Using CHAP with RADIUS authentication

marraboytear
Level 1

Hi

I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:

aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey

When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.

How can I configure the router to send its initial AccessRequest packet using CHAP?

Apologies if this has already been discussed, I have searched high and low for an answer.

Thanks in advance.

John


camejia
Level 3

Hello John,

Recently I commented on a similar request for ASA:

https://supportforums.cisco.com/message/3536900#3536900

Please review the above as it applies for IOS Management Authentication as well.

If this helps please rate.

Best Regards.

Hi Carlos

Thanks for your response. I understand what it says in the RFC:

    The NAS then sends an Access-Request packet to the RADIUS server with the CHAP username as the User-Name and with the CHAP ID and CHAP response as the CHAP-Password (Attribute 3).

But by default the NAS (in this case the Cisco 877 router) is sending a RADIUS packet with a PAP-encoded password. As the NAS initiates the AccessRequest, I need to configure it to send the correct attributes for the CHAP challenge. This is configured on the RADIUS server so it knows the NAS is going to send CHAP, but the NAS initiates the request and I guess needs to be configured to do so.

Is this possible on a Cisco 877? How?

Thanks

John
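As an added example (not code from this thread or from Cisco), the following Python builds the two Access-Request forms being compared here, PAP carrying User-Password (attribute 2) and CHAP carrying CHAP-Password (attribute 3) as in the RFC text quoted above, and includes the check to run over a logged packet to tell which one the NAS sent. The function names, the constructed user name and password, and the caller-supplied 16-byte Request Authenticator are assumptions of this example.

```python
import hashlib
import struct
ACCESS_REQUEST = 1  # RFC 2865 packet code
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60  # RFC 2865 attribute types

def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length (incl. header), Value

def access_request(pkt_id: int, authenticator: bytes, attrs: bytes) -> bytes:
    # 20-byte header (Code, Identifier, Length, 16-byte Request Authenticator) followed by the TLVs
    return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator + attrs

def pap_access_request(user: bytes, password: bytes, secret: bytes, authenticator: bytes, pkt_id: int = 1) -> bytes:
    # PAP (what the 877 sends): User-Password (attr 2) = password XOR MD5(secret + authenticator), chained (RFC 2865 s.5.2)
    # authenticator: 16 random bytes chosen by the NAS per request (constructed by the caller in this example)
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden += prev
    return access_request(pkt_id, authenticator, encode_attr(USER_NAME, user) + encode_attr(USER_PASSWORD, hidden))

def chap_access_request(user: bytes, password: bytes, authenticator: bytes, challenge: bytes = b"",
                        chap_id: int = 1, pkt_id: int = 1) -> bytes:
    # CHAP (what the question asks for): CHAP-Password (attr 3) = CHAP ID + MD5(ID + password + challenge) (RFC 1994)
    response = hashlib.md5(bytes([chap_id]) + password + (challenge or authenticator)).digest()
    attrs = encode_attr(USER_NAME, user) + encode_attr(CHAP_PASSWORD, bytes([chap_id]) + response)
    if challenge:  # attr 60 carries an explicit challenge; without it the Request Authenticator is the challenge
        attrs += encode_attr(CHAP_CHALLENGE, challenge)
    return access_request(pkt_id, authenticator, attrs)

def parse_attributes(packet: bytes) -> dict:
    # Walk the TLVs after the header; a bad length is an error, not an infinite loop
    attrs, offset = {}, 20
    while offset < len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type], offset = packet[offset + 2:offset + length], offset + length
    return attrs

def password_method(packet: bytes) -> str:
    # The check to run over a logged Access-Request: attr 3 means CHAP, attr 2 means PAP
    attrs = parse_attributes(packet)
    return "CHAP" if CHAP_PASSWORD in attrs else "PAP" if USER_PASSWORD in attrs else "none"

def chap_verify(packet: bytes, password: bytes) -> bool:
    # Server side: recompute the response from the CHAP ID, the stored cleartext password and the challenge
    attrs = parse_attributes(packet)
    chap_id, response = attrs[CHAP_PASSWORD][:1], attrs[CHAP_PASSWORD][1:]
    return hashlib.md5(chap_id + password + attrs.get(CHAP_CHALLENGE, packet[4:20])).digest() == response
```

Note the trade-off the two forms carry: a PAP User-Password can be unhidden by anyone holding the shared key, while CHAP keeps the password off the wire but obliges the RADIUS server to store it in cleartext (or reversibly) to recompute the response.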

Hello John,

PPP connections do support CHAP, as there is a configuration command to enable CHAP as the challenge-response protocol. However, Console, VTY and AUX connections will always go over PAP when using RADIUS authentication. There is no such command to enable CHAP for those types of connections.

Best Regards.

Hi Carlos

Thanks for that. I suspected this was the case but I wasn't sure.

I assume that if I were to configure an ASA/PIX for RADIUS authentication from remote VPN clients I could configure this for CHAP?

Thanks again.

John

Hello John,

If you enable the command "password-management" under the ASA Tunnel Group configuration the ASA should use MSCHAPv2.

I am glad that I was able to help you.

Best Regards.