We are a recent addition to the ACS 4.0 crowd and had a concern about router/switch user authentication using AAA and ACS with an external database.
We have several routers and switches working just fine with ACS using an external database (Windows AD). I also have EAP-PEAP and MSCHAP (V1 & 2) enabled in the Global Policy. However, we seem to be able to clear text sniff user IDs and Passwords. This appears to be the exchange between the router/switch and the ACS box. What have I misconfigured or not configured correctly? I do have a correct and difficult authentication password for the tacacs key and the Network Device.
As of now, we are running this on a limited number of network devices as we figure it all out and get it running as desired. So deployment has not left us vulnerable.
Sniffer does not know RADIUS, but we are using TACACS for AAA.
I was under the impression the shared secret between the client (Cisco IOS router/switch) and the ACS would have been used to hash the authentication exchange. However, the sniffer traces show this to be untrue...
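The mechanism the poster is asking about is the TACACS+ body obfuscation defined in RFC 8907 (section 5.2): the shared secret is not used to hash the exchange, it is mixed with the header's session ID, version and sequence number into an MD5 keystream that is XORed over the packet body. Whether the body is obfuscated at all is decided by one header flag (TAC_PLUS_UNENCRYPTED_FLAG, 0x01), not by how strong the key is. The following is an added example written for this page, not code from the poster or from Cisco; the header layout, flag values and pad construction follow RFC 8907, and the session ID, secret, username and port values are constructed sample data. It builds an authentication START packet both ways, shows that a wrong key does not recover the body, and includes a small audit helper that reports whether a captured packet's body is in the clear.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907, section 4.1): 12 bytes, network byte order.
HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent without obfuscation
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
VERSION_DEFAULT = 0xC0            # major version 0xC, minor version 0

# Constructed sample authentication START body (RFC 8907, section 5.1):
# action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1),
# then user_len, port_len, rem_addr_len, data_len, then the strings.
SAMPLE_USER = b"alice"
SAMPLE_PORT = b"tty0"
SAMPLE_BODY = (
    bytes([1, 1, 1, 1, len(SAMPLE_USER), len(SAMPLE_PORT), 0, 0])
    + SAMPLE_USER + SAMPLE_PORT
)
SAMPLE_SECRET = b"example-shared-secret"  # constructed, not a real key
SAMPLE_SESSION_ID = 0x1A2B3C4D               # constructed


def parse_header(pkt: bytes) -> dict:
    """Split the 12-byte TACACS+ header into its fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, pkt[:HEADER_LEN]
    )
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def pseudo_pad(secret: bytes, session_id: int, version: int,
               seq_no: int, length: int) -> bytes:
    """RFC 8907 section 5.2 keystream:
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_n-1)
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(header: bytes, body: bytes, secret: bytes) -> bytes:
    """XOR the body with the pseudo pad; if the unencrypted flag is set the
    body is passed through untouched, which is exactly what a sniffer then
    sees in clear text. XOR is symmetric, so the same call de-obfuscates."""
    h = parse_header(header)
    if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(secret, h["session_id"], h["version"], h["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


deobfuscate_body = obfuscate_body


def build_packet(body: bytes, secret: bytes, session_id: int,
                 seq_no: int = 1, unencrypted: bool = False) -> bytes:
    """Assemble header + (possibly obfuscated) body for an AUTHEN packet."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    header = struct.pack(HEADER_FMT, VERSION_DEFAULT, TAC_PLUS_AUTHEN,
                         seq_no, flags, session_id, len(body))
    return header + obfuscate_body(header, body, secret)


def audit_packet(pkt: bytes) -> str:
    """Defender-side check over a captured packet: report whether the
    device and server negotiated a clear-text body."""
    h = parse_header(pkt)
    return "CLEARTEXT" if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG else "OBFUSCATED"


if __name__ == "__main__":
    good = build_packet(SAMPLE_BODY, SAMPLE_SECRET, SAMPLE_SESSION_ID)
    bad = build_packet(SAMPLE_BODY, SAMPLE_SECRET, SAMPLE_SESSION_ID, unencrypted=True)
    print("obfuscated packet:", audit_packet(good), "username visible:", SAMPLE_USER in good)
    print("clear-text packet:", audit_packet(bad), "username visible:", SAMPLE_USER in bad)
```

Two points follow from running it. First, with the flag clear the username is not visible in the packet and a wrong secret yields garbage rather than the body, so a correct key on both ends does hide the credentials from a passive sniffer; if credentials are readable, check the flag byte of the captured packets and whether the exchange on the wire is the one you think it is. Second, the MD5 XOR pad is obfuscation, not authenticated encryption: RFC 8907 itself states it is not secure against a determined attacker and that TACACS+ should be carried over a protected transport such as IPsec, so the key strength alone is not the end of the story.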