Cisco AAA RADIUS - What Authentication Protocol Does It Use?

Mike Mertens
Level 1

We use RADIUS for authenticating network admins logging into routers/switches. We use a Windows Server 2019 running NPS as our RADIUS server, which is apparently using NTLMv1 on the back end to authenticate to LDAP/AD. We need to move off of NTLMv1 (per the Windows admin), but I am not familiar with the NPS configuration. Anyway, diving deeper into RADIUS, I found, and think I understand, that the RADIUS server (or client?) can use NTLMv1, PAP, CHAP, MS-CHAP, EAP, EAP-TLS for authorization. So then, I should be able to reconfigure the NPS for RADIUS with something other than NTLM. However, that got me wondering: what does a Cisco router/switch configured for using RADIUS under AAA use to pass the user/password to the RADIUS server? What is the default config method, and how can I modify this? So when I SSH to a switch, the switch prompts me for userid/password, which is encrypted in SSH, but how do I see the encryption method for the switch-to-RADIUS-server communication?

It seems the more I read, the more I'm getting confused.


Thanks for any clarification anyone can bring.

Mike


4 Replies

M02@rt37
VIP

Hello @Mike Mertens 

Which RADIUS authentication method do you expect to use ?

Best regards

I guess "anything but NTLMv1", as that is what the Windows team is trying to retire. I'm quite confused right now, as it seems that between the Windows NPS and AD/LDAP it is RADIUS with NTLMv1(?), and then I wonder: does that mean that RADIUS is using NTLMv1 between the router/switch and the NPS RADIUS server? Or are these RADIUS "Access-Request", "Access-Accept", "Access-Reject" messages application-layer on top of UDP, used between the Cisco router/switch and the NPS/RADIUS server, with NPS then using NTLMv1 between it and AD/LDAP?

THANKS!

Mike

SW/R--radius--NPS (server)--NTLM--LDAP server 

So between SW/R and NPS there is only radius protocol.

MHM

The Authentication protocol from the RADIUS client (the switch/router) to the RADIUS server (your NPS) is PAP/ASCII. What happens between the NPS and the Directory-server depends heavily on the environment.
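Editor's added example, not code from this thread, from Cisco or from Microsoft: the switch-to-NPS leg that both answers describe, modelled end to end. The switch (the RADIUS client, or NAS) sends an Access-Request over UDP (port 1812 by default) carrying User-Name and a PAP User-Password attribute; NPS answers with Access-Accept or Access-Reject. The block implements the RFC 2865 User-Password hiding (null-pad, XOR with a chained MD5 keystream of shared secret + Request Authenticator) and the Response Authenticator check on the reply, then runs one login through it. Two things worth seeing: "PAP" here means the password is recoverable by anyone who has a capture of the packet and the shared secret, so the RADIUS leg is only as strong as that secret and the network path, and the NAS can detect a reply forged without the secret. The shared secret, user, password, NAS address and the dictionary standing in for AD are constructed test values; the NPS-to-AD (NTLM) hop from the thread is not modelled.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1  # "Login" service type, what an exec login requests


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s.5.2 User-Password hiding: null-pad to 16-byte blocks and XOR with a
    chained MD5 keystream from the shared secret and the 16-byte Request Authenticator.
    This is keyed obfuscation, not encryption in any modern sense."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], block))
        out += prev
    return out


def decode_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse: the packet plus the shared secret gives back the cleartext password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the pad (and any trailing NULs in the password)


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, request_auth, secret, username, password, nas_ip):
    """What the switch (NAS) sends for an SSH login that AAA hands to RADIUS."""
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(pkt: bytes):
    """-> (code, identifier, authenticator, [(type, value), ...]); rejects malformed input."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def build_response(code, request, secret, attrs=b""):
    """Server reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret) -> bool:
    """NAS-side check: matching identifier and a Response Authenticator computed with
    the shared secret; without it a spoofed Access-Accept would be honoured."""
    _, req_ident, req_auth, _ = parse_packet(request)
    _, ident, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, resp_auth)


def server_handle(request, secret, directory):
    """Stand-in for NPS: recover the PAP password and check it against a constructed
    user table. Real NPS forwards that check to AD (the NTLM leg); not modelled here."""
    code, _, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    ok = False
    if code == ACCESS_REQUEST and USER_NAME in fields and USER_PASSWORD in fields:
        password = decode_user_password(fields[USER_PASSWORD], secret, request_auth)
        expected = directory.get(fields[USER_NAME], b"")
        ok = bool(expected) and hmac.compare_digest(expected, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def demo():
    """One login exchange with constructed values; returns what each side saw."""
    secret = b"example-shared-secret"                    # constructed test value
    directory = {b"netadmin": b"Correct-Horse-Battery"}  # constructed stand-in for AD
    request_auth = os.urandom(16)                        # NAS picks this fresh per request
    request = build_access_request(7, request_auth, secret, b"netadmin",
                                   b"Correct-Horse-Battery", "10.0.0.5")
    hidden = dict(parse_packet(request)[3])[USER_PASSWORD]
    reply = server_handle(request, secret, directory)
    forged = build_response(ACCESS_ACCEPT, request, b"not-the-secret")  # no shared secret
    return {
        "recovered_password": decode_user_password(hidden, secret, request_auth),
        "reply_code": parse_packet(reply)[0],
        "reply_verified": verify_response(reply, request, secret),
        "forged_verified": verify_response(forged, request, secret),
    }


if __name__ == "__main__":
    print(demo())
```

To see the same thing on a real network, capture UDP 1812 between the switch and NPS and look at the User-Password attribute of the Access-Request: it is the MD5/XOR output above, and with the shared secret from the switch config it decodes to the admin's password exactly as decode_user_password does. That is the practical reason the shared secret must be long and per-device, and why RADIUS over an untrusted path is a problem regardless of which back-end protocol NPS uses towards AD.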