force use of MSCHAP

Discussion in 'Cisco' started by Dan Lanciani, Apr 12, 2006.

  1. Dan Lanciani

    Dan Lanciani Guest

    If a peer requests a Cisco to authenticate itself with MSCHAPv2 and
    the Cisco does not support MSCHAPv2 (e.g., in IOS older than ~12.2T)
    the Cisco will NAK to conventional CHAP even if it supports
    MSCHAP. If the peer is not clever enough to suggest MSCHAP then
    authentication may succeed with conventional CHAP, but subsequent
    attempts to negotiate MPPE will fail for lack of keying material.
    (Alternately, the link may simply be terminated because the peer
    requires some MSCHAP variation but doesn't propose v1.)

    Assuming one cannot change the peer's authentication choice ordering
    is there any way to force the Cisco box to NAK to MSCHAP? All the
    configuration options appear to deal with the type of authentication
    that the Cisco will request from the peer and not the reverse.

    Dan Lanciani
    ddl@danlan.*com
     
    Dan Lanciani, Apr 12, 2006
    #1
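
The negotiation described in post #1, modelled as an added example (not code from the thread or from Cisco). The LCP Authentication-Protocol option bytes follow RFC 1661/1994/2433/2759; the peer preference lists, the `nak_pref` setting and all function names are hypothetical modelling choices.

```python
import struct

# LCP codes and option values from RFC 1661, 1994, 2433 and 2759
CONF_REQ, CONF_ACK, CONF_NAK = 1, 2, 3
OPT_AUTH, PROTO_CHAP = 3, 0xC223
ALGS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAP-v2"}
MPPE_CAPABLE = {0x80, 0x81}  # only the MS-CHAP variants yield MPPE keying material

def lcp_packet(code, ident, alg):
    """Build an LCP packet carrying one CHAP Authentication-Protocol option."""
    opt = struct.pack("!BBHB", OPT_AUTH, 5, PROTO_CHAP, alg)
    return struct.pack("!BBH", code, ident, 4 + len(opt)) + opt

def parse_chap_alg(pkt):
    """Return (code, ident, CHAP algorithm or None) from an LCP packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    opts, alg = pkt[4:length], None
    while opts:
        if len(opts) < 2 or not 2 <= opts[1] <= len(opts):
            raise ValueError("bad option length")
        if opts[0] == OPT_AUTH and opts[1] == 5 and int.from_bytes(opts[2:4], "big") == PROTO_CHAP:
            alg = opts[4]
        opts = opts[opts[1]:]
    return code, ident, alg

def respond(request, supported, nak_pref):
    """Authenticatee side: Ack a supported algorithm, otherwise Nak with nak_pref."""
    _, ident, alg = parse_chap_alg(request)
    if alg in supported:
        return lcp_packet(CONF_ACK, ident, alg)
    return lcp_packet(CONF_NAK, ident, nak_pref)

def negotiate(peer_order, supported, nak_pref):
    """Peer starts at its first choice and follows a Nak hint only if it allows it."""
    want = peer_order[0]
    for ident in range(1, 6):
        reply = respond(lcp_packet(CONF_REQ, ident, want), supported, nak_pref)
        code, _, alg = parse_chap_alg(reply)
        if code == CONF_ACK:
            return ALGS[alg], alg in MPPE_CAPABLE
        if alg not in peer_order or alg == want:
            return None, False  # peer rejects the hint: link is terminated
        want = alg
    return None, False

if __name__ == "__main__":
    print(negotiate([0x81, 0x05], {0x05, 0x80}, 0x05))  # constructed case from post #1
```

The second element of the result shows whether MPPE can be keyed afterwards; a link that settles on CHAP-MD5 authenticates but cannot be encrypted with MPPE.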

  2. Merv

    Merv Guest


    > is there any way to force the Cisco box to NAK to MSCHAP?


    for inbound refusal, check out these commands:

    ppp chap refuse

    ppp ms-chap refuse

    ppp ms-chap-v2 refuse
     
    Merv, Apr 12, 2006
    #2

  3. Dan Lanciani

    Dan Lanciani Guest

    In article <>, (Merv) writes:
    |
    | > is there any way to force the Cisco box to NAK to MSCHAP?
    |
    | for inbound refusal, check out these commands:
    |
    | ppp chap refuse
    |
    | ppp ms-chap refuse
    |
    | ppp ms-chap-v2 refuse

    I don't have any 'ppp ms-chap*' commands available and 'ppp chap refuse'
    appears to refuse any flavor of chap. I suspect that if I had the 'ppp
    ms-chap*' commands I'd also have MSCHAPv2 support in the image and the
    problem would be moot. :(

    Dan Lanciani
    ddl@danlan.*com
     
    Dan Lanciani, Apr 12, 2006
    #3