MSCHAP Version 2

Available Languages

Download Options

PDF (217.5 KB)
View with Adobe Reader on a variety of devices

Updated:March 29, 2005

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

MSCHAP Version 2

Table Of Contents

MSCHAP Version 2

Feature Overview

Benefits

Restrictions

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuring MSCHAP V2 Authentication

Verifying MSCHAP V2 Configuration

Configuration Examples

Local Authentication Example

RADIUS Authentication Example

Command Reference

ppp authentication ms-chap-v2

MSCHAP Version 2

Feature History

Release

Modification

12.2(2)XB5

This feature was introduced.

12.2(13)T

This feature was integrated into Cisco IOS Release 12.2(13)T.

12.2(27)SBA

This feature was integrated into Cisco IOS Release 12.2(27)SBA.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

This document describes the MSCHAP Version 2 feature in Cisco IOS Release 12.2(13)T and includes the following sections:

•Feature Overview

•Supported Platforms

•Supported Standards, MIBs, and RFCs

•Prerequisites

•Configuration Tasks

•Configuration Examples

•Command Reference

Feature Overview

The MSCHAP Version 2 feature in Cisco IOS Release 12.2(13)T introduces the ability of Cisco routers to utilize Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server (NAS). MSCHAP V2 authentication is an updated version of MSCHAP that is similar to but incompatible with MSCHAP Version 1 (V1). MSCHAP V2 introduces mutual authentication between peers and a change password feature.

Benefits

MSCHAP V2 authentication is the default authentication method used by the Microsoft Windows 2000 operating system. Support of this authentication method on Cisco routers will enable users of the Microsoft Windows 2000 operating system to establish remote PPP sessions without needing to first configure an authentication method on the client.

MSCHAP V2 authentication introduces an additional feature not available with MSCHAP V1 or standard CHAP authentication, the change password feature. This feature allows the client to change the account password if the RADIUS server reports that the password has expired.

Restrictions

The client operating system must support all MSCHAP V2 capabilities.

MSCHAP V2 authentication is not compatible with MSCHAP V1 authentication.

The change password feature is supported only for RADIUS authentication. This feature is not available for local authentication.

In order for the MSCHAP Version 2 feature to correctly interpret the authentication failure attribute sent by the RADIUS server, the ppp max-bad-auth command must be configured and the number of authentication retries must be set at two or more.

In order for the MSCHAP Version 2 feature to support the ability to change a password, the authentication failure attribute sent by the RADIUS server must be correctly interpreted as described in this section. In addition, the radius server vsa send authentication command must be configured, allowing the RADIUS client to send a vendor-specific attribute to the RADIUS server. The change password feature is supported only for RADIUS authentication.

The Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows NT operating systems have a known caveat that prevents the change password function from working. This caveat can be fixed by downloading a patch from Microsoft at the following URL:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q326770

Related Documents

•The part "PPP Configuration" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2.

•Cisco IOS Dial Technologies Command Reference, Release 12.2

•The section "Configuring PPP Authentication Using AAA" in the chapter "Configuring Authentication" in the Cisco IOS Security Configuration Guide, Release 12.2

•The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2

•Cisco IOS Security Command Reference, Release 12.2

•RFC 1661, The Point-to-Point Protocol (PPP)

•RFC 2548, Microsoft Vendor-specific RADIUS Attributes

Supported Platforms

•Cisco 800 series

•Cisco 1710

•Cisco 2600 series

•Cisco 3600 series

•Cisco 7200 series

•Cisco 7500 series

•Cisco AS5300

•Cisco AS5400

•Cisco AS5800

•Cisco AS5850

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

•RFC 2759, Microsoft PPP CHAP Extensions, Version 2

Prerequisites

Before enabling MSCHAP V2 authentication on the NAS, you must perform the following tasks:

•Configure an interface type and enter interface configuration mode by using the interface command.

•Configure the interface for PPP encapsulation by using the encapsulation command.

For more information on completing these tasks, refer to the section "PPP Configuration" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2.

The RADIUS server must be configured for authentication. Refer to vendor-specific documentation for information on configuring RADIUS authentication on the RADIUS server.

Configuration Tasks

See the following sections for configuration tasks for the MSCHAP Version 2 feature. Each task in the list is identified as either required or optional.

•Configuring MSCHAP V2 Authentication (required)

•Verifying MSCHAP V2 Configuration (optional)

Configuring MSCHAP V2 Authentication

MSCHAP V2 authentication requires prior configuration of an interface type and PPP encapsulation. For more information on configuring PPP, refer to the part "PPP Configuration" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2.

To configure the NAS to accept MSCHAP V2 authentication for local or RADIUS authentication, and to allow proper interpretation of authentication failure attributes and vendor-specific RADIUS attributes for RADIUS authentication, use the following commands beginning in global configuration mode:

Command

Purpose

Step 1

Router# radius-server vsa send authentication

Configures the NAS to recognize and use vendor-specific attributes.

