force use of MSCHAP

If a peer requests a Cisco to authenticate itself with MSCHAPv2 and the Cisco does not support MSCHAPv2 (e.g., in IOS older than ~12.2T) the Cisco will NAK to conventional CHAP even if it supports MSCHAP. If the peer is not clever enough to suggest MSCHAP then authentication may succeed with conventional CHAP, but subsequent attempts to negotiate MPPE will fail for lack of keying material. (Alternately, the link may simply be terminated because the peer requires some MSCHAP variation but doesn't propose v1.)

Assuming one cannot change the peer's authentication choice ordering, is there any way to force the Cisco box to NAK to MSCHAP? All the configuration options appear to deal with the type of authentication that the Cisco will request from the peer and not the reverse.

Dan Lanciani ddl@danlan.*com

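The negotiation described in the post above, as an added example that is not part of the original thread: a small parser for the LCP Authentication-Protocol option that walks an exchange and reports whether the agreed method can supply MPPE keying material. The packet bytes are constructed for illustration, and the function names and the "peer"/"cisco" labels are assumptions of this example.

```python
import struct

LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack",
             3: "Configure-Nak", 4: "Configure-Reject"}
AUTH_OPTION = 3            # LCP Authentication-Protocol option type
PROTO_CHAP = 0xC223        # CHAP protocol number; followed by an algorithm byte
CHAP_ALGS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}
MPPE_CAPABLE = {"MS-CHAP", "MS-CHAPv2"}   # CHAP variants that yield MPPE keys

def auth_option(lcp: bytes):
    """Return (code_name, auth_name) for one LCP packet; auth_name is None if absent."""
    if len(lcp) < 4:
        raise ValueError("short LCP header")
    code, _ident, length = struct.unpack("!BBH", lcp[:4])
    if length < 4 or length > len(lcp):
        raise ValueError("bad LCP length")
    body, i, auth = lcp[4:length], 0, None
    while i + 2 <= len(body):
        otype, olen = body[i], body[i + 1]
        if olen < 2 or i + olen > len(body):
            raise ValueError("bad option length")
        data = body[i + 2:i + olen]
        if otype == AUTH_OPTION and len(data) >= 2:
            proto = struct.unpack("!H", data[:2])[0]
            if proto == PROTO_CHAP and len(data) >= 3:
                auth = CHAP_ALGS.get(data[2], f"CHAP-alg-0x{data[2]:02x}")
            else:
                auth = f"proto-0x{proto:04x}"
        i += olen
    return LCP_CODES.get(code, f"code-{code}"), auth

def diagnose(packets):
    """Walk (sender, lcp_bytes) pairs; return (events, agreed_auth, mppe_possible)."""
    events, agreed = [], None
    for sender, raw in packets:
        code, auth = auth_option(raw)
        if auth:
            events.append((sender, code, auth))
            if code == "Configure-Ack":
                agreed = auth      # the Ack settles the method for this direction
    return events, agreed, agreed in MPPE_CAPABLE

# Constructed capture: peer asks for MS-CHAPv2, Cisco NAKs to plain CHAP, peer accepts it.
SAMPLE = [("peer",  bytes.fromhex("01 01 0009 03 05 c223 81")),
          ("cisco", bytes.fromhex("03 01 0009 03 05 c223 05")),
          ("peer",  bytes.fromhex("01 02 0009 03 05 c223 05")),
          ("cisco", bytes.fromhex("02 02 0009 03 05 c223 05"))]
```

Running `diagnose(SAMPLE)` shows the link settling on CHAP-MD5 with `mppe_possible` false, which is the state in which the later MPPE negotiation fails.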

For inbound refusal, check out these commands:

ppp chap refuse

ppp ms-chap refuse

ppp ms-chap-v2 refuse

Merv

In article , snipped-for-privacy@rogers.com (Merv) writes:
|
| > is there any way to force the Cisco box to NAK to MSCHAP?
|
| for inbound refusal, check out these commands:
|
| ppp chap refuse
|
| ppp ms-chap refuse
|
| ppp ms-chap-v2 refuse

I don't have any 'ppp ms-chap*' commands available and 'ppp chap refuse' appears to refuse any flavor of chap. I suspect that if I had the 'ppp ms-chap*' commands I'd also have MSCHAPv2 support in the image and the problem would be moot. :(

Dan Lanciani ddl@danlan.*com

