Enabling Chap Authentication - Cisco Nexus 9000 Series Configuration Manual

Nx-os security configuration guide, release 9.x
Configuring AAA

Command or Action
Example:
switch(config)# show login on-failure log

Step 5
Command or Action: (Optional) show login on-successful log
Example:
switch(config)# show login on-successful log
Purpose: Displays whether the switch is configured to log successful authentication messages to the syslog server.

Step 6
Command or Action: (Optional) copy running-config startup-config
Example:
switch(config)# copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.

Enabling CHAP Authentication

The Cisco NX-OS software supports the Challenge Handshake Authentication Protocol (CHAP), a
challenge-response authentication protocol that uses the industry-standard Message Digest (MD5) hashing
scheme to encrypt responses. You can use CHAP for user logins to a Cisco NX-OS device through a remote
authentication server (RADIUS or TACACS+).

By default, the Cisco NX-OS device uses Password Authentication Protocol (PAP) authentication between
the Cisco NX-OS device and the remote server. If you enable CHAP, you need to configure your RADIUS
or TACACS+ server to recognize the CHAP vendor-specific attributes (VSAs).

Note
Cisco Nexus 9K Series switches support the CLI command aaa authentication login ascii-authentication only
for TACACS+, not for RADIUS. Ensure that you have disabled aaa authentication login ascii-authentication
on the switch so that the default authentication, PAP, is enabled. Otherwise, you will see syslog errors. For example:
2017 Jun 14 16:14:15 N9K-1 %RADIUS-2-RADIUS_NO_AUTHEN_INFO: ASCII authentication not supported
2017 Jun 14 16:14:16 N9K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.12.34 - dcos_sshd[16804]

This table shows the RADIUS and TACACS+ VSAs required for CHAP.

Table 5: CHAP RADIUS and TACACS+ VSAs

Vendor-ID Number | Vendor-Type Number | VSA            | Description
311              | 11                 | CHAP-Challenge | Contains the challenge sent by an AAA server to a CHAP user. It can be used in both Access-Request and Access-Challenge packets.
211              | 11                 | CHAP-Response  | Contains the response value provided by a CHAP user in response to the challenge. It is used only in Access-Request packets.

Before you begin
Disable AAA ASCII authentication for logins.
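To make concrete what the CHAP-Challenge and CHAP-Response values in Table 5 carry, the following is an added example (not Cisco code and not from this guide) of the RFC 1994 response computation, MD5(Identifier || secret || Challenge), together with the check a AAA server performs on it. The one-octet Identifier field comes from RFC 1994; the 16-byte challenge length, the demo password and the demo challenge are constructed values; the RADIUS/TACACS+ VSA packaging itself is not modelled.

```python
"""CHAP (RFC 1994) challenge/response as used behind RADIUS/TACACS+ logins.

Added example, not Cisco code. It shows what the CHAP-Challenge and
CHAP-Response values contain and how the AAA server verifies them. Note that
the server needs the user's cleartext password to recompute the hash: that
is a property of CHAP's design, not of this example.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge), RFC 1994 section 4.1.

    Identifier is the one-octet field from the CHAP Challenge packet; it ties
    the response to a specific challenge round.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Server-generated, unpredictable challenge (16 bytes is an assumed, common size)."""
    return os.urandom(length)


def verify_response(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server-side check: recompute from the stored password and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


# Constructed demonstration values (not from any real device or server):
DEMO_SECRET = b"correct horse battery staple"
DEMO_CHALLENGE = bytes.fromhex("0123456789abcdef0123456789abcdef")
DEMO_ID = 0x2A


def demo_exchange() -> dict:
    """Walk through one authentication: what each side computes and what is checked."""
    # 1. The challenge is the value that travels in the CHAP-Challenge attribute.
    challenge = DEMO_CHALLENGE
    # 2. The peer derives the response from the user's password; the password
    #    itself never goes on the wire, only this 16-byte digest (CHAP-Response).
    response = chap_response(DEMO_ID, DEMO_SECRET, challenge)
    # 3. The AAA server recomputes from its own copy of the password and compares.
    ok = verify_response(DEMO_ID, DEMO_SECRET, challenge, response)
    # A wrong password fails, and a captured response replayed against a fresh
    # challenge fails too, which is the point of the challenge being unpredictable.
    wrong_password = verify_response(DEMO_ID, b"wrong password", challenge, response)
    replayed = verify_response(DEMO_ID, DEMO_SECRET, new_challenge(), response)
    return {
        "response_hex": response.hex(),
        "ok": ok,
        "wrong_password": wrong_password,
        "replayed": replayed,
    }


if __name__ == "__main__":
    for key, value in demo_exchange().items():
        print(f"{key}: {value}")
```

The practical consequence for the "Before you begin" step is visible in `verify_response`: the server can only validate a CHAP response if it holds the password in a form it can feed back into the hash, which is why the RADIUS or TACACS+ server must be prepared for CHAP (the VSAs in Table 5) before the switch is changed from the PAP default.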
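The two syslog lines quoted in the note above are enough to write a check for the ASCII-authentication mismatch. The following is an added example, not a Cisco tool: it parses NX-OS-style syslog lines of the form `<timestamp> <hostname> %FACILITY-SEVERITY-MNEMONIC: <message>`, and reports a RADIUS_NO_AUTHEN_INFO event that is followed on the same switch by a login failure within a short window. The first two sample lines are the ones from the note; the remaining sample lines and the five-second window are constructed assumptions.

```python
"""Flag the ascii-authentication/RADIUS mismatch from NX-OS syslog.

Added example (not Cisco code). Correlates %RADIUS-2-RADIUS_NO_AUTHEN_INFO
with the %AUTHPRIV-3-SYSTEM_MSG login failure that follows it, so the
misconfiguration is surfaced with the affected switch and source address
rather than read as an ordinary bad-password attempt.
"""
import re
from datetime import datetime, timedelta

# NX-OS syslog shape seen in the guide: "2017 Jun 14 16:14:15 N9K-1 %RADIUS-2-RADIUS_NO_AUTHEN_INFO: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) %(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
FAILED_FROM_RE = re.compile(r"Authentication failed from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line: str):
    """Return a dict of fields for a syslog line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Collapse the padded day ("Jun  4") before parsing the timestamp.
    d["ts"] = datetime.strptime(" ".join(d["ts"].split()), "%Y %b %d %H:%M:%S")
    d["sev"] = int(d["sev"])
    return d


def find_ascii_auth_mismatch(lines, window: timedelta = timedelta(seconds=5)):
    """Return (host, source_ip) pairs where an ASCII-auth rejection preceded a login failure."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    for i, e in enumerate(events):
        if e["mnemonic"] != "RADIUS_NO_AUTHEN_INFO":
            continue
        for f in events[i + 1:]:
            if f["ts"] - e["ts"] > window:
                break  # lines are in time order; nothing later can be in the window
            if f["host"] == e["host"] and f["mnemonic"] == "SYSTEM_MSG":
                src = FAILED_FROM_RE.search(f["msg"])
                if src:
                    findings.append((e["host"], src.group("src")))
    return findings


# Constructed sample log. The first two lines are the ones shown in the guide's note;
# the others are made up to show what is *not* flagged.
SAMPLE_LOG = [
    "2017 Jun 14 16:14:15 N9K-1 %RADIUS-2-RADIUS_NO_AUTHEN_INFO: ASCII authentication not supported",
    "2017 Jun 14 16:14:16 N9K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.12.34 - dcos_sshd[16804]",
    # Ordinary failed login on another switch with no RADIUS rejection before it: not a mismatch.
    "2017 Jun 14 16:20:01 N9K-2 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 10.0.0.7 - dcos_sshd[2231]",
    # Non-syslog noise, skipped by the parser.
    "not a syslog line",
]


if __name__ == "__main__":
    for host, src in find_ascii_auth_mismatch(SAMPLE_LOG):
        print(f"{host}: RADIUS rejected ASCII authentication; login from {src} failed. "
              f"Disable aaa authentication login ascii-authentication so PAP is used.")
```

A hit from this check means the switch is sending ASCII authentication to a RADIUS server, the situation the note describes; the remedy is the one the note gives, disabling ascii-authentication so the PAP default applies, rather than treating the event as a credential problem on the client side.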