Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
597
Views
0
Helpful
1
Replies

Alternatives to PAP for Radius auth on IOS XE devices?

J P
Level 1
Level 1

‎12-04-2015 09:57 PM - edited ‎03-10-2019 11:17 PM

I'm using Microsoft NPS on Windows 2012 to do Radius authentication and authorization for Cisco 3650 switches.  I'm wondering if it's possible configure anything better than PAP back to NPS for SSH/console sessions.  I've seen documentation for CHAP/CHAPv2 for PPP sessions, but I didn't think that applied to infrastructure logon.

Thanks for your time,

Jeremy 

Labels:
0 Helpful
1 Reply 1

Nadav
Level 7
Level 7

‎12-06-2015 01:50 AM

Radius either authenticates with PAP by asking for a username and password, or CHAP for a message challenge. Cisco opts for username and password and not CHAP for login.  I wouldn't rely on the security of CHAP to be honest, it's probably far weaker than you may think.

Your best bet is to implement TACACS, it is far more secure and refined. There are free and commercial implementations. 

0 Helpful
Customers Also Viewed These Support Documents