
DHCHAP / FC-SP Cannot Use SHA-1 as the Hash Algorithm

Caution: "RADIUS and TACACS+ protocols always use MD5 for CHAP authentication. Using SHA-1 as the hash algorithm may prevent RADIUS and TACACS+ usage—even if these AAA protocols are enabled for DHCHAP authentication."

Personally I think it's a bit misleading, because unless someone can offer up an exception, I believe that it will not work, not may not work. T11 goes on to explain this in their document Annex-A FC-SP RADIUS Implementation Guide (Informative). Here is some relevant information from the document.

A.3.3 Digest Algorithm

"Use of SHA-1 is allowed in FC-SP but will lead to interoperability issues with existing implementations that are built around MD5. MD5 is needed for interoperation with existing RADIUS Server implementations. Since SHA-1 is stronger than MD5, it can be used where legacy interoperation is not needed. Both algorithms can coexist in the same SAN."

Basically, the document describes the architecture of FC-SP authentication with regard to RADIUS and gives several examples showing that supporting SHA-1 would require the protocol to be modified in a way that breaks legacy RADIUS implementations. Just something to keep in mind when configuring FC-SP with SHA-1 and using AAA RADIUS or TACACS+. This limitation does not exist with local authentication.
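To make the MD5 dependency concrete, here is an added illustration that is not part of the original post, the T11 annex, or any vendor's code. It shows the framing reason a RADIUS server cannot accept a SHA-1 CHAP response: the RADIUS CHAP-Password attribute (RFC 2865, attribute type 3) carries a 1-octet CHAP identifier followed by exactly 16 octets of response, and that response is defined by RFC 1994 as MD5(ident || secret || challenge). A 20-octet SHA-1 digest does not fit the attribute, while a local (switch-side) verifier has no such constraint. Assumptions: plain RFC 1994 CHAP is modelled, not the DH-CHAP challenge derivation used by FC-SP itself, and the secret, identifier and challenge are constructed sample values.

```python
"""Why RADIUS CHAP authentication is tied to MD5 (added example, not the post's code).

Assumptions: plain RFC 1994 CHAP is shown rather than the DH-CHAP derivation
of FC-SP; all secrets and challenges below are constructed sample values.
"""
import hashlib
import hmac
import struct

RADIUS_ATTR_CHAP_PASSWORD = 3    # RFC 2865 section 5.3
CHAP_RESPONSE_LEN = 16           # RFC 2865: 1 ident octet + 16 response octets
CHAP_PASSWORD_ATTR_LEN = 3 + CHAP_RESPONSE_LEN  # type + length + ident + response

HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def chap_response(ident: int, secret: bytes, challenge: bytes, hash_name: str = "md5") -> bytes:
    """Client side: H(ident || secret || challenge) as in RFC 1994 section 4.1."""
    return HASHES[hash_name](bytes([ident]) + secret + challenge).digest()


def encode_chap_password(ident: int, response: bytes) -> bytes:
    """Build the RADIUS CHAP-Password attribute: Type, Length, CHAP Ident, Response."""
    if len(response) != CHAP_RESPONSE_LEN:
        # This is the interoperability wall: the attribute has no room for a
        # 20-octet SHA-1 digest, so a SHA-1 DHCHAP exchange cannot be proxied to RADIUS.
        raise ValueError(
            f"CHAP-Password carries exactly {CHAP_RESPONSE_LEN} response octets, "
            f"got {len(response)}")
    return struct.pack("!BBB", RADIUS_ATTR_CHAP_PASSWORD, CHAP_PASSWORD_ATTR_LEN, ident) + response


def decode_chap_password(attr: bytes) -> tuple:
    """RADIUS server side: parse the attribute back into (ident, response)."""
    atype, alen, ident = struct.unpack("!BBB", attr[:3])
    if atype != RADIUS_ATTR_CHAP_PASSWORD or alen != CHAP_PASSWORD_ATTR_LEN or len(attr) != alen:
        raise ValueError("malformed CHAP-Password attribute")
    return ident, attr[3:]


def radius_verify(attr: bytes, challenge: bytes, secret: bytes) -> bool:
    """A RADIUS server recomputes the MD5 response; CHAP in RADIUS defines no other digest."""
    ident, response = decode_chap_password(attr)
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(expected, response)


def local_verify(ident: int, response: bytes, challenge: bytes, secret: bytes, hash_name: str) -> bool:
    """A local (switch-side) password database can verify whichever hash was negotiated."""
    return hmac.compare_digest(chap_response(ident, secret, challenge, hash_name), response)


def demo(hash_name: str) -> tuple:
    """Return (local_ok, radius_ok) for one hash; radius_ok is False when the
    response cannot even be framed as a RADIUS CHAP-Password attribute."""
    secret = b"constructed-dhchap-secret"                            # constructed
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed
    ident = 0x2A                                                     # constructed
    response = chap_response(ident, secret, challenge, hash_name)
    local_ok = local_verify(ident, response, challenge, secret, hash_name)
    try:
        radius_ok = radius_verify(encode_chap_password(ident, response), challenge, secret)
    except ValueError:
        radius_ok = False
    return local_ok, radius_ok


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, "local/radius ->", demo(name))
```

Running the block prints that MD5 verifies both locally and via RADIUS, while SHA-1 verifies locally but never reaches the RADIUS server, which matches the post's point that the limitation applies only when AAA is delegated to RADIUS or TACACS+.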
