentication-configuration/m-p/682137#M422697 jphilope 2019-03-10T21:47:12Z https://community.cisco.com/t5/network-access-control/authentication-configuration/m-p/682138#M422699 <HTML><HEAD></HEAD><BODY><P></P><P>Are you sure?</P><P></P><P>RADIUS never sends passwords in the clear. Even if you had PAP authentication the password is masked with the shared secret.</P><P></P><P>If you use a sniffer that knows RADIUS you will see password attributes... however their content will not be plain text.</P><P></P><P>Unless your device is doing something mental!</P><P></P><P>Darran</P></BODY></HTML> Tue, 10 Oct 2006 15:52:45 GMT https://community.cisco.com/t5/network-access-control/authentication-configuration/m-p/682138#M422699 darpotter 2006-10-10T15:52:45Z https://community.cisco.com/t5/network-access-control/authentication-configuration/m-p/682139#M422701 <HTML><HEAD></HEAD><BODY><P>Sniffer does not know RADIUS, but we are using TACACS for AAA. </P><P></P><P>I was under the impression the shared secret between the client (Cisco IOS router/switch) and the ACS would have been used to hash the authentication exchange. However, the sniffer traces show this to be untrue...</P></BODY></HTML> Tue, 10 Oct 2006 16:52:31 GMT https://community.cisco.com/t5/network-access-control/authentication-configuration/m-p/682139#M422701 jphilope 2006-10-10T16:52:31Z https://community.cisco.com/t5/network-access-control/authentication-configuration/m-p/682140#M422703 <HTML><HEAD></HEAD><BODY><P>ah, you didnt mention TACACS.</P><P></P><P>Sounds like you need to config the device to do CHAP or MSCHAP. Its either doing SENDPASS or plain old ASCII.</P></BODY></HTML> Tue, 10 Oct 2006 19:25:37 GMT https://community.cisco.com/t5/network-access-control/authentication-configuration/m-p/682140#M422703 darpotter 2006-10-10T19:25:37Z