Cisco Cisco IOS Software Release 12.4(6)T
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2006 Cisco Systems, Inc. All rights reserved.
MSCHAP Version 2
First Published: January 23, 2003
Last Updated: April 17, 2006
Last Updated: April 17, 2006
The MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to
utilize Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2)
authentication for PPP connections between a computer using a Microsoft Windows operating system
and a network access server (NAS).
utilize Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2)
authentication for PPP connections between a computer using a Microsoft Windows operating system
and a network access server (NAS).
For Cisco IOS Release 12.4(6)T, MSCHAP V2 now supports a new feature: AAA Support for
MSCHAPv2 Password Aging. Prior to Cisco IOS Release 12.4(6)T, when Password Authentication
Protocol (PAP)-based clients sent username and password values to the authentication, authorization,
and accounting (AAA) subsystem, AAA generated an authentication request to the RADIUS server. If
the password expired, the RADIUS server replied with an authentication failure message. The reason for
the authentication failure was not passed back to AAA subsystem; thus, users were denied access
because of authentication failure but were not informed why they were denied access.
MSCHAPv2 Password Aging. Prior to Cisco IOS Release 12.4(6)T, when Password Authentication
Protocol (PAP)-based clients sent username and password values to the authentication, authorization,
and accounting (AAA) subsystem, AAA generated an authentication request to the RADIUS server. If
the password expired, the RADIUS server replied with an authentication failure message. The reason for
the authentication failure was not passed back to AAA subsystem; thus, users were denied access
because of authentication failure but were not informed why they were denied access.
The Password Aging feature, available in Cisco IOS Release 12.4(6)T, notifies crypto-based clients that
the password has expired and provides a generic way for the user to change the password. The Password
Aging feature supports only crypto-based clients.
the password has expired and provides a generic way for the user to change the password. The Password
Aging feature supports only crypto-based clients.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach
links to specific feature documentation in this module and to see a list of the releases in which each feature is
supported, use the
links to specific feature documentation in this module and to see a list of the releases in which each feature is
supported, use the
.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at
support. Access Cisco Feature Navigator at
. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
the login dialog box and follow the instructions that appear.