TechExams.net IT Certification Forums > Cisco > CCNP
Thread: aaa with chap

#1 marcusaureliusbrutus, 07-07-2009, 01:44 AM

Hi. I have configured a Windows server as my NAS and my Cisco devices to use AAA when logging in to the routers/switches. I would like to enable some sort of encryption between my Cisco devices and the Windows server during authentication (when someone SSHes or telnets to the router). I believe MS-CHAP v2 is more secure for Windows. However, I can't find any documentation that would do this. I keep on seeing the option to configure PPP on AAA and configure encap PPP on an interface. The thing is, what if I have several routers and my NAS is located or connected to just one switch interface? Does that mean that I have to enable PPP on every interface on my switches and routers? I apologize if my question may sound dumb, but I would really appreciate any help or advice on this.

Thanks in advance.

#2 dtlokee, 07-07-2009, 09:53 AM

Are you using IAS on the Windows box with RADIUS from the routers and switches for administrative access? This is a case where PPP CHAP is not going to help you.



#3 marcusaureliusbrutus, 07-07-2009, 09:42 PM

The thing is, I am just looking for a way to encrypt communication between the network access server (Windows) and my Cisco devices while using AAA. Can anybody recommend a solution?

Thanks.

#4 rakem, 07-08-2009, 07:49 AM

Just use SSH. That should encrypt all authentication traffic. I think.

#5 dtlokee, 07-08-2009, 02:24 PM

Quote (originally posted by marcusaureliusbrutus):
    The thing is, I am just looking for a way to encrypt communication between the network access server (Windows) and my Cisco devices while using AAA. Can anybody recommend a solution?

    Thanks.
If you are using RADIUS then it will not encrypt the "AAA" packets between the router and the AAA server. If you use TACACS+ then the packets are encrypted. If using RADIUS, you could create an IPsec tunnel to the Windows server.

I asked for more info and you didn't provide any; I am asking questions so I can help you find the most appropriate solution for what you are trying to do.



#6 marcusaureliusbrutus, 07-08-2009, 07:01 PM

Hi Dtlokee,

I'm sorry I didn't provide additional details. My setup is such that I have multiple Cisco switches/routers which I telnet to. I intend to enable SSH instead of telnet in the future. But first I wish to encrypt communication between my Cisco devices and my AAA Windows server. Checking my Windows AAA server, it can only support MS-CHAP v2 at best. So I guess I'm stuck with MS-CHAP v2. So now I wish to enable MS-CHAP v2 login authentication on my Cisco devices. I will look into your IPsec recommendation.

Thanks in advance.

#7 dtlokee, 07-10-2009, 02:15 PM

OK, the MS-CHAP solution will not work for your case; that would only apply if you were terminating a PPP connection on the router, like a dial-in modem or a serial link with PPP authentication. You most likely have RADIUS configured ("aaa authentication login default group radius" or something like that). RADIUS messages are not encrypted, so you would need to look at building an IPsec tunnel, but if you have many routers it could become very time consuming. You could also look at a TACACS solution, which would be encrypted.



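The contrast dtlokee draws in posts #5 and #7 (RADIUS leaves the AAA packets unencrypted, TACACS+ protects them) can be checked byte for byte. The following Python is an added example for this thread, not code from the posters or from any Cisco or Microsoft product. It implements the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5 on constructed sample values (the shared secret, TACACS+ key, username, session id and Request Authenticator are all made up), then shows what a passive observer on the path between a router and the Windows server could read without the secret in each case. `radius_cleartext_attributes` and `tacacs_body_is_cleartext` are helper names chosen here, not standard API.

```python
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- RADIUS (RFC 2865, section 5.2): only the User-Password attribute is hidden ---

def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """c(1) = p(1) XOR MD5(secret + RequestAuthenticator); c(n) = p(n) XOR MD5(secret + c(n-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a multiple of 16 octets
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password; needs the shared secret, so an observer without it cannot do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")


def radius_access_request(secret: bytes, authenticator: bytes, username: bytes, password: bytes) -> bytes:
    """Minimal Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(secret, authenticator, password)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, 0, 20 + len(attrs))   # code, identifier, length
    return header + authenticator + attrs


def radius_cleartext_attributes(packet: bytes) -> dict:
    """Everything an observer without the secret can read: every attribute except User-Password."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype != 2:
            attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


# --- TACACS+ (RFC 8907, section 4.5): the whole body is XOR-ed with an MD5 pseudo-pad ---

TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # RFC 8907 section 4.1, flags octet of the 12-octet header


def tacacs_pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR with the pseudo-pad; applying it again to the output restores the body."""
    return _xor(body, tacacs_pseudo_pad(key, session_id, version, seq_no, len(body)))


def tacacs_body_is_cleartext(header: bytes) -> bool:
    """Defender check: the unencrypted flag set in the header means the body was sent without a key."""
    return bool(header[3] & TAC_PLUS_UNENCRYPTED_FLAG)


if __name__ == "__main__":
    # Constructed sample values; a real NAS picks a random Request Authenticator per request.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    pkt = radius_access_request(secret, authenticator, b"admin", b"constructed-pw")
    print("RADIUS, readable without the secret:", radius_cleartext_attributes(pkt))

    key, session_id = b"constructed-tacacs-key", 0x1234ABCD
    body = b"\x01\x00\x01\x01\x05\x00\x00\x00admin"      # constructed authentication START body
    wire = tacacs_obfuscate(key, session_id, 0xC0, 1, body)
    print("TACACS+ body on the wire:", wire.hex())
    print("TACACS+ body restored with the key:", tacacs_obfuscate(key, session_id, 0xC0, 1, wire))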