Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the
Microsoft version of CHAP. The Cisco NX-OS software also supports MSCHAP
Version 2 (MSCHAP V2). You can use MSCHAP for user logins to a Cisco NX-OS
device through a remote authentication server (RADIUS or TACACS+). MSCHAP V2
supports user logins to a Cisco NX-OS device only through remote RADIUS
authentication servers. If you configure a TACACS+ group with MSCHAP V2,
the AAA default login authentication falls through to the next configured
method, or to the local method if no other server group is configured.
Note: The Cisco NX-OS software may display the following message:
"Warning: MSCHAP V2 is supported only with Radius."
This warning message is informational only and does not affect
MSCHAP V2 operation with RADIUS.
By default, the Cisco NX-OS device uses Password Authentication
Protocol (PAP) authentication between the Cisco NX-OS device and the remote
server. If you enable MSCHAP or MSCHAP V2, you need to configure your RADIUS
server to recognize the MSCHAP and MSCHAP V2 vendor-specific attributes (VSAs).
This table shows the RADIUS VSAs required for MSCHAP.
Table 4. MSCHAP and MSCHAP V2 RADIUS VSAs

| Vendor-ID Number | Vendor-Type Number | VSA | Description |
|---|---|---|---|
| 311 | 11 | MSCHAP-Challenge | Contains the challenge sent by an AAA server to an MSCHAP or MSCHAP V2 user. It can be used in both Access-Request and Access-Challenge packets. |
| 211 | 11 | MSCHAP-Response | Contains the response value provided by an MSCHAP or MSCHAP V2 user in response to the challenge. It is only used in Access-Request packets. |
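As an added illustration that is not part of the Cisco documentation, the following Python code decodes the RADIUS Vendor-Specific attribute (Type 26) that carries these VSAs and names the sub-attributes using the Vendor-ID/Vendor-Type pairs from Table 4. The wire layout is the one defined in RFC 2865 section 5.26; the sample challenge bytes and the helper names are constructed for this example.

```python
import struct

# (Vendor-ID, Vendor-Type) -> VSA name, as listed in Table 4 on this page.
MSCHAP_VSAS = {
    (311, 11): "MSCHAP-Challenge",
    (211, 11): "MSCHAP-Response",
}

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific


def parse_vsa(attr: bytes):
    """Decode one RADIUS Vendor-Specific attribute.

    Layout: Type(1) Length(1) Vendor-Id(4), followed by one or more
    Vendor-Type(1) Vendor-Length(1) Value(n) sub-attributes.
    Returns a list of (vendor_id, vendor_type, value) tuples and raises
    ValueError on malformed input rather than guessing at field boundaries.
    """
    if len(attr) < 7:
        raise ValueError("attribute too short to hold a VSA header")
    a_type, a_len = attr[0], attr[1]
    if a_type != RADIUS_VENDOR_SPECIFIC:
        raise ValueError(f"not a Vendor-Specific attribute (type {a_type})")
    if a_len != len(attr):
        raise ValueError("Length field does not match the data present")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < a_len:
        if a_len - pos < 2:
            raise ValueError("truncated sub-attribute header")
        v_type, v_len = attr[pos], attr[pos + 1]
        # Vendor-Length counts its own two header bytes; < 2 would never advance.
        if v_len < 2 or pos + v_len > a_len:
            raise ValueError("sub-attribute Vendor-Length out of bounds")
        subs.append((vendor_id, v_type, attr[pos + 2:pos + v_len]))
        pos += v_len
    return subs


def is_well_formed_vsa(attr: bytes) -> bool:
    """True if parse_vsa accepts the attribute, False on any structural error."""
    try:
        parse_vsa(attr)
        return True
    except ValueError:
        return False


def name_vsa(vendor_id: int, vendor_type: int) -> str:
    return MSCHAP_VSAS.get((vendor_id, vendor_type), "unknown")


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a single-sub-attribute VSA; used here only to build sample input."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([RADIUS_VENDOR_SPECIFIC, 2 + len(body)]) + body


# Constructed sample: a 16-byte challenge as an AAA server might place it in an Access-Challenge.
SAMPLE_CHALLENGE = build_vsa(311, 11, bytes(range(16)))
```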