Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1993
Views
5
Helpful
3
Replies

Cisco ACS 4.2 and Radius authentication?

f-persson
Level 1
Level 1

‎02-16-2011 07:03 AM - edited ‎03-10-2019 05:49 PM

Hi,

I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?

Labels:
0 Helpful
3 Replies 3

marcohernandez
Level 1
Level 1

‎02-16-2011 09:04 AM

Hi F-Persson:

I think you are little confused.

The ACS uses RADIUS and TACACS+ to authenticate users and in general to do AAA.

I understand that your are integrating the ACS with a Window 2008 Server. This is called External Database (I guest this is what you call external raduis).

As I know, theres is no problem to use PAP or CHAP for Extenal Windows Authentication.

I recommend the following:

I am asuming you have already installed the Remote Agent. And you have configured the External Database configuration for Windows Authentication.

1. Check if you are able to read the Windows Groups from the ACS

2. When testing the users authenticatión, look into the Remote Agent logs for a specific "Windows Error" o integration error.

3. In System Configuration->Global Authentication Setup, verify what options you have checked in "MS-CHAP Configuration" section

0 Helpful

f-persson
Level 1
Level 1
In response to marcohernandez

‎02-16-2011 11:13 AM

I'm using external database authentication, but not windows authentication, I've set up Radius Authentication. And there you cab only specify radius server etc, but not choose PAP/CHAP etc.. So I can se in my radiusserver that it uses PAP (unencrypted) and I dont want these accounts to travel unencrypted on my network. But how can I use CHAP instead of PAP when using a Radius server as external database?

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee

‎02-16-2011 07:00 PM

To access network devices for administrative purpose, we have only three methods available :


[1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted,  and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.


[2] SSH : Which uses  public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client 

and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.


[3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .


Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.


And the most secure way to administer a  device is to use SSH.



Rgds, Jatin

Do rate helpful post~



~Jatin
Customers Also Viewed These Support Documents