
Cisco AAA RADIUS - What Authentication Protocol Does It Use?

Mike Mertens
Community Member

We use RADIUS for authenticating network admins logging into routers/switches. We use a Windows Server 2019 running NPS as our RADIUS server, which is apparently using NTLMv1 on the back end to authenticate to LDAP/AD. We need to move off of NTLMv1 (per Windows admin) but I am not familiar with the NPS configuration. Anyway, diving deeper into RADIUS, I found and think I understand that the RADIUS server (or client?) can use NTLMv1, PAP, CHAP, MS-CHAP, EAP, EAP-TLS for authorization. So then, I should be able to reconfigure the NPS for RADIUS with something other than NTLM. However, that got me wondering: What does a Cisco router/switch configured for using RADIUS under AAA use to pass the user/password to the RADIUS server? What is the default config method, and how can I modify this? So when I SSH to a switch, the switch prompts me for userid/password, which is encrypted in SSH, but how do I see the encryption method for the switch-to-RADIUS server communication?

It seems the more I read, the more I'm getting confused.


Thanks for any clarification anyone can bring.

Mike

4 Replies

M02@rt37
VIP

Hello @Mike Mertens 

Which RADIUS authentication method do you expect to use?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I guess "anything but NTLMv1", as that is what the Windows team is trying to retire. I'm quite confused right now as it seems that between the Windows NPS and AD/LDAP it is RADIUS with NTLMv1(?) and then I wonder: does that mean that RADIUS is using NTLMv1 between router/switch and the NPS RADIUS server? Or are these RADIUS "Access-Request", "Access-Accept", "Access-Reject" messages application-layer on top of UDP, used between the Cisco router/switch and the NPS/RADIUS server, and then NPS is using NTLMv1 between it and AD/LDAP?

THANKS!

Mike

SW/R--radius--NPS (server)--NTLM--LDAP server 

So between SW/R and NPS there is only the RADIUS protocol.

MHM

The Authentication protocol from the RADIUS client (the switch/router) to the RADIUS server (your NPS) is PAP/ASCII. What happens between the NPS and the Directory-server depends heavily on the environment.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
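As an added illustration of what "PAP/ASCII" means on the wire (this is example code written for this thread, not code from Cisco, Microsoft or any poster): RFC 2865 does not encrypt the User-Password attribute, it hides it by XORing with MD5(shared secret + Request-Authenticator), chained block by block. The confidentiality of the admin password between switch and NPS therefore rests entirely on the RADIUS shared secret (and on any IPsec or RadSec wrapping of the UDP packets), which is why the Windows-side NTLMv1 question and the switch-side RADIUS question are separate. The secret and authenticator below are constructed sample values.

```python
import hashlib

# RFC 2865 section 5.2: the NAS (switch/router) pads the PAP password to a
# multiple of 16 octets and XORs each 16-octet block with an MD5 keystream:
# block 1 uses MD5(secret + Request-Authenticator), each later block uses
# MD5(secret + previous ciphertext block). The server reverses the same steps.

def _pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 16)

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value as the RADIUS client sends it."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    plain = _pad16(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next keystream depends on this ciphertext block
    return bytes(out)

def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the RADIUS server (NPS) does before checking it."""
    if not cipher or len(cipher) % 16 != 0:
        raise ValueError("User-Password value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    # Strip the NUL padding added by the client.
    return bytes(out).rstrip(b"\x00")

# Constructed sample values, not taken from any real deployment.
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))  # a real NAS uses 16 unpredictable random octets

def roundtrip(password: bytes, server_secret: bytes = SECRET) -> bytes:
    """Encode as the NAS would, decode as the server would; a mismatched secret yields garbage."""
    wire = encode_user_password(password, SECRET, AUTHENTICATOR)
    return decode_user_password(wire, server_secret, AUTHENTICATOR)
```

Only a party holding the shared secret can undo the hiding, and only the 16-byte Request-Authenticator varies per request, so a weak or widely shared secret is the real exposure to manage on the switch-to-NPS leg.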