Authentication Configuration

jphilope · ‎10-10-2006

Hello all,

We are a recent addition to the ACS 4.0 crowd and had a concern about router/switch user authentication using AAA and ACS with an external database.

We have several routers and switches working just fine with ACS using an external database (Windows AD). I also have EAP-PEAP and MSCHAP (V1 & 2) enabled in the Global Policy. However, we seem to be able to clear text sniff user IDs and Passwords. This appears to be the exchange between the router/switch and the ACS box. What have I misconfigured or not configured correctly? I do have a correct and difficult authentication password for the tacacs key and the Network Device.

As of now, we are running this on a limitied number of network devices as we figure it all out and get it running as desired. So deployment has not left us vulnerable.

Any assistance will be very welcomed.

I rate posts!

darpotter · ‎10-10-2006

Are you sure?

RADIUS never sends passwords in the clear. Even if you had PAP authentication the password is masked with the shared secret.

If you use a sniffer that knows RADIUS you will see password attributes... however their content will not be plain text.

Unless your device is doing something mental!

Darran

jphilope · ‎10-10-2006

Sniffer does not know RADIUS, but we are using TACACS for AAA.

I was under the impression the shared secret between the client (Cisco IOS router/switch) and the ACS would have been used to hash the authentication exchange. However, the sniffer traces show this to be untrue...

darpotter · ‎10-10-2006

ah, you didnt mention TACACS.

Sounds like you need to config the device to do CHAP or MSCHAP. Its either doing SENDPASS or plain old ASCII.