RADIUS Management Authentication
MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol (CHAP).
MS-CHAPv2 is defined in RFC 2759.
When you enable MS-CHAPv2 management authentication with the set radius attribute mgmt
password mschapv2 command, the following features are supported:
• MS-CHAPv2 style encryption of user passwords between the switch and RADIUS server.
• Support for the following MS-CHAPv2 RADIUS attributes:
– MS-CHAP2-Response
– MS-CHAP2-Success
• Support for MS-CHAPv2 password changing, which requires support of these attributes:
– MS-CHAP2-CPW
– MS-CHAP-Error
– MS-CHAP-NT-Enc-PW
Request Transmission
If the mschapv2 option has been configured, the RADIUS client software takes the clear text
user password supplied by the management session and uses it to fill the
MS-CHAP2-Response RADIUS attribute, following the guidelines set forth in both RFC 2548 and
RFC 2759.
In short, the attribute is filled with both a randomly generated challenge and the appropriate
MS-CHAPv2 response, calculated using the challenge and the passed clear text password. No
User-Password RADIUS attribute will be passed in this case.
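As an added example (not from the original manual or the switch software), the following Python code checks a captured Access-Request for the behavior described above: an MS-CHAP2-Response attribute is present and no User-Password attribute is sent. The attribute layouts follow RFC 2865 and RFC 2548; the function names and the sample packets are constructed for illustration.

```python
import struct

VENDOR_MICROSOFT = 311                  # Microsoft vendor ID (RFC 2548)
MS_CHAP2_RESPONSE = 25                  # vendor type of MS-CHAP2-Response (RFC 2548)
USER_PASSWORD, VENDOR_SPECIFIC = 2, 26  # RADIUS attribute types (RFC 2865)

def parse_attributes(packet):
    """Yield (type, value) for each attribute of a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        alen = packet[pos + 1]
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def audit_access_request(packet):
    """Report whether the request carries MS-CHAP2-Response and/or User-Password."""
    result = {"user_password": False, "mschap2_response": False, "peer_challenge": None}
    for atype, value in parse_attributes(packet):
        if atype == USER_PASSWORD:
            result["user_password"] = True
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == VENDOR_MICROSOFT and vtype == MS_CHAP2_RESPONSE:
                # Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)
                if vlen != 52 or len(value) != 56:
                    raise ValueError("MS-CHAP2-Response has wrong length")
                result["mschap2_response"] = True
                result["peer_challenge"] = value[8:24]
    return result

def build_sample(attrs):
    """Build a constructed Access-Request (code 1, id 7) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed samples: zero-filled authenticator and response, not real captures.
PEER = bytes(range(16))
VSA = struct.pack("!IBB", 311, 25, 52) + bytes([7, 0]) + PEER + bytes(8) + bytes(24)
MSCHAP_REQ = build_sample([(1, b"admin"), (VENDOR_SPECIFIC, VSA)])
PAP_REQ = build_sample([(1, b"admin"), (USER_PASSWORD, bytes(16))])
```

With the mschapv2 option configured, a request from the switch should audit like `MSCHAP_REQ`; a result like the one for `PAP_REQ` means the User-Password attribute is still being sent.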
Procedure 26-2 Configuring IPsec
1. Display the current IPsec settings.
   Command: show ipsec
2. Optionally, change the authentication protocol.
   Note: This command is not available if the security mode setting is C2.
   Command: set ipsec authentication {md5 | sha1}
3. Optionally, change the encryption type.
   Command: set ipsec encryption {3des | aes128 | aes192 | aes256}
4. Optionally, change the IKE Diffie-Hellman key exchange group.
   Command: set ipsec ike dh-group {group-1 | group-2 | group-5 | group-14}
5. Optionally, change the IKE timeout intervals.
   Command: set ipsec ike lifetime {[bandwidth bytes] | [main minutes] | [quick minutes]}
6. Enable IPsec on one or all RADIUS servers.
   Command: set radius ipsec enable [index]
7. Optionally, use one of these commands to disable IPsec on one or all RADIUS servers.
   Commands: set radius ipsec disable [index]
             clear radius ipsec [index]