Looking over Cisco's documentation, and RFC 1994 (PPP CHAP authentication), my initial guess is "no", because CHAP requires a cleartext password to rehash every time it sends a challenge.

Is this true? If so, is there another way to configure CHAP so it doesn't use the easily-decoded type 7 passwords?

The Cisco device in question uses local authentication, not a TACACS+ or RADIUS server. Would using RADIUS eliminate the problem or just move it to the RADIUS server?

romandas

1 Answer

Indeed, CHAP needs a cleartext password.

Moving authentication to a RADIUS server would not eliminate the need for cleartext passwords, but at least all passwords would be stored in a central and secured repository.

petrus
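The RFC 1994 computation behind the answer above, as an added example that is not part of the original posts: the response is MD5 over Identifier, secret and Challenge, so the authenticator can only recompute it from a recoverable secret. The function names and the sample secret are constructed for illustration, and SHA-256 stands in for any irreversible stored form.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def authenticator_verify(identifier: int, stored_secret: bytes,
                         challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the response from what it has stored."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo(challenge: bytes = b"") -> tuple:
    secret = b"constructed-sample-secret"   # constructed sample, not a real credential
    identifier = 0x2A                       # constructed Identifier octet
    challenge = challenge or os.urandom(16)  # fresh per authentication attempt

    # Peer side: knows the cleartext secret and answers the challenge.
    peer_response = chap_response(identifier, secret, challenge)

    # Case 1: authenticator stores the secret in recoverable form.
    ok_cleartext = authenticator_verify(identifier, secret, challenge, peer_response)

    # Case 2: authenticator stores only a one-way digest of the secret.
    # The digest cannot be turned back into the secret, so the recomputed
    # value never matches what the peer sent.
    one_way = hashlib.sha256(secret).digest()
    ok_one_way = authenticator_verify(identifier, one_way, challenge, peer_response)

    return ok_cleartext, ok_one_way


if __name__ == "__main__":
    print(demo())
```

The same constraint applies to a RADIUS server validating CHAP: it receives the challenge and response and must perform the recomputation itself, which is why the secret ends up stored recoverably there instead.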