cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

324
Views
0
Helpful
2
Replies
Highlighted
Beginner

MS-CHAP for Radius Authentication of Catalyst / Nexus rather than unsafe PAP

Hi,

we have noticed on our FreeRADIUS server that the Cisco switches still use the unsafe PAP authentication method where the password between the switch and the radius server is transmitted accross the LAN in cleartext.

Is there any way to tell the Catalyst Switches such as 2960S, 2960X, 3850, 3650 or Nexus 3K,5K,6K,7K to use MS-CHAP instead of PAP ?

If not are there any plans to implement this in the future ?

Thanks,

Thorsten

2 REPLIES 2
Highlighted
VIP Mentor

Re: MS-CHAP for Radius Authentication of Catalyst / Nexus rather than unsafe PAP

MSCAP support available.

 

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-mschap-ver2.html

BB
*** Rate All Helpful Responses ***
Highlighted
Beginner

Re: MS-CHAP for Radius Authentication of Catalyst / Nexus rather than unsafe PAP

Hi thanks,

but as far as I understand the document behind the link you have kindly provided this only refers to PPP authentication on routers (prerequisite in the doc you provided is: Configure the interface for PPP encapsulation)

We need MS-CHAP for authenticating admin users on switches who try to connect via SSH.

 

Our question is if and how that's possible on Catalyst and Nexus switches (not PPP routers) ?

 

Thanks a lot,

Thorsten

 

 

CreatePlease to create content
Content for Community-Ad