Is MSCHAP possible with aaa radius authentication?

We have a MS NPS server for Radius to handle aaa with users in AD.

It works fine when we use no encryption.
It does not seem to work when we enable MSCHAP on the MS Server.
Is this even possible?

Accepted Solution

Hello @DavidvanWijck05094 

MS-CHAPv2 is used for user authentication like dial-in and VPN, not for switch management.

For managing your switches, the recommended approach is to use RADIUS with PAP or CHAP authentication methods. These methods are compatible with Cisco IOS for console, SSH, or Telnet access.

But also, consider using TACACS+ instead of RADIUS. Unlike RADIUS, which encrypts only the password, TACACS+ encrypts the entire authentication process, including both username and password, providing a more secure authentication mechanism.

So, TACACS+ for device administration and RADIUS for secure network access:

[image: M02rt37_0-1744708642564.png]

Source: CCNP ENCOR 350-401, Chapter 26: Network Device Access Control and Infrastructure Security

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

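The RADIUS-for-switch-management setup recommended in this answer, as an added Cisco IOS/IOS-XE configuration example that is not part of the original post; the server address, VLAN interface, account names and the shared-secret placeholders are assumptions. IOS login authentication over RADIUS sends the password as PAP, so the matching NPS network policy has to permit unencrypted authentication (PAP) and should return the Cisco-AV-Pair shell:priv-lvl=15 for administrators.

```cisco
! Added example (not from the original post): RADIUS-authenticated switch
! management on Cisco IOS/IOS-XE against an NPS server. The address, VLAN,
! usernames and <...> placeholders are assumptions.
aaa new-model
!
! Define the NPS server. <SHARED-SECRET> must match the RADIUS client entry
! created for this switch on NPS (NPS matches the client on source IP).
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
aaa group server radius NPS
 server name NPS1
!
! Authenticate logins against NPS; "local" is only consulted when no RADIUS
! server answers, not when NPS rejects the user.
aaa authentication login default group NPS local
! Map the NPS-returned privilege level (shell:priv-lvl=15) to an exec session.
aaa authorization exec default group NPS local if-authenticated
! Record exec sessions on NPS for an audit trail of device access.
aaa accounting exec default start-stop group NPS
!
! Source RADIUS traffic from a fixed interface so the NPS client entry
! keeps matching regardless of the routing path.
ip radius source-interface Vlan10
!
! Local break-glass account, used only when NPS is unreachable.
username admin privilege 15 secret <STRONG-LOCAL-PASSWORD>
!
line vty 0 15
 login authentication default
 transport input ssh
!
! NPS side (network policy for these switches), as assumed for this example:
!   Constraints > Authentication Methods: enable "Unencrypted authentication
!     (PAP, SPAP)"; MS-CHAP/MS-CHAPv2 are not used for IOS login requests.
!   Settings > RADIUS Attributes > Standard: Service-Type = Login
!   Settings > RADIUS Attributes > Vendor Specific: Cisco-AV-Pair =
!     shell:priv-lvl=15 (vendor ID 9, attribute 1) for the admin group.
```

Because PAP carries the password protected only by the RADIUS shared secret, keep the NPS traffic on a dedicated management network or tunnel it, which is the same concern that motivates the TACACS+ recommendation above.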

6 Replies

M02@rt37 (VIP)

Hello @DavidvanWijck05094 

Did you check PEAP-MSCHAPv2?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

No, only MSCHAP and MSCHAPv2.

@DavidvanWijck05094 

MS-CHAPv2 without PEAP is not secure.

MS-CHAP and MS-CHAPv2 require access to plaintext or reversibly encrypted passwords in Active Directory. Since AD doesn't store user passwords in plaintext by default, authentication will fail unless you enable "Store Password Using Reversible Encryption".

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994559(v=ws.11)

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Does this work on a Cisco 9500/9300/9200 with aaa for management with mschap via NPS Radius?
