10-10-2006 04:53 AM - edited 03-10-2019 02:47 PM
Hello all,
We are a recent addition to the ACS 4.0 crowd and had a concern about router/switch user authentication using AAA and ACS with an external database.
We have several routers and switches working just fine with ACS using an external database (Windows AD). I also have EAP-PEAP and MSCHAP (V1 & 2) enabled in the Global Policy. However, we seem to be able to clear text sniff user IDs and Passwords. This appears to be the exchange between the router/switch and the ACS box. What have I misconfigured or not configured correctly? I do have a correct and difficult authentication password for the tacacs key and the Network Device.
As of now, we are running this on a limited number of network devices as we figure it all out and get it running as desired. So deployment has not left us vulnerable.
Any assistance will be very welcomed.
I rate posts!
10-10-2006 08:52 AM
Are you sure?
RADIUS never sends passwords in the clear. Even if you had PAP authentication the password is masked with the shared secret.
If you use a sniffer that knows RADIUS you will see password attributes... however their content will not be plain text.
Unless your device is doing something mental!
Darran
10-10-2006 09:52 AM
Sniffer does not know RADIUS, but we are using TACACS for AAA.
I was under the impression the shared secret between the client (Cisco IOS router/switch) and the ACS would have been used to hash the authentication exchange. However, the sniffer traces show this to be untrue...
10-10-2006 12:25 PM
Ah, you didn't mention TACACS.
Sounds like you need to config the device to do CHAP or MSCHAP. It's either doing SENDPASS or plain old ASCII.
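Added example, not part of the thread and not Cisco or ACS code: a Python model of the two credential-hiding mechanisms the replies above rely on, so a reader can see why a RADIUS User-Password is never literally on the wire (Darran's point) and what a TACACS+ body looks like with and without the shared key applied. It implements the User-Password masking of RFC 2865 section 5.2 and the MD5-pad body obfuscation of RFC 8907 section 4.5, plus the triage check the original poster actually ran: whether the literal password occurs in captured bytes. The shared secret, password, Request Authenticator, session id and the TACACS+ body layout are all constructed sample values, not real ones, and the body is a stand-in rather than a byte-exact authentication START packet.

```python
"""Constructed demo: how RADIUS and TACACS+ hide credentials on the wire with
the shared secret, and a triage check for "is the password visible in a capture?".
"""
import hashlib
import struct

# ---------- RADIUS User-Password hiding (RFC 2865, section 5.2) ----------

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Wire form of a User-Password attribute value.

    The password is zero-padded to a multiple of 16 bytes; chunk i is XORed
    with MD5(secret + previous wire chunk), seeded with the 16-byte Request
    Authenticator. A sniffer without the secret sees only the masked bytes.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password: what the server does with its copy of the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return bytes(out).rstrip(b"\x00")   # drop the RFC's zero padding


# ---------- TACACS+ body obfuscation (RFC 8907, section 4.5) ----------

TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag bit: body is sent as-is
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream: pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_body_on_wire(body: bytes, session_id: int, key: bytes,
                        version: int, seq_no: int, flags: int) -> bytes:
    """Body bytes as they appear in a capture. XOR with the pad is its own
    inverse, so the same call recovers the body when the key is known.
    With the unencrypted flag set, or no key configured, the body is clear text."""
    if flags & TAC_PLUS_UNENCRYPTED_FLAG or not key:
        return body
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_packet(body: bytes, session_id: int, key: bytes,
                  version: int = 0xC0, seq_no: int = 1, flags: int = 0) -> bytes:
    """12-byte header (always clear) followed by the body (obfuscated unless flagged)."""
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + tacacs_body_on_wire(body, session_id, key, version, seq_no, flags)


def password_visible(capture: bytes, password: bytes) -> bool:
    """Triage check for the original question: is the literal password in the bytes?"""
    return password in capture


# Constructed sample values (assumptions for the demo, not real credentials).
SECRET = b"example-shared-secret"
PASSWORD = b"Secr3tPassw0rd!"
AUTHENTICATOR = bytes(range(16))        # a real NAS uses 16 random bytes here
SESSION_ID = 0x1234ABCD
TACACS_BODY = b"user=alice;" + PASSWORD  # stand-in body, not the exact START layout

if __name__ == "__main__":
    hidden = radius_hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("RADIUS (PAP) User-Password visible?", password_visible(hidden, PASSWORD))
    keyed = tacacs_packet(TACACS_BODY, SESSION_ID, SECRET)
    unkeyed = tacacs_packet(TACACS_BODY, SESSION_ID, SECRET, flags=TAC_PLUS_UNENCRYPTED_FLAG)
    print("TACACS+ with key applied visible?", password_visible(keyed, PASSWORD))
    print("TACACS+ unencrypted flag visible?", password_visible(unkeyed, PASSWORD))
```

The useful check for a thread like this one is the last two prints: with the key applied to the body, the password does not appear in the packet bytes, while a packet carrying the unencrypted flag (or sent with no key at all) shows it verbatim. When a capture of the device-to-ACS exchange shows readable credentials, comparing the flags byte of the 12-byte TACACS+ header against that behaviour is a quicker first step than re-typing the key.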