Cisco Support Community

Radius & PAP (Aironet -> AD)

I'm testing out setting up Radius from our Aironets that uses Active Directory for authentication, however it seems the only supported authentication (unless you get Cisco Secure Access Control Server) is PAP. We set this up so basically the PAP is, I guess, "wrapped" inside PEAP-MSCHAPv2.

This makes me sort of wary as PAP is plain text, but I'm not sure as to the risk in this case. In a situation like dial-in VPN obviously sending the plaintext password is easily discoverable, but is the connection already secured by the time the password is transmitted over a wireless link? I.e., you wouldn't be sending the plaintext password over the wireless link?

1 REPLY

Wireless clients use the EAP protocol when they authenticate.

PEAP is one flavor of the different EAP methods around. Inside the EAP there is authentication done inside a secure tunnel, and this is usually MSCHAPv2. So PEAP-MSCHAPv2 is an EAP method that uses PEAP and uses MSCHAPv2 inside the tunnel to do the authentication.

MSCHAPv2 is used, not PAP. But on your radius you can't enable only MSCHAPv2, because this means MSCHAPv2 without PEAP (EAP-MSCHAPv2), which also exists and is different from EAP.

What you need to do on the radius server is to enable PEAP. Inside PEAP options you need to choose MSCHAPv2.

HTH

Amjad

You want to say "Thank you"? Don't. Just rate the useful answers, that is more useful than "Thank you".

Rating useful replies is more useful than saying "Thank you"
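One way to confirm on the access point to RADIUS leg whether a request carries PAP or EAP, as an added example that is not part of the original thread: it classifies a RADIUS Access-Request by its attributes (User-Password = 2, EAP-Message = 79) and the outer EAP type. The packets, user name and helper names are constructed for illustration; the inner MSCHAPv2 exchange of PEAP runs inside the TLS tunnel and is not visible at this level.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579) and outer EAP method types
USER_PASSWORD, EAP_MESSAGE = 2, 79
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "EAP-MSCHAPv2 (no tunnel)"}

def radius_attrs(packet):
    """Yield (type, value) for every attribute of a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def classify(packet):
    """Say how an Access-Request carries the credentials."""
    attrs = list(radius_attrs(packet))
    if any(t == USER_PASSWORD for t, _ in attrs):
        return "PAP"
    # EAP-Message attributes are fragments of one EAP packet, in order
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 5:  # EAP header is code, id, length(2), then type
        return "no PAP or EAP method found"
    return EAP_TYPES.get(eap[4], f"EAP type {eap[4]}")

# --- constructed sample packets (not captured traffic) ---
def build(attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def eap_response(method, data=b""):
    return struct.pack("!BBHB", 2, 1, 5 + len(data), method) + data

PAP_REQ = build([(1, b"alice"), (USER_PASSWORD, bytes(16))])
PEAP_REQ = build([(1, b"alice"), (EAP_MESSAGE, eap_response(25, b"\x00"))])
MSCHAP_REQ = build([(1, b"alice"), (EAP_MESSAGE, eap_response(26, b"\x02"))])

if __name__ == "__main__":
    for name, pkt in [("pap", PAP_REQ), ("peap", PEAP_REQ), ("mschap", MSCHAP_REQ)]:
        print(name, "->", classify(pkt))
```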