Configuring AAA
| Step | Command or Action | Purpose |
| --- | --- | --- |
| Step 5 | switch# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration. |

Enabling MSCHAP Authentication

Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You
can use MSCHAP for user logins to a Cisco Nexus 5000 Series switch through a remote authentication server
(RADIUS or TACACS+).

By default, the Cisco Nexus 5000 Series switch uses Password Authentication Protocol (PAP) authentication
between the switch and the remote server. If you enable MSCHAP, you need to configure your RADIUS
server to recognize the MSCHAP vendor-specific attributes (VSAs).

The following table describes the RADIUS VSAs required for MSCHAP.

Table 23: MSCHAP RADIUS VSAs

| Vendor-ID Number | Vendor-Type Number | VSA | Description |
| --- | --- | --- | --- |
| 311 | 11 | MSCHAP-Challenge | Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets. |
| 211 | 11 | MSCHAP-Response | Contains the response value provided by an MSCHAP user in response to the challenge. It is only used in Access-Request packets. |

To enable MSCHAP authentication, perform this task:

Procedure

| Step | Command or Action | Purpose |
| --- | --- | --- |
| Step 1 | switch# configure terminal | Enters configuration mode. |
| Step 2 | switch(config)# aaa authentication login mschap enable | Enables MS-CHAP authentication. The default is disabled. |
| Step 3 | switch(config)# exit | Exits configuration mode. |

Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, OL-16597-01
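To confirm on the RADIUS server side that Access-Request packets from the switch carry the MSCHAP-Challenge VSA listed in Table 23 (Vendor-ID 311, Vendor-Type 11), a captured packet can be decoded with a short script. This is an added example, not part of the Cisco guide: it assumes the RFC 2865 Vendor-Specific attribute layout (attribute type 26), the function names are hypothetical, and the sample packet is constructed.

```python
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type that carries VSAs (RFC 2865)
MICROSOFT_VENDOR_ID = 311   # Vendor-ID Number from Table 23
MSCHAP_CHALLENGE = 11       # Vendor-Type Number from Table 23

def iter_attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len

def vendor_attributes(packet):
    """Return [(vendor_id, vendor_type, data)] for every VSA sub-attribute."""
    found = []
    for attr_type, value in iter_attributes(packet):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor_id, sub = struct.unpack("!I", value[:4])[0], value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            found.append((vendor_id, vtype, sub[2:vlen]))
            sub = sub[vlen:]
    return found

def has_mschap_challenge(packet):
    """True if the packet carries the Table 23 MSCHAP-Challenge VSA."""
    return any(v == MICROSOFT_VENDOR_ID and t == MSCHAP_CHALLENGE
               for v, t, _ in vendor_attributes(packet))

def build_sample():
    """Constructed Access-Request: User-Name plus one Microsoft VSA."""
    user = bytes([1, 7]) + b"admin"                   # User-Name attribute
    challenge = bytes(range(8))                       # constructed challenge value
    sub = bytes([MSCHAP_CHALLENGE, 2 + len(challenge)]) + challenge
    value = struct.pack("!I", MICROSOFT_VENDOR_ID) + sub
    attrs = user + bytes([VENDOR_SPECIFIC, 2 + len(value)]) + value
    return struct.pack("!BBH", 1, 0x2A, 20 + len(attrs)) + bytes(16) + attrs
```

A request that still has no Microsoft VSA after Step 2 means the switch is using the default PAP exchange, and a VSA the server logs as unknown means its dictionary does not yet recognize the MSCHAP attributes.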