MSCHAP Version 2
Feature History
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
This document describes the MSCHAP Version 2 feature in Cisco IOS Release 12.2(13)T and includes the following sections:
•Feature Overview
•Supported Platforms
•Supported Standards, MIBs, and RFCs
•Prerequisites
•Configuration Tasks
•Configuration Examples
•Command Reference
Feature Overview
The MSCHAP Version 2 feature in Cisco IOS Release 12.2(13)T introduces the ability of Cisco routers to utilize Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server (NAS). MSCHAP V2 authentication is an updated version of MSCHAP that is similar to but incompatible with MSCHAP Version 1 (V1). MSCHAP V2 introduces mutual authentication between peers and a change password feature.
Benefits
MSCHAP V2 authentication is the default authentication method used by the Microsoft Windows 2000 operating system. Support of this authentication method on Cisco routers will enable users of the Microsoft Windows 2000 operating system to establish remote PPP sessions without needing to first configure an authentication method on the client.
MSCHAP V2 authentication introduces an additional feature not available with MSCHAP V1 or standard CHAP authentication, the change password feature. This feature allows the client to change the account password if the RADIUS server reports that the password has expired.
Restrictions
The client operating system must support all MSCHAP V2 capabilities.
MSCHAP V2 authentication is not compatible with MSCHAP V1 authentication.
The change password feature is supported only for RADIUS authentication. This feature is not available for local authentication.
In order for the MSCHAP Version 2 feature to correctly interpret the authentication failure attribute sent by the RADIUS server, the ppp max-bad-auth command must be configured and the number of authentication retries must be set at two or more.
In order for the MSCHAP Version 2 feature to support the ability to change a password, the authentication failure attribute sent by the RADIUS server must be correctly interpreted as described in the previous restriction. In addition, the radius-server vsa send authentication command must be configured, so that the RADIUS client can send vendor-specific attributes (RFC 2548) to the RADIUS server.
The Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows NT operating systems have a known issue that prevents the change password function from working. Microsoft provides a fix, which can be downloaded from the following URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q326770
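The restrictions above are easy to miss in a long running-config, so the following Python script audits an IOS configuration for them. It is an added example, not part of the original Cisco document: it assumes the usual IOS layout (interface commands indented one space under their interface line) and runs against a constructed sample configuration, where Async65 satisfies the restrictions, Async66 does not, and the global section lacks the radius-server vsa send authentication command.

```python
"""Audit a Cisco IOS configuration for the MSCHAP V2 restrictions listed above."""
import re

# Constructed sample config (not from the page): Async65 meets the restrictions,
# Async66 does not, and the global section omits the VSA setting RADIUS needs.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp default group radius
radius-server host 192.0.2.10
radius-server key secret
!
interface Async65
 ip address 10.0.0.2 255.0.0.0
 encapsulation ppp
 async mode dedicated
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
!
interface Async66
 ip address 10.0.1.2 255.0.0.0
 encapsulation ppp
 ppp authentication ms-chap-v2 ms-chap pap
"""

# Protocol keywords accepted by "ppp authentication"; other words on that line
# are list names or modifiers such as "callin" and are ignored by the audit.
PPP_AUTH_PROTOCOLS = {"chap", "ms-chap", "ms-chap-v2", "pap", "eap"}


def parse_ios_config(text):
    """Split an IOS config into global lines and per-interface lists of commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                 # indented: belongs to the open block
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, [])
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_mschapv2(text):
    """Return {interface_or_'global': [findings]} for every MS-CHAP V2 interface."""
    global_lines, interfaces = parse_ios_config(text)
    findings = {"global": []}
    uses_radius = any(re.match(r"aaa authentication ppp .*\bgroup radius\b", line)
                      for line in global_lines)
    if uses_radius:
        if "aaa new-model" not in global_lines:
            findings["global"].append("aaa commands present without 'aaa new-model'")
        if "radius-server vsa send authentication" not in global_lines:
            findings["global"].append(
                "'radius-server vsa send authentication' missing: change-password "
                "feature cannot work over RADIUS")
    for name, lines in interfaces.items():
        auth = next((l for l in lines if l.startswith("ppp authentication ")), None)
        if auth is None:
            continue
        methods = [w for w in auth.split()[2:] if w in PPP_AUTH_PROTOCOLS]
        if "ms-chap-v2" not in methods:
            continue
        notes = []
        if "encapsulation ppp" not in lines:
            notes.append("no 'encapsulation ppp'")
        retries = next((int(l.split()[2]) for l in lines
                        if l.startswith("ppp max-bad-auth ")), None)
        if retries is None or retries < 2:
            notes.append("ppp max-bad-auth missing or below 2: RADIUS "
                         "authentication-failure attribute will not be interpreted")
        # MS-CHAP V1 is incompatible with V2 and PAP sends the password in clear;
        # listing either lets a peer negotiate down from ms-chap-v2.
        for weak in ("pap", "ms-chap"):
            if weak in methods:
                notes.append("offers %s fallback alongside ms-chap-v2 (weaker method)" % weak)
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for scope, notes in audit_mschapv2(SAMPLE_CONFIG).items():
        print(scope, "OK" if not notes else "; ".join(notes))
```

Feed it the output of show running-config on the NAS; an empty list for an interface means every restriction in this section is satisfied for that interface, and the "global" entry carries the RADIUS-wide findings.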
Related Documents
•The part "PPP Configuration" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2.
•Cisco IOS Dial Technologies Command Reference, Release 12.2
•The section "Configuring PPP Authentication Using AAA" in the chapter "Configuring Authentication" in the Cisco IOS Security Configuration Guide, Release 12.2
•The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2
•Cisco IOS Security Command Reference, Release 12.2
•RFC 1661, The Point-to-Point Protocol (PPP)
•RFC 2548, Microsoft Vendor-specific RADIUS Attributes
Supported Platforms
•Cisco 800 series
•Cisco 1710
•Cisco 2600 series
•Cisco 3600 series
•Cisco 7200 series
•Cisco 7500 series
•Cisco AS5300
•Cisco AS5400
•Cisco AS5800
•Cisco AS5850
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
•RFC 2759, Microsoft PPP CHAP Extensions, Version 2
Prerequisites
Before enabling MSCHAP V2 authentication on the NAS, you must perform the following tasks:
•Configure an interface type and enter interface configuration mode by using the interface command.
•Configure the interface for PPP encapsulation by using the encapsulation command.
For more information on completing these tasks, refer to the section "PPP Configuration" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2.
The RADIUS server must be configured for authentication. Refer to vendor-specific documentation for information on configuring RADIUS authentication on the RADIUS server.
Configuration Tasks
See the following sections for configuration tasks for the MSCHAP Version 2 feature. Each task in the list is identified as either required or optional.
•Configuring MSCHAP V2 Authentication (required)
•Verifying MSCHAP V2 Configuration (optional)
Configuring MSCHAP V2 Authentication
MSCHAP V2 authentication requires prior configuration of an interface type and PPP encapsulation. For more information on configuring PPP, refer to the part "PPP Configuration" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2.
To configure the NAS to accept MSCHAP V2 authentication for local or RADIUS authentication, and to allow proper interpretation of authentication failure attributes and vendor-specific RADIUS attributes for RADIUS authentication, use the following commands beginning in global configuration mode:
Verifying MSCHAP V2 Configuration
To verify that the MSCHAP Version 2 feature is configured properly, perform the following steps:
Step 1 Enter the show running-config command with the interface type number keyword and argument combination to verify the configuration of MSCHAP V2 as the authentication method for that interface:
Router# show running-config interface async 65
interface Async65
 ip address 10.0.0.2 255.0.0.0
 encapsulation ppp
 async mode dedicated
 no peer default ip address
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
Step 2 Enter the debug ppp command with the negotiation keyword to verify successful MSCHAP V2 negotiation:
Router# debug ppp negotiation
*Jan 15 13:24:43.999:Se0/0 PPP:Using configured call direction
*Jan 15 13:24:43.999:Se0/0 PPP:Treating connection as a callin
*Jan 15 13:24:43.999:Se0/0 PPP:Phase is ESTABLISHING, Passive Open
*Jan 15 13:24:43.999:Se0/0 LCP:State is Listen
*Jan 15 13:24:44.023:Se0/0 LCP:I CONFREQ [Listen] id 1 len 14
*Jan 15 13:24:44.023:Se0/0 LCP: MRU 1492 (0x010405D4)
*Jan 15 13:24:44.023:Se0/0 LCP: MagicNumber 0x308783B9 (0x0506308783B9)
*Jan 15 13:24:44.023:Se0/0 LCP:O CONFREQ [Listen] id 1 len 19
*Jan 15 13:24:44.023:Se0/0 LCP: MRU 1492 (0x010405D4)
*Jan 15 13:24:44.023:Se0/0 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 15 13:24:44.023:Se0/0 LCP: MagicNumber 0x308A180D (0x0506308A180D)
*Jan 15 13:24:44.027:Se0/0 LCP:O CONFACK [Listen] id 1 len 14
*Jan 15 13:24:44.027:Se0/0 LCP: MRU 1492 (0x010405D4)
*Jan 15 13:24:44.027:Se0/0 LCP: MagicNumber 0x308783B9 (0x0506308783B9)
*Jan 15 13:24:44.027:Se0/0 LCP:I CONFACK [ACKsent] id 1 len 19
*Jan 15 13:24:44.027:Se0/0 LCP: MRU 1492 (0x010405D4)
*Jan 15 13:24:44.027:Se0/0 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 15 13:24:44.027:Se0/0 LCP: MagicNumber 0x308A180D (0x0506308A180D)
*Jan 15 13:24:44.027:Se0/0 LCP:State is Open
*Jan 15 13:24:44.027:Se0/0 PPP:Phase is AUTHENTICATING, by this end
*Jan 15 13:24:44.027:Se0/0 MS-CHAP-V2:O CHALLENGE id 1 len 24 from "lac"
*Jan 15 13:24:44.031:Se0/0 MS-CHAP-V2:I RESPONSE id 1 len 58 from "haag"
*Jan 15 13:24:44.031:Se0/0 PPP:Phase is FORWARDING, Attempting Forward
*Jan 15 13:24:44.031:Se0/0 PPP:Phase is AUTHENTICATING, Unauthenticated User
*Jan 15 13:24:44.039:Se0/0 PPP:Phase is FORWARDING, Attempting Forward
*Jan 15 13:24:44.043:Se0/0 PPP:Phase is AUTHENTICATING, Authenticated User
*Jan 15 13:24:44.043:Se0/0 MS-CHAP-V2:O SUCCESS id 1 len 46 msg is "S=4EE927A06B0D624448F27B4BDDA51B5620396EC3"
*Jan 15 13:24:44.043:Se0/0 PPP:Phase is UP
Step 3 Enter the debug ppp command with the authentication keyword to verify successful MSCHAP V2 authentication:
Router# debug ppp authentication
*Jan 15 13:26:28.659:Se0/0 PPP:Authorization required
*Jan 15 13:26:28.659:Se0/0 PPP:Using configured call direction
*Jan 15 13:26:28.659:Se0/0 PPP:Treating connection as a callin
*Jan 15 13:26:28.687:Se0/0 MS-CHAP-V2:O CHALLENGE id 1 len 24 from "lac"
*Jan 15 13:26:28.691:Se0/0 MS-CHAP-V2:I RESPONSE id 1 len 58 from "haag"
*Jan 15 13:26:28.691:Se0/0 PPP:Sent MSCHAP-V2 LOGIN Request to AAA
*Jan 15 13:26:28.695:Se0/0 PPP:Received LOGIN Response from AAA = PASS
*Jan 15 13:26:28.703:Se0/0 MS-CHAP-V2:O SUCCESS id 1 len 46 msg is "S=87F5A4BE
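Reading the debug output by eye works for one session, but the raw option bytes IOS prints in parentheses are what actually settle which method was negotiated. The Python script below is an added example, not part of the original Cisco document: it parses an abridged copy of the debug ppp negotiation output above, decodes the LCP Authentication-Protocol option (0x0305C22381 is option type 3, length 5, protocol 0xC223, algorithm 0x81; per RFC 2759 algorithm 0x81 is MS-CHAP V2 and 0x80 is the incompatible MS-CHAP V1), and reports what the NAS offered, what the peer acknowledged, and whether the session reached UP after a SUCCESS that carried the S= authenticator response the peer needs for mutual authentication. The field names in the returned dictionary are this example's own.

```python
"""Parse 'debug ppp negotiation' output and confirm MS-CHAP V2 was negotiated."""
import re

# Abridged copy of the debug ppp negotiation output shown above (Se0/0, peer "haag").
NEGOTIATION_LOG = """\
*Jan 15 13:24:44.023:Se0/0 LCP:O CONFREQ [Listen] id 1 len 19
*Jan 15 13:24:44.023:Se0/0 LCP: MRU 1492 (0x010405D4)
*Jan 15 13:24:44.023:Se0/0 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 15 13:24:44.023:Se0/0 LCP: MagicNumber 0x308A180D (0x0506308A180D)
*Jan 15 13:24:44.027:Se0/0 LCP:I CONFACK [ACKsent] id 1 len 19
*Jan 15 13:24:44.027:Se0/0 LCP: MRU 1492 (0x010405D4)
*Jan 15 13:24:44.027:Se0/0 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 15 13:24:44.027:Se0/0 LCP:State is Open
*Jan 15 13:24:44.027:Se0/0 PPP:Phase is AUTHENTICATING, by this end
*Jan 15 13:24:44.027:Se0/0 MS-CHAP-V2:O CHALLENGE id 1 len 24 from "lac"
*Jan 15 13:24:44.031:Se0/0 MS-CHAP-V2:I RESPONSE id 1 len 58 from "haag"
*Jan 15 13:24:44.043:Se0/0 PPP:Phase is AUTHENTICATING, Authenticated User
*Jan 15 13:24:44.043:Se0/0 MS-CHAP-V2:O SUCCESS id 1 len 46 msg is "S=4EE927A06B0D624448F27B4BDDA51B5620396EC3"
*Jan 15 13:24:44.043:Se0/0 PPP:Phase is UP
"""

# LCP Authentication-Protocol option (type 3): 2-byte PPP protocol number, then for
# CHAP (0xC223) a 1-byte algorithm: 0x05 MD5, 0x80 MS-CHAP V1, 0x81 MS-CHAP V2.
CHAP_ALGORITHMS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP-V1", 0x81: "MS-CHAP-V2"}


def decode_lcp_auth_option(hex_bytes):
    """Decode the option bytes IOS prints in parentheses, e.g. '0305C22381'."""
    opt = bytes.fromhex(hex_bytes)
    if len(opt) < 4 or opt[0] != 3 or opt[1] != len(opt):
        raise ValueError("not a well-formed LCP Authentication-Protocol option")
    proto = int.from_bytes(opt[2:4], "big")
    if proto == 0xC023:
        return "PAP"
    if proto == 0xC227:
        return "EAP"
    if proto == 0xC223:
        if len(opt) != 5:
            raise ValueError("CHAP option must carry a 1-byte algorithm")
        return CHAP_ALGORITHMS.get(opt[4], "CHAP-alg-0x%02X" % opt[4])
    return "proto-0x%04X" % proto


LCP_PACKET = re.compile(r"LCP:([IO]) (CONF\w+)")
AUTH_OPT = re.compile(r"LCP: AuthProto .*\(0x([0-9A-Fa-f]+)\)")
SUCCESS_MSG = re.compile(r'MS-CHAP-V2:O SUCCESS .*msg is "S=([0-9A-F]{40})"')
PHASE = re.compile(r"PPP:Phase is (\w+)(?:, (.*))?$")


def summarize_negotiation(log_text):
    """Return what the NAS offered, what the peer acknowledged, and the outcome."""
    result = {"offered": None, "acked": None, "negotiated": None,
              "authenticator_response": None, "phase": None, "authenticated": False}
    packet = None                                # (direction, kind) of the open LCP packet
    for line in log_text.splitlines():
        m = LCP_PACKET.search(line)
        if m:
            packet = m.groups()
            continue
        m = AUTH_OPT.search(line)
        if m and packet is not None:
            method = decode_lcp_auth_option(m.group(1))
            if packet == ("O", "CONFREQ"):
                result["offered"] = method       # what this NAS requires of the peer
            elif packet == ("I", "CONFACK"):
                result["acked"] = method         # what the peer agreed to
            continue
        m = SUCCESS_MSG.search(line)
        if m:
            result["authenticator_response"] = m.group(1)
        m = PHASE.search(line)
        if m:
            result["phase"] = m.group(1)
            if m.group(2) == "Authenticated User":
                result["authenticated"] = True
    if result["offered"] is not None and result["offered"] == result["acked"]:
        result["negotiated"] = result["acked"]
    # Count the session as authenticated only if AAA accepted the user, the SUCCESS
    # carried the 40-hex-digit S= value the peer verifies, and PPP came up.
    result["authenticated"] = (result["authenticated"]
                               and result["authenticator_response"] is not None
                               and result["phase"] == "UP")
    return result


if __name__ == "__main__":
    for key, value in summarize_negotiation(NEGOTIATION_LOG).items():
        print("%-23s %s" % (key, value))
```

A session whose acknowledged option decodes to MS-CHAP-V1 or PAP was not protected by this feature even if the interface is configured for ms-chap-v2, so the decoded value is the one to alert on. Note also that a negotiated MS-CHAP V2 only establishes which method ran: the NT-Response in the exchange is derived from the NT password hash with single DES, and recovering that hash from a captured exchange by exhaustive DES search was demonstrated publicly in 2012 (Marlinspike and Hulton), so the PPP link itself should not be treated as a confidentiality boundary.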
Configuration Examples
This section provides the following configuration examples:
•Local Authentication Example
•RADIUS Authentication Example
Local Authentication Example
The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication locally:
interface Async65
 ip address 10.0.0.2 255.0.0.0
 encapsulation ppp
 async mode dedicated
 no peer default ip address
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
 exit
username client password secret
RADIUS Authentication Example
The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication via RADIUS:
interface Async65
 ip address 10.0.0.2 255.0.0.0
 encapsulation ppp
 async mode dedicated
 no peer default ip address
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
 exit
aaa new-model
aaa authentication ppp default group radius
radius-server host 10.0.0.2
radius-server key secret
radius-server vsa send authentication
Command Reference
This section documents the following new command. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•ppp authentication ms-chap-v2
ppp authentication ms-chap-v2
To enable Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication on a network access server (NAS), use the ppp authentication ms-chap-v2 command in interface configuration mode. To disable MSCHAP V2 authentication, use the no form of this command.
ppp authentication ms-chap-v2
no ppp authentication ms-chap-v2
Syntax Description
This command has no arguments or keywords.
Defaults
MSCHAP V2 authentication is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
To enable MSCHAP V2 authentication, first configure PPP on the NAS. For the NAS to properly interpret authentication failure attributes and vendor-specific attributes, the ppp max-bad-auth command must be configured to allow at least two authentication retries and the radius-server vsa send command and authentication keyword must be enabled. The NAS must be able to interpret authentication failure attributes and vendor-specific attributes to support the ability to change an expired password.
Examples
The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication locally:
interface Async65
 ip address 10.0.0.2 255.0.0.0
 encapsulation ppp
 async mode dedicated
 no peer default ip address
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
 exit
username client password secret
The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication via RADIUS:
interface Async65
 ip address 10.0.0.2 255.0.0.0
 encapsulation ppp
 async mode dedicated
 no peer default ip address
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
 exit
aaa new-model
aaa authentication ppp default group radius
radius-server host 10.0.0.2
radius-server key secret
radius-server vsa send authentication
Related Commands
Copyright © 2002-2005 Cisco Systems, Inc. All rights reserved.