Configuring Security Features on an External AAA Server
CHAP Authentication
• The timeout and retransmit parameters of the merged configuration are the largest values found in the
per-server and global configurations.
Note
The test parameter will be distributed through CFS for the TACACS+ daemon only. If the fabric contains only
NX-OS Release 5.0 switches, the test parameters will be distributed. If the fabric contains some switches
running NX-OS Release 5.0 and some running an NX-OS 4.x release, the test parameters will not be distributed.
Caution
If the server ports configured on two switches conflict, the merge fails.
Use the show radius distribution status command to view the status of the RADIUS fabric merge as shown
in the following example.
Displays the RADIUS Fabric Merge Status
switch# show radius distribution status
distribution : enabled
session ongoing: no
session db: does not exist
merge protocol status: merge response received
merge error: conflict: server dmtest2 has auth-port 1812 on this switch and 1999
on remote
last operation: enable
last operation status: success
Use the show tacacs+ distribution status command to view the status of the TACACS+ fabric
merge as shown in the following example.
Displays the TACACS+ Fabric Merge Status
switch# show tacacs+ distribution status
distribution : enabled
session ongoing: no
session db: does not exist
merge protocol status: merge activation done
last operation: enable
last operation status: success
CHAP Authentication
CHAP (Challenge Handshake Authentication Protocol) is a challenge-response authentication protocol that
uses the industry-standard Message Digest 5 (MD5) hashing scheme to compute the response. CHAP is used
by various vendors of network access servers and clients. A server running Routing and Remote Access supports
CHAP so that remote access clients that require CHAP are authenticated. CHAP is supported as an
authentication method in this release.
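The challenge-response exchange described above, as an added example that is not part of the original guide or of NX-OS: it follows the RFC 1994 definition of the CHAP response (MD5 over the Identifier octet, the shared secret, and the challenge) and shows both the peer and the authenticator side. The class name, method names, user name, and secret are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(Identifier octet || shared secret || Challenge value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Hypothetical server side: issues challenges and verifies responses."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets                  # user name -> shared secret
        self._pending: dict[int, bytes] = {}     # Identifier -> outstanding challenge
        self._next_id = 0

    def new_challenge(self) -> tuple[int, bytes]:
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)               # must be unpredictable and unique
        self._pending[ident] = challenge
        return ident, challenge

    def verify(self, name: str, ident: int, response: bytes) -> bool:
        # pop() makes every challenge single-use, so a captured response
        # cannot be replayed against the same Identifier.
        challenge = self._pending.pop(ident, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)
```

The secret itself never crosses the wire, but the authenticator needs it in recoverable form to recompute the digest, so the server-side secret store needs the same protection as a cleartext password database.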
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x