Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
521
Views
10
Helpful
3
Replies

authentication between the ACS and AD

Go to solution
sidcracker
Level 1
Level 1

‎01-31-2011 04:43 AM - edited ‎03-10-2019 05:46 PM

Hello,

I would like to know the kind of authentication mechanism ACS 5.1 uses to talk with the Active Directory. Does it use MSCHAP or MSCHAPv2 or just plain PAP. By default it uses PAP to speak between the Cisco IOS and the ACS on the 5.1.

If you llook at the default device admin tab and click on allowed protocols ---> it mentions PAP.

DOes it use a secure means of transport between the ACS and AD. Idf so can anyone tell the authentication mechanism?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎01-31-2011 05:01 AM

Any administration session like telnet, ssh and console they always use PAP as an authentication method.


Though pap communication can be captured and read as it happens in clear text. However, since we have tacacs in use, it always encrypt the whole packet with shared secret defined on the IOS and ACS/TACACS so if you capture the traffic between the tacacs and device you won't be able to decrypt it without the key.


In case you have radius then use SSH (Putty) so that it can help you for secure communication.


ACS and AD do support CHAP, MSCHAPv1 and MSCHAPv2 and PAP.


However, these administration doesn't work on other authentication method except PAP.


HTH


Regds,

Jatin



Do rate helpful posts~

~Jatin

View solution in original post

3 Replies 3

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎01-31-2011 05:01 AM

Any administration session like telnet, ssh and console they always use PAP as an authentication method.


Though pap communication can be captured and read as it happens in clear text. However, since we have tacacs in use, it always encrypt the whole packet with shared secret defined on the IOS and ACS/TACACS so if you capture the traffic between the tacacs and device you won't be able to decrypt it without the key.


In case you have radius then use SSH (Putty) so that it can help you for secure communication.


ACS and AD do support CHAP, MSCHAPv1 and MSCHAPv2 and PAP.


However, these administration doesn't work on other authentication method except PAP.


HTH


Regds,

Jatin



Do rate helpful posts~

~Jatin

Go to solution
sidcracker
Level 1
Level 1
In response to Jatin Katyal

‎01-31-2011 05:06 AM

Thank you Jatin....

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to sidcracker

‎01-31-2011 07:34 AM

Your welcome

Rgds,

Jatin

~Jatin
Customers Also Viewed These Support Documents