Cisco Support Community
New Member

Authentication Configuration

Hello all,

We are a recent addition to the ACS 4.0 crowd and had a concern about router/switch user authentication using AAA and ACS with an external database.

We have several routers and switches working just fine with ACS using an external database (Windows AD). I also have EAP-PEAP and MSCHAP (v1 & v2) enabled in the Global Policy. However, we seem to be able to sniff user IDs and passwords in clear text. This appears to be the exchange between the router/switch and the ACS box. What have I misconfigured or not configured correctly? I do have a correct and difficult authentication password for the TACACS key and the Network Device.

As of now, we are running this on a limited number of network devices as we figure it all out and get it running as desired, so the deployment has not left us vulnerable.

Any assistance will be very welcomed.

I rate posts!

3 REPLIES
Silver

Re: Authentication Configuration

Are you sure?

RADIUS never sends passwords in the clear. Even if you had PAP authentication the password is masked with the shared secret.

If you use a sniffer that knows RADIUS you will see password attributes... however their content will not be plain text.

Unless your device is doing something mental!

Darran
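Added example (not code from this thread, from Cisco ACS, or from any RADIUS implementation) showing the masking Darran refers to: a RADIUS User-Password attribute is hidden with MD5 of the shared secret and the Request Authenticator, as defined in RFC 2865 section 5.2. The shared secret, the 16-octet Request Authenticator and the password below are constructed sample values.

```python
"""Added example: how RADIUS hides the User-Password attribute (RFC 2865
section 5.2) with the shared secret. All sample values are constructed."""
import hashlib
import struct

RADIUS_ATTR_USER_PASSWORD = 2
MAX_PASSWORD_OCTETS = 128  # RFC 2865: padded value must be 16..128 octets


def _pad16(data: bytes) -> bytes:
    """Pad with NUL octets up to a multiple of 16, as the RFC requires."""
    return data + b"\x00" * (-len(data) % 16)


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Encode the attribute value:
       b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1
       bi = MD5(secret + c(i-1)),               ci = pi XOR bi
    The result is what a sniffer sees on the wire."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= MAX_PASSWORD_OCTETS:
        raise ValueError("password must be 1..128 octets")
    padded = _pad16(password)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor16(padded[i:i + 16], b)
        hidden += c
        prev = c
    return bytes(hidden)


def reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Invert hide_password. Anyone holding the secret and the captured Request
    Authenticator can do this; with the wrong secret the output is garbage.
    Trailing NUL padding is stripped (so a password ending in NUL is ambiguous)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plain += _xor16(c, b)
        prev = c
    return bytes(plain).rstrip(b"\x00")


def user_password_avp(hidden: bytes) -> bytes:
    """Type-Length-Value encoding of the attribute as carried in Access-Request."""
    return struct.pack("!BB", RADIUS_ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden


if __name__ == "__main__":
    secret = b"correct-and-difficult"                                   # constructed
    ra = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")               # constructed
    h = hide_password(secret, ra, b"Sup3rSecret!")
    print("on the wire   :", user_password_avp(h).hex())
    print("with secret   :", reveal_password(secret, ra, h))
    print("wrong secret  :", reveal_password(b"guess", ra, h))
```

Two practical points follow from the code: the protection is exactly as strong as the shared secret, because the Request Authenticator is sent in the same packet and MD5 is the only other ingredient; and a protocol-aware sniffer that has been given the secret (Wireshark's RADIUS dissector accepts one as a preference) will show the decoded password, which can look like a "plain text" leak in a trace even though the wire bytes were masked.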

New Member

Re: Authentication Configuration

Sniffer does not know RADIUS, but we are using TACACS for AAA.

I was under the impression the shared secret between the client (Cisco IOS router/switch) and the ACS would have been used to hash the authentication exchange. However, the sniffer traces show this to be untrue...

Silver

Re: Authentication Configuration

Ah, you didn't mention TACACS.

Sounds like you need to configure the device to do CHAP or MSCHAP. It's either doing SENDPASS or plain old ASCII.
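Added example, not code from this thread, from Cisco IOS or from ACS, for the two points raised above: what the TACACS+ shared key actually does to the exchange (the body obfuscation of RFC 8907 section 4.5, which the original poster expected the key to provide), and where an ASCII login's password travels (in an authentication CONTINUE packet, the case Darran calls "plain old ASCII"). It also shows the header flag TAC_PLUS_UNENCRYPTED_FLAG, which, when set, means the body is sent in clear text whatever key the other side holds. The key, session ID, username, port and password are constructed sample values.

```python
"""Added example: TACACS+ body obfuscation with the shared key (RFC 8907
section 4.5) and the header flag that disables it. Sample values constructed."""
import hashlib
import struct
from typing import Optional

HEADER_LEN = 12
TAC_PLUS_VERSION = 0xC0               # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # header flag: body is not obfuscated
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def build_header(seq_no: int, flags: int, session_id: int, body_len: int,
                 version: int = TAC_PLUS_VERSION, pkt_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """12-octet header (RFC 8907 section 4.1); the header itself is never obfuscated."""
    return struct.pack("!BBBBII", version, pkt_type, seq_no, flags, session_id, body_len)


def parse_header(hdr: bytes) -> dict:
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", hdr[:HEADER_LEN])
    return {"version": version, "type": pkt_type, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenated, truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(hdr: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pseudo-pad. Symmetric: the same call de-obfuscates.
    A header carrying TAC_PLUS_UNENCRYPTED_FLAG means the body is clear text."""
    h = parse_header(hdr)
    if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(h["session_id"], key, h["version"], h["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"",
                      action: int = TAC_PLUS_AUTHEN_LOGIN, priv_lvl: int = 1,
                      authen_type: int = TAC_PLUS_AUTHEN_TYPE_ASCII,
                      service: int = TAC_PLUS_AUTHEN_SVC_LOGIN) -> bytes:
    """Authentication START (RFC 8907 section 5.1). For an ASCII login the
    password is not here; it is typed later and sent in a CONTINUE."""
    return (struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def authen_continue_body(user_msg: bytes, data: bytes = b"", flags: int = 0) -> bytes:
    """Authentication CONTINUE (RFC 8907 section 5.3): user_msg carries the
    typed password for an ASCII login."""
    return struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data


def wire_packet(seq_no: int, flags: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """Header plus body exactly as it would appear on the wire."""
    hdr = build_header(seq_no, flags, session_id, len(body))
    return hdr + obfuscate_body(hdr, body, key)


def sniffer_view(packet: bytes, key: Optional[bytes] = None) -> bytes:
    """What a passive observer recovers: raw wire bytes without the key,
    the real body if the sniffer has been given the key."""
    hdr, body = packet[:HEADER_LEN], packet[HEADER_LEN:]
    return body if key is None else obfuscate_body(hdr, body, key)


if __name__ == "__main__":
    KEY, SID = b"correct-and-difficult", 0x1A2B3C4D          # constructed
    start = authen_start_body(b"admin", b"tty0", b"10.0.0.5")  # constructed
    password_pkt = authen_continue_body(b"Sup3rSecret!")      # constructed
    print("keyed, no key at sniffer   :", sniffer_view(wire_packet(3, 0, SID, password_pkt, KEY)))
    print("keyed, sniffer has key     :", sniffer_view(wire_packet(3, 0, SID, password_pkt, KEY), KEY))
    print("unencrypted flag set       :",
          sniffer_view(wire_packet(3, TAC_PLUS_UNENCRYPTED_FLAG, SID, password_pkt, KEY)))
```

Two checks follow from this when a trace shows readable credentials. First, look at the fourth octet of the header (the flags byte) in the captured packets: if bit 0x01 is set, that side is sending clear text and the key on the other end is irrelevant. Second, the RFC calls this mechanism obfuscation rather than encryption: the pad is MD5 over a key plus fields that are visible in the header, there is no integrity protection, and a sniffer given the key (Wireshark's TACACS+ dissector accepts one) decodes the body, so a "plain text" view in a key-aware tool is not evidence that the wire was unprotected.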
