Help: ASA 5520 VPN with Radius authentication only using PAP!

Jan 13th, 2010

I am creating a Remote Access VPN group with Radius authentication.  Even though I put a check mark on "Microsoft CHAPv2 Capable", the ASA uses PAP to request authentication from our Radius server!  Authentication is rejected because our Radius server requires Encrypted CHAP or CHAP v2.

What am I missing?  Thanks in advance.

hdashnau Wed, 01/13/2010 - 18:00
User Badges:
  • Cisco Employee,

There are some aaa attributes on the tunnel you can try to adjust:

tunnel-group   ppp-attributes

asa(config-ppp)# authentication ?

tunnel-group-ppp mode commands/options:
  chap        Enable ppp authentication protocol CHAP
  eap-proxy   Enable ppp authentication to be proxied to an EAP enabled RADIUS
  ms-chap-v1  Enable ppp authentication protocol MS-CHAP version 1
  ms-chap-v2  Enable ppp authentication protocol MS-CHAP version 2
  pap         Enable ppp authentication protocol PAP

If setting the above doesn't work, try to enable password-management which will require the ASA to send mschap-v2 plus you get the added benefit of the feature which is explained here:


mlewis1 Wed, 01/13/2010 - 19:29

I'm using ASDM to configure the VPN group but I don't see these additional options!  I'll try CLI tomorrow.

mlewis1 Thu, 01/14/2010 - 07:42

Okay.  I have made the change to the tunnel group, but the ASA is still negotiating PAP with the Radius server.  Below are the attributes of the tunnel group.  What am I missing?  Thanks in advance.

tunnel-group Test-Admin type remote-access
tunnel-group Test-Admin general-attributes
  address-pool (inside) Test-Users-Pool
  address-pool Test-Users-Pool
  authentication-server-group Radius
  authentication-server-group (inside) Radius
  default-group-policy Test-Admin
tunnel-group Test-Admin ipsec-attributes
  pre-shared-key *
tunnel-group Test-Admin ppp-attributes
  authentication ms-chap-v2

mlewis1 Thu, 01/14/2010 - 10:54

I just fixed this!!!

I added the following:

tunnel-group Test-Admin ppp-attributes
  authentication eap-proxy
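
To confirm on the RADIUS server side which method the ASA is really sending after a change like the ones above, the attributes of the Access-Request can be classified. This is an added example, not part of the thread; the function names and sample packets are constructed for illustration, with attribute numbers taken from RFC 2865, RFC 3579 and RFC 2548.

```python
import struct

# Attribute numbers: RFC 2865 (2, 3, 26), RFC 3579 (79), RFC 2548 (Microsoft vendor 311).
USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 2, 3, 26, 79
MS_VENDOR_ID = 311
MS_SUBTYPES = {1: "MS-CHAPv1", 25: "MS-CHAPv2"}  # MS-CHAP-Response, MS-CHAP2-Response

def radius_auth_methods(packet: bytes) -> set:
    """Return the authentication methods carried in one RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError("not an Access-Request (code %d)" % code)
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    methods, pos = set(), 20
    while pos < length:
        # Each attribute is type(1) + length(1) + value; length covers all three.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == USER_PASSWORD:
            methods.add("PAP")
        elif atype == CHAP_PASSWORD:
            methods.add("CHAP")
        elif atype == EAP_MESSAGE:
            methods.add("EAP")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            # Vendor-Specific value: vendor id(4) + vendor type(1) + vendor length(1) + data
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and vtype in MS_SUBTYPES:
                methods.add(MS_SUBTYPES[vtype])
        pos += alen
    return methods

def _attr(atype, value):  # hypothetical helper that builds one attribute
    return bytes([atype, len(value) + 2]) + value

def _request(*attrs):  # hypothetical helper that builds an Access-Request
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed sample packets (zeroed authenticator and payloads), not captures from the thread.
PAP_REQ = _request(_attr(1, b"alice"), _attr(2, bytes(16)))
MSCHAP2_REQ = _request(_attr(1, b"alice"),
                       _attr(26, struct.pack("!IBB", 311, 11, 18) + bytes(16)),
                       _attr(26, struct.pack("!IBB", 311, 25, 52) + bytes(50)))
EAP_REQ = _request(_attr(1, b"alice"), _attr(79, b"\x02\x01\x00\x0a\x01alice"))
```

Feed it the UDP payload of a request captured on the RADIUS server; a result of `{"PAP"}` means the password is still arriving in the User-Password attribute.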

