Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, NX-OS 4.0(1a)N1 (OL-16597-01, January 2009)

Chapter 16 Configuring AAA
Steps for enabling login authentication failure messages:

| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# configure terminal | Enters configuration mode. |
| Step 2 | switch(config)# aaa authentication login error-enable | Enables login authentication failure messages. The default is disabled. |
| Step 3 | switch(config)# exit | Exits configuration mode. |
| Step 4 | switch# show aaa authentication | (Optional) Displays the login failure message configuration. |
| Step 5 | switch# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration. |

Enabling MSCHAP Authentication

Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Nexus 5000 Series switch through a remote authentication server (RADIUS or TACACS+).

By default, the Nexus 5000 Series switch uses Password Authentication Protocol (PAP) authentication between the Nexus 5000 Series switch and the remote server. If you enable MSCHAP, you need to configure your RADIUS server to recognize the MSCHAP vendor-specific attributes (VSAs). See the “Using AAA Server VSAs with Nexus 5000 Series Switches” section on page 16-11. Table 16-3 describes the RADIUS VSAs required for MSCHAP.

Table 16-3 MSCHAP RADIUS VSAs

| Vendor-ID Number | Vendor-Type Number | VSA | Description |
|---|---|---|---|
| 311 | 11 | MSCHAP-Challenge | Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets. |
| 211 | 11 | MSCHAP-Response | Contains the response value provided by an MSCHAP user in response to the challenge. It is only used in Access-Request packets. |

To enable MSCHAP authentication, perform this task:

| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# configure terminal | Enters configuration mode. |
| Step 2 | switch(config)# aaa authentication login mschap enable | Enables MS-CHAP authentication. The default is disabled. |
| Step 3 | switch(config)# exit | Exits configuration mode. |
| Step 4 | switch# show aaa authentication login mschap | (Optional) Displays the MS-CHAP configuration. |
| Step 5 | switch# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration. |
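
A check for the PAP default versus MSCHAP described above, added here as an example and not taken from the Cisco guide: it parses a captured RADIUS Access-Request and reports whether the switch sent a PAP User-Password or the MSCHAP VSAs. The attribute numbers (User-Password 2, Vendor-Specific 26, Microsoft vendor ID 311, MS-CHAP-Response type 1, MS-CHAP-Challenge type 11) are assumed from RFC 2865 and RFC 2548, and the sample packets and helper names are constructed for illustration.

```python
import struct

# Constants assumed from RFC 2865 / RFC 2548 (not taken from this page).
USER_PASSWORD, VENDOR_SPECIFIC = 2, 26        # PAP password, VSA container
MS_VENDOR_ID = 311                            # Microsoft vendor ID
MSCHAP_RESPONSE, MSCHAP_CHALLENGE = 1, 11     # Microsoft vendor types

def iter_tlv(buf):
    """Yield (type, value) pairs from 1-byte-type/1-byte-length TLVs."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        length = buf[pos + 1]                 # length covers type+length+value
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        yield buf[pos], buf[pos + 2:pos + length]
        pos += length

def login_method(packet):
    """Classify an Access-Request as 'pap', 'mschap' or 'unknown'."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    seen = set()
    for atype, value in iter_tlv(packet[20:length]):
        if atype == USER_PASSWORD:
            return "pap"                      # password attribute present
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == MS_VENDOR_ID:
                seen.update(vtype for vtype, _ in iter_tlv(value[4:]))
    if {MSCHAP_RESPONSE, MSCHAP_CHALLENGE} <= seen:
        return "mschap"                       # both VSAs were sent
    return "unknown"

# Constructed sample packets (zero-filled values, hypothetical user "admin").
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def ms_vsa(vtype, data):                      # one Microsoft sub-attribute in a VSA
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + attr(vtype, data))

def request(attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

PAP_SAMPLE = request([attr(1, b"admin"), attr(USER_PASSWORD, bytes(16))])
MSCHAP_SAMPLE = request([attr(1, b"admin"), ms_vsa(MSCHAP_CHALLENGE, bytes(8)),
                         ms_vsa(MSCHAP_RESPONSE, bytes(50))])
print(login_method(PAP_SAMPLE), login_method(MSCHAP_SAMPLE))
```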