Step 2

Router# interface type number

Configures an interface type and enters interface configuration mode.

Step 3

Router(config-if)# ppp max-bad-auth number

Configures a point-to-point interface not to reset itself immediately after an authentication failure but instead to allow a specified number of authentication retries.

The number argument must be set to a value of at least 2 for authentication failure attributes to be interpreted by the NAS.

Step 4

Router(config-if)# ppp authentication ms-chap-v2

Enables MSCHAP V2 authentication on a NAS.

Verifying MSCHAP V2 Configuration

To verify that the MSCHAP Version 2 feature is configured properly, perform the following steps:

Step 1 Enter the show running-config command with the interface type number keyword and argument combination to verify the configuration of MSCHAP V2 as the authentication method for that interface:
Router# show running-config interface async 65
interface Asynch65
ip address 10.0.0.2 255.0.0.0
encapsulation ppp
async mode dedicated
no peer default ip address
ppp max-bad-auth 3
ppp authentication ms-chap-v2
Step 2 Enter the debug ppp command with the negotiation keyword to verify successful MSCHAP V2 negotiation:
Router# debug ppp negotiation
*Jan 15 13:24:43.999:Se0/0 PPP:Using configured call direction
*Jan 15 13:24:43.999:Se0/0 PPP:Treating connection as a callin
*Jan 15 13:24:43.999:Se0/0 PPP:Phase is ESTABLISHING, Passive Open
*Jan 15 13:24:43.999:Se0/0 LCP:State is Listen
*Jan 15 13:24:44.023:Se0/0 LCP:I CONFREQ [Listen] id 1 len 14
*Jan 15 13:24:44.023:Se0/0 LCP:   MRU 1492 (0x010405D4)
*Jan 15 13:24:44.023:Se0/0 LCP:   MagicNumber 0x308783B9 (0x0506308783B9)
*Jan 15 13:24:44.023:Se0/0 LCP:O CONFREQ [Listen] id 1 len 19
*Jan 15 13:24:44.023:Se0/0 LCP:   MRU 1492 (0x010405D4)
*Jan 15 13:24:44.023:Se0/0 LCP:   AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 15 13:24:44.023:Se0/0 LCP:   MagicNumber 0x308A180D (0x0506308A180D)
*Jan 15 13:24:44.027:Se0/0 LCP:O CONFACK [Listen] id 1 len 14
*Jan 15 13:24:44.027:Se0/0 LCP:   MRU 1492 (0x010405D4)
*Jan 15 13:24:44.027:Se0/0 LCP:   MagicNumber 0x308783B9 (0x0506308783B9)
*Jan 15 13:24:44.027:Se0/0 LCP:I CONFACK [ACKsent] id 1 len 19
*Jan 15 13:24:44.027:Se0/0 LCP:   MRU 1492 (0x010405D4)
*Jan 15 13:24:44.027:Se0/0 LCP:   AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 15 13:24:44.027:Se0/0 LCP:   MagicNumber 0x308A180D (0x0506308A180D)
*Jan 15 13:24:44.027:Se0/0 LCP:State is Open
*Jan 15 13:24:44.027:Se0/0 PPP:Phase is AUTHENTICATING, by this end
*Jan 15 13:24:44.027:Se0/0 MS-CHAP-V2:O CHALLENGE id 1 len 24 from "lac"
*Jan 15 13:24:44.031:Se0/0 MS-CHAP-V2:I RESPONSE id 1 len 58 from "haag"
*Jan 15 13:24:44.031:Se0/0 PPP:Phase is FORWARDING, Attempting Forward
*Jan 15 13:24:44.031:Se0/0 PPP:Phase is AUTHENTICATING, Unauthenticated User
*Jan 15 13:24:44.039:Se0/0 PPP:Phase is FORWARDING, Attempting Forward
*Jan 15 13:24:44.043:Se0/0 PPP:Phase is AUTHENTICATING, Authenticated User
*Jan 15 13:24:44.043:Se0/0 MS-CHAP-V2:O SUCCESS id 1 len 46 msg is 
"S=4EE927A06B0D624448F27B4BDDA51B5620396EC3"
*Jan 15 13:24:44.043:Se0/0 PPP:Phase is UP
Step 3 Enter the debug ppp command with the authentication keyword to verify successful MSCHAP V2 authentication:
Router# debug ppp authentication
*Jan 15 13:26:28.659:Se0/0 PPP:Authorization required
*Jan 15 13:26:28.659:Se0/0 PPP:Using configured call direction
*Jan 15 13:26:28.659:Se0/0 PPP:Treating connection as a callin
*Jan 15 13:26:28.687:Se0/0 MS-CHAP-V2:O CHALLENGE id 1 len 24 from "lac"
*Jan 15 13:26:28.691:Se0/0 MS-CHAP-V2:I RESPONSE id 1 len 58 from "haag"
*Jan 15 13:26:28.691:Se0/0 PPP:Sent MSCHAP-V2 LOGIN Request to AAA
*Jan 15 13:26:28.695:Se0/0 PPP:Received LOGIN Response from AAA = PASS
*Jan 15 13:26:28.703:Se0/0 MS-CHAP-V2:O SUCCESS id 1 len 46 msg is "S=87F5A4BE
Configuration Examples

