Enabling CHAP Authentication
Enabling CHAP Authentication
To enable CHAP authentication, follow these steps:
Procedure
Step 1
switch# configure terminal
Enters configuration mode.
Step 2
switch(config)# aaa authentication login chap enable
Enables CHAP login authentication.
Step 3
switch# no aaa authentication login chap enable
(Optional) Disables CHAP login authentication.
Example
You can use the show aaa authentication login chap command to display the CHAP authentication
configuration.
switch# show aaa authentication login chap
chap is disabled
MSCHAP Authentication
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP.
Cisco MDS 9000 Family switches allow user logins to perform remote authentication using different versions
of MSCHAP. MSCHAP is used for authentication on a RADIUS or TACACS+ server, while MSCHAPv2
is used for authentication on a RADIUS server.
About Enabling MSCHAP
By default, the switch uses Password Authentication Protocol (PAP) authentication between the switch and
the remote server. If you enable MSCHAP, you need to configure your RADIUS server to recognize the
MSCHAP vendor-specific attributes. See the
table shows the RADIUS vendor-specific attributes required for MSCHAP.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
88
Configuring Security Features on an External AAA Server
About Vendor-Specific Attributes, on page
62. The following