MSCHAP Version 2
Last Updated: August 21, 2012
The MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to use Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication for PPP connections between a computer running a Microsoft Windows operating system and a network access server (NAS).

Cisco IOS Release 12.4(6)T adds a related feature, AAA Support for MSCHAPv2 Password Aging. Before that release, when Password Authentication Protocol (PAP)-based clients sent username and password values to the authentication, authorization, and accounting (AAA) subsystem, AAA generated an authentication request to the RADIUS server. If the password had expired, the RADIUS server replied with an authentication failure, but the reason for the failure was not passed back to the AAA subsystem: users were denied access and were not told why. The Password Aging feature notifies crypto-based clients (IPsec remote-access clients whose users are authenticated through a crypto map client authentication list, as in the example in this module) that the password has expired and provides a generic way for the user to change it. The Password Aging feature supports only crypto-based clients.

Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for MSCHAP Version 2
AAA must be enabled with the aaa new-model command before any aaa authentication command is accepted. In addition, the radius-server vsa send authentication command must be configured so that the RADIUS client (the NAS) sends vendor-specific attributes to the RADIUS server; the MSCHAP V2 challenge, response and error information travel in those attributes. The Change Password feature is supported only for RADIUS authentication.
Related Microsoft Knowledge Base article: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q326770
For more information on completing these tasks, see the section "PPP Configuration" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.4T.
The RADIUS server must be configured for authentication. Refer to vendor-specific documentation for information on configuring RADIUS authentication on the RADIUS server.

Restrictions for MSCHAP Version 2
Information About MSCHAP Version 2
MSCHAP V2 authentication is the default authentication method used by the Microsoft Windows 2000 operating system. Cisco routers that support this authentication method enable Windows 2000 users to establish remote PPP sessions without configuring an authentication method on the client.
MSCHAP V2 introduced a feature not available with MSCHAP V1 or standard CHAP authentication: Change Password. This feature allows the client to change the account password if the RADIUS server reports that the password has expired.
Two properties of MSCHAP V2 matter when you deploy it. First, the authenticator (the NAS for local authentication, otherwise the RADIUS server) must hold the password in cleartext or as its NT hash, because the response is computed from the MD4 hash of the password rather than from a one-way salted digest. Second, the challenge/response exchange is built on DES keyed directly from that hash, so a captured exchange can be attacked offline; run MSCHAP V2 over a protected transport (for example inside the IPsec tunnel of the crypto-client scenario in this module) rather than over a link an attacker can observe.

How to Configure MSCHAP Version 2
Configuring MSCHAP V2 Authentication
To configure the NAS to accept MSCHAP V2 authentication for local or RADIUS authentication, and to allow proper interpretation of authentication failure attributes and vendor-specific RADIUS attributes for RADIUS authentication, use the following commands beginning in global configuration mode.

Verifying MSCHAP V2 Configuration
Configuring Password Aging for Crypto-Based Clients
The AAA security services facilitate a variety of login authentication methods. Use the aaa authentication login command to enable AAA authentication, whichever of the supported login authentication methods you decide to use. With the aaa authentication login command you create one or more lists of authentication methods that are tried at login; the passwd-expiry keyword on such a list enables password aging for it. Lists are applied with the login authentication line configuration command or, for crypto-based clients, with the crypto map client authentication list command. After the RADIUS server requests a new password, AAA queries the crypto client, which in turn prompts the user to enter a new password. To configure login authentication and password aging for crypto-based clients, use the following commands beginning in global configuration mode.
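The procedures above tell the NAS which authentication methods to accept; what the authenticator (the NAS for local authentication, otherwise the RADIUS server) actually computes when it checks an MSCHAP V2 client is defined in RFC 2759. The following Go program is an added example and is not Cisco code or part of this module. It implements the client's NT-Response, the server's "S=" authenticator response and the NT password hash they both depend on, and checks them against the test vectors published in RFC 2759 (user "User", password "clientPass", the RFC's 16-byte authenticator and peer challenges). Its recoverHashTail function also shows why the exchange should only run over a protected link: the third DES key behind the response is two bytes of the NT hash padded with zeros, so a captured challenge/response pair gives those bytes up to a 2^16 search. All function names are this example's own; the hand-written md4 routine is there because Go's standard library has no MD4.

```go
// Added example, not Cisco's code: the MS-CHAPv2 computations of RFC 2759,
// checked against that RFC's test vectors. DES/SHA-1 come from the Go stdlib.
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 implements RFC 1320, which the stdlib lacks; needed for the NT password hash.
func md4(data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 { msg = append(msg, 0) }
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	rounds := []struct{ fn func(x, y, z uint32) uint32; k uint32; idx [16]int; s [4]uint }{
		{func(x, y, z uint32) uint32 { return x&y | ^x&z }, 0, [16]int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}, [4]uint{3, 7, 11, 19}},
		{func(x, y, z uint32) uint32 { return x&y | x&z | y&z }, 0x5a827999, [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, [4]uint{3, 5, 9, 13}},
		{func(x, y, z uint32) uint32 { return x ^ y ^ z }, 0x6ed9eba1, [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}, [4]uint{3, 9, 11, 15}},
	}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x { x[i] = binary.LittleEndian.Uint32(msg[off+4*i:]) }
		aa, bb, cc, dd := a, b, c, d
		for _, r := range rounds {
			for i := 0; i < 16; i++ {
				t := a + r.fn(b, c, d) + x[r.idx[i]] + r.k
				a, b, c, d = d, t<<r.s[i%4]|t>>(32-r.s[i%4]), b, c
			}
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} { binary.LittleEndian.PutUint32(out[4*i:], v) }
	return out
}

// ntPasswordHash = MD4(UTF-16LE(password)) (RFC 2759 8.3): the authenticator needs
// the cleartext password or this hash, never a one-way salted digest.
func ntPasswordHash(password string) []byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) { buf = append(buf, byte(u), byte(u>>8)) }
	return md4(buf)
}

// challengeHash = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8] (8.2).
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// desEncrypt expands a 7-byte key to 8 bytes (parity bit after every 7 bits) and
// encrypts one block (8.6). Go's DES ignores the parity bits.
func desEncrypt(key7, block []byte) []byte {
	var key [8]byte
	for i := 0; i < 8; i++ {
		if i > 0 { key[i] = key7[i-1] << (8 - uint(i)) }
		if i < 7 { key[i] |= key7[i] >> uint(i) }
		key[i] &= 0xfe
	}
	c, _ := des.NewCipher(key[:])
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// generateNTResponse (8.1, 8.5): the 16-byte NT hash plus five zero bytes is split
// into three 7-byte DES keys, each of which encrypts the 8-byte challenge hash.
func generateNTResponse(auth, peer []byte, user, password string) []byte {
	challenge := challengeHash(peer, auth, user)
	zhash := append(ntPasswordHash(password), make([]byte, 5)...)
	var resp []byte
	for i := 0; i < 21; i += 7 { resp = append(resp, desEncrypt(zhash[i:i+7], challenge)...) }
	return resp
}

// authenticatorResponse is the "S=..." string in the server's Success packet,
// proving to the client that the server also knows the password (8.7).
func authenticatorResponse(password string, ntResp, peer, auth []byte, user string) string {
	hashHash := md4(ntPasswordHash(password))
	digest := sha1.Sum(append(append(hashHash, ntResp...), "Magic server to client signing constant"...))
	final := sha1.Sum(append(append(digest[:], challengeHash(peer, auth, user)...), "Pad to make it do more than one iteration"...))
	return fmt.Sprintf("S=%X", final[:])
}

// recoverHashTail: the third DES key is hash bytes 14-15 plus five zero bytes, so an
// eavesdropper with the challenge and response recovers them by a 2^16 search.
func recoverHashTail(challenge, ntResp []byte) (uint16, bool) {
	key := make([]byte, 7)
	for k := 0; k < 1<<16; k++ {
		key[0], key[1] = byte(k>>8), byte(k)
		if string(desEncrypt(key, challenge)) == string(ntResp[16:24]) { return uint16(k), true }
	}
	return 0, false
}

func main() {
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628") // RFC 2759 test vectors
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	nt := generateNTResponse(auth, peer, "User", "clientPass")
	fmt.Printf("NT-Response %X\n%s\n", nt, authenticatorResponse("clientPass", nt, peer, auth, "User"))
	tail, _ := recoverHashTail(challengeHash(peer, auth, "User"), nt)
	fmt.Printf("NT hash bytes 14-15 recovered from the captured exchange: %04X\n", tail)
}
```

Run it with go run; the NT-Response and the S= line it prints can be compared with the values in section 9 of RFC 2759. The dependency on the NT hash is also why the local-authentication example in this module stores the account with username name password rather than a one-way username name secret entry.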
Configuration Examples
Configuring Local Authentication Example
The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication locally. The local account must be created with username name password (a reversible type 0 or type 7 entry): MSCHAP V2 computes the response from the NT hash of the cleartext password, so a one-way hashed username name secret entry cannot be used for it.

  interface Async65
   ip address 10.0.0.2 255.0.0.0
   encapsulation ppp
   async mode dedicated
   no peer default ip address
   ppp max-bad-auth 3
   ppp authentication ms-chap-v2
   exit
  username client password secret

Configuring RADIUS Authentication Example
The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication through RADIUS. The aaa new-model command must precede any aaa authentication command; radius-server host takes the address of the RADIUS server (10.0.0.2 stands in for it here) and no subnet mask; radius-server vsa send authentication lets the NAS carry the MSCHAP V2 vendor-specific attributes to the server.

  interface Async65
   ip address 10.0.0.2 255.0.0.0
   encapsulation ppp
   async mode dedicated
   no peer default ip address
   ppp max-bad-auth 3
   ppp authentication ms-chap-v2
   exit
  aaa new-model
  aaa authentication ppp default group radius
  radius-server host 10.0.0.2
  radius-server key secret
  radius-server vsa send authentication

Configuring Password Aging with Crypto Authentication Example
The following example configures password aging by using AAA with a crypto-based client. The passwd-expiry keyword on the userauthen list is what enables password aging; crypto map clientmap client authentication list userauthen applies that list to the IPsec clients, and radius-server vsa send authentication lets the password-expiry information pass between the NAS and the RADIUS server. Only the commands relevant to password aging are shown.

  aaa new-model
  aaa authentication login userauthen passwd-expiry group radius
  !
  aaa session-id common
  !
  crypto isakmp policy 3
   encr 3des
   authentication pre-share
   group 2
  !
  crypto isakmp client configuration group 3000client
   key cisco123
   dns 10.1.1.10
   wins 10.1.1.20
   domain cisco.com
   pool ippool
   acl 153
  !
  crypto ipsec transform-set myset esp-3des esp-sha-hmac
  !
  crypto dynamic-map dynmap 10
   set transform-set myset
  !
  crypto map clientmap client authentication list userauthen
  !
  radius-server host 10.140.15.203 auth-port 1645 acct-port 1646
  radius-server domain-stripping prefix-delimiter $
  radius-server key cisco123
  radius-server vsa send authentication
  radius-server vsa send authentication 3gpp2
  !
  end

Additional References
Related Documents: "PPP Configuration" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.4T.
RFCs: RFC 2759, Microsoft PPP CHAP Extensions, Version 2 (defines the MSCHAP V2 challenge/response exchange and the Change-Password packets).
Feature Information for MSCHAP Version 2
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

  Feature Name                              | Releases    | Feature Information
  MSCHAP Version 2                          | 12.2(2)XB5  | Allows Cisco routers to use MSCHAP V2 authentication for PPP connections between a computer running Microsoft Windows and a NAS.
  AAA Support for MSCHAPv2 Password Aging   | 12.4(6)T    | Notifies crypto-based clients that the password has expired and provides a generic way for the user to change it.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2012 Cisco Systems, Inc. All rights reserved.