show radius attribute mgmt password
Enterasys C3 Configuration Guide 32-17
Request Transmission
If the mschapv2 option has been configured, the RADIUS client software will take the cleartext
user password indicated by the management session and use it to fill the MS-CHAP2-Response
RADIUS attribute, following the guidelines set forth in both RFC2548 and RFC2759.
In short, the attribute is filled with both a randomly generated challenge and the appropriate
MS-CHAPv2 response calculated using the challenge and the passed cleartext password. No
User-Password RADIUS attribute will be passed in this case.
Response Validation
When the MS-CHAP2-Success attribute is received in an Access Accept RADIUS response frame, it
will be validated according to RFC2548 and RFC2759. This attribute contains the 42-byte
authenticator response. Upon receipt, the RADIUS client software will calculate its own
authenticator response using the information that was passed in the MS-CHAP2-Response
attribute and the user's passed cleartext password.
If the value calculated does not match the value in the attribute, it will be assumed that the
message is not from the RADIUS server and the response message will be dropped. A log
message will be output that indicates this condition has occurred.
Password Changing
If an Access Reject packet is received from the RADIUS server and it includes an MS-CHAP-Error
attribute that indicates that the user's password has expired, the switch will prompt the user for a
new password. If the user appropriately enters a new password, then that password will be sent to
the RADIUS server via the MS-CHAPv2 password change RADIUS attributes.
If the server responds with an Access Accept, then the user will be allowed access and the
password has been successfully changed. If an Access Reject is sent from the server, then the
password has not been changed and the user will be denied access.
Example
This example changes the RADIUS management authentication mode to MS-CHAPv2, then
displays the RADIUS configuration.
C3(su)->set radius attribute mgmt password mschapv2
C3(su)->show radius
RADIUS status: Disabled
RADIUS retries: 2
RADIUS timeout: 5 seconds
RADIUS attribute mgmt password: mschapv2
RADIUS Server  IP Address     Auth-Port  Realm-Type         IPsec
-------------- ----------     ---------  -----------------  --------
1              10.1.0.27      1812       any                disabled
2              192.168.10.10  1812       any                enabled
show radius attribute mgmt password
Use this command to display the currently configured RADIUS management authentication
mode. The current state can also be displayed with the show radius command.
Syntax
show radius attribute mgmt password