RADIUS server for authentication using PAP for router. Want to use MS-CHAPv2

Tarjeet Singh
Level 1

I noticed that when our routers or switches use the RADIUS server for authentication, they are using PAP. I also noticed that when our WLC uses the RADIUS server for authentication, it uses PEAP with MS-CHAPv2.

Can we change the routers so that all the authentication is done using something more secure than PAP? Perhaps PEAP with MS-CHAPv2 for everything?

I tried to implement MS-CHAP on our server and I couldn't access any device with my Windows credentials, so I reverted back to PAP.

The bad thing about PAP is that it transmits usernames and passwords in the clear, so I'd like to get away from it if possible. Please advise if I need to add some kind of config on the router side to make sure it supports MS-CHAPv2.

Thanks in advance

5 Replies

Amjad Abdullah
VIP Alumni

The WLC sends PEAP for dot1x users only. If you use webAuth, for example, and use the RADIUS as the backend auth server, then the request can only be either PAP or CHAP (configurable from the WLC).

Anyway, you must make sure your router sends the request in CHAP and make sure your server is able to handle a CHAP request.

What is your server by the way?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
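To make the PAP-versus-CHAP distinction drawn above concrete, here is an added example (Python, not code from anyone in this thread) that builds the RADIUS User-Password attribute the way a PAP NAS does and the CHAP-Password the way a CHAP NAS does, then shows what each side can recover. The shared secret, password, authenticator and challenge are all constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values for the demonstration, not taken from any real deployment.
SHARED_SECRET = b"example-shared-secret"   # NAS <-> RADIUS shared secret
PASSWORD = b"Winter2024!"                  # the user's login password

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password as a PAP NAS builds it (RFC 2865 section 5.2): null-pad to a
    16-byte multiple, XOR each block with MD5(secret + previous block), seeded
    with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server, or anyone else who holds the shared secret and a
    capture of the Access-Request, recovers from it: the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drop the padding (assumes the password has no trailing NULs)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password as a CHAP NAS sends it (RFC 1994, carried per RFC 2865 5.3):
    MD5(Identifier + password + challenge). The request carries this digest and
    the CHAP-Challenge, never the password itself."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()

def chap_verify(ident: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: CHAP is checked by recomputing the digest from a cleartext copy
    of the password, so the server must hold credentials in recoverable form."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> bool:
    """Run both flows on the constructed values; True when both behave as described."""
    auth, challenge = os.urandom(16), os.urandom(16)
    hidden = pap_hide(PASSWORD, SHARED_SECRET, auth)
    pap_ok = pap_reveal(hidden, SHARED_SECRET, auth) == PASSWORD   # secret holder gets it back
    resp = chap_response(1, PASSWORD, challenge)
    chap_ok = chap_verify(1, PASSWORD, challenge, resp) and not chap_verify(1, b"wrong", challenge, resp)
    return pap_ok and chap_ok
```

Plain CHAP therefore needs the authentication server to hold a recoverable copy of the password, whereas MS-CHAPv2 needs only the NT hash of it.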

Hi Amjad,

I am using a Microsoft server. I have found the document on MS-CHAPv2 configuration for Cisco routers. I am a bit confused here. In the Cisco document they have given the steps with config.

Summary Steps (Configure the NAS to accept MSCHAP V2 authentication for local or RADIUS authentication)

1. enable
2. configure terminal
3. radius-server vsa send authentication
4. interface type number
5. ppp max-bad-auth number
6. ppp authentication ms-chap-v2
7. end

I am not seeing the step 5 through 6 configuration on my 1900 router (c1900-universalk9-mz.SPA.151-4.M4.bin).

FastEthernet 0/1 (no option for PPP on my 1900 router or any router):

ppp max-bad-auth number

ppp max-bad-auth 2

ppp authentication ms-chap-v2

Yes, I can see radius-server vsa send authentication on the router.

Please advise...


Because the config you see is for PPP auth, not dot1x auth.
You have to look for a doc for dot1x auth with MSCHAPv2. Not sure if that is possible.

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Hi Amjad,

When I telnet into a router or switch and enter my credentials, it takes my credentials to the RADIUS server over PAP, which is in clear text.

So I want to use MSCHAPv2; then next time when I telnet to a router or switch, it will send my credentials hashed to the RADIUS server for authentication.

There must be a way that we can configure MSCHAPv2 on the router, but I'm confused about 802.1X. Do we need 802.1X for that?

Sorry Tarjeet, I meant the RADIUS authentication, not the dot1x authentication.

Searching around, a Cisco employee said there is no way to do that.

Check this:

https://supportforums.cisco.com/thread/2126960

In the ASA you can enable the password-management command and it then uses CHAP. But for routers (or switches) I am not sure if there is any such command that does the same thing.

I suggest you ask in the routers/switches forums because this is device behavior. They can give you more updated information on whether this feature is enabled or if it will be in the future.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"