MSCHAP Authentication
Use the show tacacs+ distribution status command to view the status of the TACACS+ fabric merge, as
shown in Example 32-12.
Example 32-12 Displays the TACACS+ Fabric Merge Status
switch# show tacacs+ distribution status
distribution : enabled
session ongoing: no
session db: does not exist
merge protocol status: merge activation done
last operation: enable
last operation status: success
MSCHAP Authentication
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP.
You can use MSCHAP for user logins to an MDS switch through a remote authentication server
(RADIUS or TACACS+).
About Enabling MSCHAP
By default, the switch uses Password Authentication Protocol (PAP) authentication between the switch
and the remote server. If you enable MSCHAP, you need to configure your RADIUS server to recognize
the MSCHAP vendor-specific attributes. See the "About Vendor-Specific Attributes" section on
page 32-14. Table 32-2 shows the RADIUS vendor-specific attributes required for MSCHAP.

Table 32-2 MSCHAP RADIUS Vendor-Specific Attributes

Vendor-ID Number  Vendor-Type Number  Vendor-Specific Attribute  Description
311               11                  MSCHAP-Challenge           Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets.
211               11                  MSCHAP-Response            Contains the response value provided by a user in response to the challenge. It is only used in Access-Request packets.

To enable MSCHAP authentication, follow these steps:

Step    Command                                                 Purpose
Step 1  switch# config t                                        Enters configuration mode.
Step 2  switch(config)# aaa authentication login mschap enable  Enables MSCHAP login authentication.

Chapter 32 Configuring RADIUS and TACACS+
Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
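
The following is an added example, not taken from the Cisco guide: it reads a RADIUS Access-Request and reports whether the login was sent with PAP (the RFC 2865 User-Password attribute) or with MSCHAP (the MSCHAP-Challenge vendor-specific attribute from Table 32-2), which is one way to confirm on a capture that the setting took effect. The packet layout follows RFC 2865; the function names and the sample packets are constructed for illustration, and only the MSCHAP-Challenge pair (311, 11) is checked.

```python
import struct

USER_PASSWORD = 2              # RFC 2865 attribute that carries the PAP password
VENDOR_SPECIFIC = 26           # RFC 2865 container for vendor-specific attributes
MSCHAP_CHALLENGE = (311, 11)   # Vendor-ID, Vendor-Type of MSCHAP-Challenge (Table 32-2)

def tlvs(buf, what):
    """Yield (type, value) pairs from a run of type/length/value fields."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError(f"truncated {what} header")
        ftype, flen = buf[pos], buf[pos + 1]   # length covers the type and length bytes
        if flen < 2 or pos + flen > len(buf):
            raise ValueError(f"bad {what} length")
        yield ftype, buf[pos + 2:pos + flen]
        pos += flen

def attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    yield from tlvs(packet[20:length], "attribute")

def login_methods(packet):
    """Return the login methods whose attributes appear in the packet."""
    seen = set()
    for atype, value in attributes(packet):
        if atype == USER_PASSWORD:
            seen.add("PAP")
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor_id = struct.unpack("!I", value[:4])[0]
            for vtype, _data in tlvs(value[4:], "vendor attribute"):
                if (vendor_id, vtype) == MSCHAP_CHALLENGE:
                    seen.add("MSCHAP")
    return sorted(seen)

def build_request(attrs):
    """Constructed sample: Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

USER = (1, b"admin")                                        # constructed User-Name
PAP_REQUEST = build_request([USER, (USER_PASSWORD, bytes(16))])
MSCHAP_VSA = struct.pack("!IBB", 311, 11, 10) + bytes(8)    # constructed 8-byte challenge
MSCHAP_REQUEST = build_request([USER, (VENDOR_SPECIFIC, MSCHAP_VSA)])

if __name__ == "__main__":
    print(login_methods(PAP_REQUEST), login_methods(MSCHAP_REQUEST))
```

A request that still reports PAP after MSCHAP has been enabled means the password is crossing the network protected only by the RADIUS shared secret.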