you configure a TACACS+ group with MSCHAP V2, the AAA default login authentication uses the next
configured method, or the local method, if no other server group is configured.
The Cisco NX-OS software may display the following message:
“Warning: MSCHAP V2 is supported only with Radius.”
This warning message is informational only and does not affect MSCHAP V2 operation with RADIUS.
Note
By default, the Cisco NX-OS device uses Password Authentication Protocol (PAP) authentication between
the Cisco NX-OS device and the remote server. If you enable MSCHAP or MSCHAP V2, you need to configure
your RADIUS server to recognize the MSCHAP and MSCHAP V2 vendor-specific attributes (VSAs).
This table shows the RADIUS VSAs required for MSCHAP.
Table 6: MSCHAP and MSCHAP V2 RADIUS VSAs

Vendor-ID  Vendor-Type  VSA               Description
Number     Number
---------  -----------  ----------------  ------------------------------------------------
311        11           MSCHAP-Challenge  Contains the challenge sent by an AAA server to
                                          an MSCHAP or MSCHAP V2 user. It can be used in
                                          both Access-Request and Access-Challenge packets.
211        11           MSCHAP-Response   Contains the response value provided by an
                                          MSCHAP or MSCHAP V2 user in response to the
                                          challenge. It is only used in Access-Request
                                          packets.
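One way to check which method a login actually uses, given the PAP default described above (an added example, not part of the Cisco guide): this Python code parses a RADIUS Access-Request and reports whether it carries the MSCHAP-Challenge VSA from Table 6 or a PAP User-Password attribute. The attribute layout and type numbers 2 and 26 follow RFC 2865; the function names and the sample packets are constructed for illustration.

```python
import struct

USER_PASSWORD = 2             # RFC 2865 attribute carrying the PAP password
VENDOR_SPECIFIC = 26          # RFC 2865 attribute that wraps VSAs
MSCHAP_CHALLENGE = (311, 11)  # (Vendor-ID, Vendor-Type) from Table 6

def tlv(kind: int, value: bytes) -> bytes:
    """Encode one type/length/value item; length covers the 2-byte header."""
    return bytes([kind, len(value) + 2]) + value

def walk(buf: bytes):
    """Yield (type, value) pairs from a TLV run, rejecting bad lengths."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def login_method(packet: bytes) -> str:
    """Classify an Access-Request as 'mschap', 'pap' or 'unknown'."""
    if len(packet) < 20 or packet[0] != 1:
        raise ValueError("not a RADIUS Access-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    method = "unknown"
    for kind, value in walk(packet[20:length]):
        if kind == USER_PASSWORD:
            method = "pap"
        elif kind == VENDOR_SPECIFIC and len(value) >= 4:
            vendor_id = struct.unpack("!I", value[:4])[0]
            for vendor_type, _ in walk(value[4:]):
                if (vendor_id, vendor_type) == MSCHAP_CHALLENGE:
                    return "mschap"
    return method

def access_request(attributes: bytes) -> bytes:
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    return struct.pack("!BBH", 1, 7, 20 + len(attributes)) + bytes(16) + attributes

# Constructed sample packets, not captures from a real device.
USER = tlv(1, b"admin")
PAP_REQ = access_request(USER + tlv(USER_PASSWORD, bytes(16)))
MSCHAP_REQ = access_request(
    USER + tlv(VENDOR_SPECIFIC, struct.pack("!I", 311) + tlv(11, bytes(8))))

if __name__ == "__main__":
    print(login_method(PAP_REQ), login_method(MSCHAP_REQ))
```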
Before you begin
Disable AAA ASCII authentication for logins.
SUMMARY STEPS
1. configure terminal
2. no aaa authentication login ascii-authentication
3. aaa authentication login {mschap | mschapv2} enable
4. exit
5. (Optional) show aaa authentication login {mschap | mschapv2}
6. (Optional) copy running-config startup-config
DETAILED STEPS

         Command or Action              Purpose
Step 1   configure terminal             Enters configuration mode.
         Example:
         switch# configure terminal
         switch(config)#
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring AAA
Enabling MSCHAP or MSCHAP V2 Authentication