PAP Authentication Protocol

clark white
Level 2

Dears,

When I do ssh to switches, the authentication details in the attached snapshot show the protocol being used as PAP_ASCII.

As far as I know, PAP is a clear-text password authentication protocol, so how can I justify to anybody that the connection to my switch is secure?

Jatin Katyal
Cisco Employee

Enabling PAP as an authentication protocol with Radius+ means that user passwords are sent from a client to a NAS in plaintext form. The NAS (switch / router / WLC / ASA, etc.) encrypts the user's password using the shared secret and sends it in an Access-Request packet.

RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party :)

...so yes it's less secure when we compare against TACACS because TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.

https://technet.microsoft.com/en-us/library/cc958013.aspx

Rgds,

Jatin

~ Do rate helpful posts.

~Jatin
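
What the reply above describes, as an added example that is not part of the original thread: the RFC 2865 User-Password hiding a NAS applies to a PAP password, and the resulting Access-Request in which the User-Name stays readable. The shared secret, authenticator, user name and password are constructed sample values.

```python
import hashlib
import struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 section 5.2 hiding of the User-Password attribute."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, (len(password) + 15) // 16 * 16)   # pad with NULs to 16-byte blocks
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()     # keyed only by the shared secret
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev                                    # next mask chains on this block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """AAA server side: reverse the hiding with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(ident: int, authenticator: bytes, user: bytes,
                   password: bytes, secret: bytes) -> bytes:
    """Build an Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    attrs = attribute(1, user)                         # sent as-is, readable on the wire
    attrs += attribute(2, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))                       # random per request in practice
USER, PASSWORD = b"clark", b"Sw1tch-Adm1n-Passphrase"
PACKET = access_request(7, AUTHENTICATOR, USER, PASSWORD, SECRET)

if __name__ == "__main__":
    print("User-Name visible in packet:    ", USER in PACKET)
    print("Password visible in packet:     ", PASSWORD in PACKET)
    hidden = PACKET[-32:]                              # value of the last attribute
    print("Server recovers the password:   ",
          unhide_password(hidden, SECRET, AUTHENTICATOR) == PASSWORD)
```

Only the password attribute is masked, and anyone holding the shared secret can reverse that mask, so the protection of this leg depends on the secret while the user-to-NAS leg depends on SSH.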

Dear Jatin,

Thanks for the reply. In such a situation, how can I avoid PAP? Whenever I do ssh or telnet, the connection details show me the PAP_ASCII protocol; if I don't allow PAP, the connection will not be established.

Thanks

So the only way to access the managed device securely is to use SSH and avoid TELNET. From NAS to AAA server (Radius), your password is anyway encrypted.

You may want to read the detailed discussion here:

https://supportforums.cisco.com/discussion/12668396/does-cisco-support-strong-remote-network-authentication-protocols

Rgds,

Jatin

~ Do rate helpful posts.

~Jatin

+5 to you expert

jeremytetart
Level 1

Hi Clark,

I added a comment on this post about your question => https://community.cisco.com/t5/routing/does-cisco-support-strong-remote-network-authentication/m-p/2767297/highlight/false#M257295

I think I reply to your answer.

Regards.