05-06-2019 12:02 AM
Hi,
We have noticed on our FreeRADIUS server that the Cisco switches still use the unsafe PAP authentication method, where the password between the switch and the RADIUS server is transmitted across the LAN in cleartext.
Is there any way to tell the Catalyst switches such as 2960S, 2960X, 3850, 3650 or Nexus 3K, 5K, 6K, 7K to use MS-CHAP instead of PAP?
If not, are there any plans to implement this in the future?
Thanks,
Thorsten
05-06-2019 02:30 AM
MS-CHAP support is available.
https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-mschap-ver2.html
05-06-2019 03:00 AM
Hi, thanks,
but as far as I understand the document behind the link you have kindly provided, this only refers to PPP authentication on routers (the prerequisite in the doc you provided is: Configure the interface for PPP encapsulation).
We need MS-CHAP for authenticating admin users on switches who try to connect via SSH.
Our question is if and how that's possible on Catalyst and Nexus switches (not PPP routers)?
Thanks a lot,
Thorsten