Using CHAP with RADIUS authentication

Answered Question
Jan 20th, 2012

Hi


I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:


aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey


When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.


How can I configure the router to send its initial AccessRequest packet using CHAP?


Apologies if this has already been discussed, I have searched high and low for an answer.


Thanks in advance.


John

marraboytear Tue, 01/24/2012 - 02:02

Hi Carlos


Thanks for your response. I understand what it says in the RFC:


   The NAS then sends an Access-Request packet to the RADIUS server with the CHAP username as the User-Name and with the CHAP ID and CHAP response as the CHAP-Password (Attribute 3).


But, by default the NAS (in this case the Cisco 877 router) is sending a RADIUS packet with a PAP encoded password. As the NAS initiates the AccessRequest I need to configure it to send the correct attributes for the CHAP challenge. This is configured on the RADIUS server so it knows the NAS is going to send CHAP, but the NAS initiates the request and I guess needs to be configured to do so.


Is this possible on a Cisco 877? How?


Thanks


John
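
To make the PAP/CHAP distinction in the RFC text above concrete, here is an added example (not from this thread, Cisco, or any RADIUS server) that parses a RADIUS Access-Request, reports whether it carries a PAP User-Password (attribute 2) or a CHAP-Password (attribute 3), and verifies a CHAP response the way a server would. It also implements the RFC 2865 User-Password hiding so both request shapes can be built and compared; every packet, name, password and shared secret in it is constructed for the example.

```python
import hashlib
import struct

# RFC 2865 attribute types that tell a PAP Access-Request from a CHAP one
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

def parse_attributes(packet):
    """Return {type: value} for a RADIUS packet: 4-byte header, 16-byte authenticator, then TLVs."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def auth_method(packet):
    """Classify a captured Access-Request as the poster did: CHAP carries attribute 3, PAP attribute 2."""
    attrs = parse_attributes(packet)
    if CHAP_PASSWORD in attrs:
        return "CHAP"
    return "PAP" if USER_PASSWORD in attrs else "unknown"

def build_access_request(authenticator, attrs):
    """Build a constructed Access-Request (code 1, id 1) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + authenticator + body

def pap_user_password(password, secret, authenticator):
    """User-Password hiding per RFC 2865 section 5.2: 16-byte blocks XORed with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def chap_password(chap_id, password, challenge):
    """CHAP-Password per RFC 2865 section 2.2: ID || MD5(ID || password || challenge)."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def verify_chap(packet, password):
    """Server side: recompute the response; the challenge is CHAP-Challenge (60) or else the Request Authenticator."""
    attrs = parse_attributes(packet)
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])
    resp = attrs[CHAP_PASSWORD]
    return resp == chap_password(resp[0], password, challenge)
```

The CHAP check shows the operational caveat behind the answer: the server must hold the user's cleartext (or reversibly encrypted) password to recompute the MD5, whereas PAP's User-Password only depends on the shared secret and the Request Authenticator, so backends with one-way hashed password stores can accept only PAP.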

Correct Answer
camejia Tue, 01/24/2012 - 08:11

Hello John,


PPP connections do support CHAP as there is a configuration command to enable CHAP as the challenge-response protocol. However, Console, VTY and AUX connections will always go over PAP when using RADIUS authentication. There is no such command to enable CHAP for those types of connections.


Best Regards.

marraboytear Tue, 01/24/2012 - 11:02

Hi Carlos


Thanks for that. I suspected this was the case but I wasn't sure.


I assume that if I were to configure an ASA/PIX for RADIUS authentication from remote VPN clients I could configure this for CHAP?


Thanks again.


John

camejia Tue, 01/24/2012 - 11:20

Hello John,


If you enable the command "password-management" under the ASA Tunnel Group configuration the ASA should use MSCHAPv2.


I am glad that I was able to help you.


Best Regards.
