Authentication Configuration

jphilope
Level 3

Hello all,

We are a recent addition to the ACS 4.0 crowd and had a concern about router/switch user authentication using AAA and ACS with an external database.

We have several routers and switches working just fine with ACS using an external database (Windows AD). I also have EAP-PEAP and MSCHAP (V1 & 2) enabled in the Global Policy. However, we seem to be able to clear text sniff user IDs and Passwords. This appears to be the exchange between the router/switch and the ACS box. What have I misconfigured or not configured correctly? I do have a correct and difficult authentication password for the tacacs key and the Network Device.

As of now, we are running this on a limited number of network devices as we figure it all out and get it running as desired. So deployment has not left us vulnerable.

Any assistance will be very welcomed.

I rate posts!

3 Replies

darpotter
Level 5

Are you sure?

RADIUS never sends passwords in the clear. Even if you had PAP authentication the password is masked with the shared secret.

If you use a sniffer that knows RADIUS you will see password attributes... however their content will not be plain text.

Unless your device is doing something mental!

Darran

Sniffer does not know RADIUS, but we are using TACACS for AAA.

I was under the impression the shared secret between the client (Cisco IOS router/switch) and the ACS would have been used to hash the authentication exchange. However, the sniffer traces show this to be untrue...

Ah, you didn't mention TACACS.

Sounds like you need to config the device to do CHAP or MSCHAP. It's either doing SENDPASS or plain old ASCII.
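As an added example (not code from this thread or from Cisco), the following implements the RADIUS User-Password hiding from RFC 2865 that Darran's first reply describes, and the keyed TACACS+ body obfuscation from RFC 8907 that the shared secret provides on the TACACS side; all key, password and session values are constructed, and the empty-key branch models the one case in which a TACACS+ body goes on the wire unchanged.

```python
import hashlib

MD5_BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding (PAP over RADIUS): each 16-byte chunk is
    XORed with MD5(secret + previous cipher chunk); chunk 1 uses the Request Authenticator."""
    if len(request_auth) != MD5_BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    n = max(MD5_BLOCK, -(-len(password) // MD5_BLOCK) * MD5_BLOCK)  # NUL-pad to 16n
    padded = password.ljust(n, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, n, MD5_BLOCK):
        prev = _xor(padded[i:i + MD5_BLOCK], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def radius_unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does on receipt)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), MD5_BLOCK):
        chunk = hidden[i:i + MD5_BLOCK]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 s4.5 TACACS+ body obfuscation: body XOR pseudo_pad, where
    pseudo_pad = MD5_1 || MD5_2 || ... and MD5_n = MD5(session_id || key || version
    || seq_no || MD5_(n-1)). XOR is symmetric, so the same call decodes. With no key
    the body is sent unchanged and TAC_PLUS_UNENCRYPTED_FLAG is set in the header."""
    if not key:
        return body
    head = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return _xor(body, pad[:len(body)])

if __name__ == "__main__":
    # Constructed sample values, not taken from any capture.
    ra = bytes(range(16))
    print("PAP password visible:", b"Secret1" in radius_hide_password(b"Secret1", b"k", ra))
    print("TACACS+ password visible:", b"admin" in tacacs_obfuscate(b"admin\x00", b"k", 0x1234ABCD))
```

Both routines are only as strong as the shared secret and the MD5 construction, so they keep a password out of a plain capture rather than providing modern confidentiality; that is why the original poster's concern is best answered by checking that the key is actually configured on every device and the ACS.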