Help: ASA 5520 VPN with Radius authentication only using PAP!

Unanswered Question
Jan 13th, 2010

Hello.

I am creating a Remote Access VPN group with Radius authentication.  Even though I put a check mark on the "Microsoft CHAPv2 Capable", the ASA uses PAP to request authentication with our Radius server!  Authentication is rejected because our Radius server requires Encrypted CHAP or CHAP v2.

What am I missing?  Thanks in advance.

hdashnau Wed, 01/13/2010 - 18:00

There are some aaa attributes on the tunnel you can try to adjust:

tunnel-group   ppp-attributes

asa(config-ppp)# authentication ?

tunnel-group-ppp mode commands/options:
  chap        Enable ppp authentication protocol CHAP
  eap-proxy   Enable ppp authentication to be proxied to an EAP enabled RADIUS
              server
  ms-chap-v1  Enable ppp authentication protocol MS-CHAP version 1
  ms-chap-v2  Enable ppp authentication protocol MS-CHAP version 2
  pap         Enable ppp authentication protocol PAP

If setting the above doesn't work, try to enable password-management which will require the ASA to send mschap-v2 plus you get the added benefit of the feature which is explained here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916

-heather

mlewis1 Wed, 01/13/2010 - 19:29

Thanks.

I'm using ASDM to configure the VPN group but I don't see these additional options!  I'll try CLI tomorrow.

mlewis1 Thu, 01/14/2010 - 07:42

Okay.  I have made the change to the tunnel group but the ASA is still sending PAP to the radius server.  Below are the attributes of the tunnel group.  What am I missing?  Thanks in advance.

tunnel-group Test-Admin type remote-access
tunnel-group Test-Admin general-attributes
  address-pool (inside) Test-Users-Pool
  address-pool Test-Users-Pool
  authentication-server-group Radius
  authentication-server-group (inside) Radius
  default-group-policy Test-Admin
tunnel-group Test-Admin ipsec-attributes
  pre-shared-key *
tunnel-group Test-Admin ppp-attributes
  authentication ms-chap-v2

mlewis1 Thu, 01/14/2010 - 10:54

I just fixed this!!!

I added the following:

tunnel-group Test-Admin ppp-attributes
  authentication eap-proxy
!