This section provides the following configuration examples:

•Local Authentication Example

•RADIUS Authentication Example

Local Authentication Example

The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication locally:
interface Async65
  ip address 10.0.0.2 255.0.0.0
  encapsulation ppp
  async mode dedicated
  no peer default ip address
  ppp max-bad-auth 3
  ppp authentication ms-chap-v2
  username client password secret
RADIUS Authentication Example

The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication via RADIUS:
interface Async65
  ip address 10.0.0.2 255.0.0.0
  encapsulation ppp
  async mode dedicated
  no peer default ip address
  ppp max-bad-auth 3
  ppp authentication ms-chap-v2
  exit
aaa authentication ppp default group radius
 radius-server host 10.0.0.2 255.0.0.0
 radius-server key secret
 radius-server vsa send authentication
Command Reference

This section documents the following new command. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

•ppp authentication ms-chap-v2

ppp authentication ms-chap-v2

To enable Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication on a network access server (NAS), use the ppp authentication ms-chap-v2 command in interface configuration mode. To disable MSCHAP V2 authentication, use the no form of this command.

ppp authentication ms-chap-v2

no ppp authentication ms-chap-v2

Syntax Description

This command has no arguments or keywords.

Defaults

MSCHAP V2 authentication is disabled.

Command Modes

Interface configuration

Command History

Release

Modification

12.2(2)XB5

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(27)SBA

This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

To enable MSCHAP V2 authentication, first configure PPP on the NAS. For the NAS to properly interpret authentication failure attributes and vendor-specific attributes, the ppp max-bad-auth command must be configured to allow at least two authentication retries and the radius-server vsa send command and authentication keyword must be enabled. The NAS must be able to interpret authentication failure attributes and vendor-specific attributes to support the ability to change an expired password.

Examples

The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication locally:
interface Async65
 ip address 10.0.0.2 255.0.0.0
 encapsulation ppp
 async mode dedicated
 no peer default ip address
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
 username client password secret
The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication via RADIUS:
interface Async65
 ip address 10.0.0.2 255.0.0.0
 encapsulation ppp
 async mode dedicated
 no peer default ip address
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
 exit
aaa authentication ppp default group radius
 radius-server host 10.0.0.2 255.0.0.0
 radius-server key secret
 radius-server vsa send authentication
Related Commands

Command

Description

debug aaa authentication

Displays information on AAA/TACACS+ authorization.

debug ppp

Displays information on traffic and exchanges in a network that is implementing PPP.

debug radius

Displays information associated with RADIUS.

ppp max-bad-auth

Configures a point-to-point interface not to reset itself immediately after an authentication failure but instead to allow a specified number of authentication retries.

radius-server vsa send

Configures the network access server to recognize and use VSAs.

Copyright © 2002-2005 Cisco Systems, Inc. All rights reserved.

Release	Modification
12.2(2)XB5	This feature was introduced.
12.2(13)T	This feature was integrated into Cisco IOS Release 12.2(13)T.
12.2(27)SBA	This feature was integrated into Cisco IOS Release 12.2(27)SBA.

	Command	Purpose
Step 1	Router# radius-server vsa send authentication	Configures the NAS to recognize and use vendor-specific attributes.
Step 2	Router# interface type number	Configures an interface type and enters interface configuration mode.
Step 3	Router(config-if)# ppp max-bad-auth number	Configures a point-to-point interface not to reset itself immediately after an authentication failure but instead to allow a specified number of authentication retries. The number argument must be set to a value of at least 2 for authentication failure attributes to be interpreted by the NAS.
Step 4	Router(config-if)# ppp authentication ms-chap-v2	Enables MSCHAP V2 authentication on a NAS.

Release	Modification
12.2(2)XB5	This command was introduced.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Command	Description
debug aaa authentication	Displays information on AAA/TACACS+ authorization.
debug ppp	Displays information on traffic and exchanges in a network that is implementing PPP.
debug radius	Displays information associated with RADIUS.
ppp max-bad-auth	Configures a point-to-point interface not to reset itself immediately after an authentication failure but instead to allow a specified number of authentication retries.
radius-server vsa send	Configures the network access server to recognize and use VSAs.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)