Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2159
Views
0
Helpful
2
Replies

MS-CHAP for Radius Authentication of Catalyst / Nexus rather than unsafe PAP

ciscoprolin
Level 1
Level 1

‎05-06-2019 12:02 AM

Hi,

we have noticed on our FreeRADIUS server that the Cisco switches still use the unsafe PAP authentication method where the password between the switch and the radius server is transmitted accross the LAN in cleartext.

Is there any way to tell the Catalyst Switches such as 2960S, 2960X, 3850, 3650 or Nexus 3K,5K,6K,7K to use MS-CHAP instead of PAP ?

If not are there any plans to implement this in the future ?

Thanks,

Thorsten

Labels:
0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎05-06-2019 02:30 AM

MSCAP support available.

 

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-mschap-ver2.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ciscoprolin
Level 1
Level 1
In response to balaji.bandi

‎05-06-2019 03:00 AM

Hi thanks,

but as far as I understand the document behind the link you have kindly provided this only refers to PPP authentication on routers (prerequisite in the doc you provided is: Configure the interface for PPP encapsulation)

We need MS-CHAP for authenticating admin users on switches who try to connect via SSH.

 

Our question is if and how that's possible on Catalyst and Nexus switches (not PPP routers) ?

 

Thanks a lot,

Thorsten

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents