ASA 5510 - RADIUS authentication only using PAP!

Mar 9th, 2010

Hi All,

I'm trying to move from local authentication to RADIUS authentication. I put a check mark on "MSCHAPv2 Capable", but the ASA uses PAP to request authentication from the RADIUS server. Authentication is rejected because my IAS server requires Encrypted MSCHAP or MSCHAP v2. I did enable password management, but it didn't help.


I'm not a pro, so most likely I'm missing something. Any help pointing me in the right direction will be appreciated.

Thanks,

Alex

Federico Coto F... Wed, 03/10/2010 - 11:09

Hi,


I had this same issue before, and the ASA only supported PAP for authentication against RADIUS.

I'm not sure if this behavior has changed with new releases.


I will check it out.


Federico.

energyservices Wed, 03/10/2010 - 12:23
I already updated to the latest release and it didn't help. I have searched the Internet and found that it is possible to do that, but no one can explain how. I'm more than sure that this unit can do it, but I don't know how.

20vek Fri, 03/12/2010 - 15:55
Hi Alex. I have a similar issue here. PAP works just fine, but MSCHAP over EAP fails. The error message is "15047 MsCHAP is not allowed". There is no explanation for the error. I use the ACS internal database, though, instead of AD.

energyservices Fri, 03/12/2010 - 16:56
This is from the help:


To enable MS-CHAPv2 as the protocol used between the security appliance and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the security appliance to the RADIUS server. See the description of the password-management command for details.


I finally ended up using Kerberos authentication. It works perfectly fine and is more secure than PAP. I advise you to do the same unless you can figure out the way to make MSCHAPv2 work.

20vek Sat, 03/13/2010 - 10:46
I think my problem is solved. I forgot to allow MSCHAPv2 under Access Policies/Default Network Access/Allowed Protocols.

jimmyc_2 Sun, 09/15/2013 - 19:54
I had the same problem; enabling password-management fixed it. Documentation, if it exists, is very, very difficult to find. Eventually I got it by reading the ASDM Help.

Brian Sullivan Tue, 04/28/2015 - 12:11
I realize this topic is quite long in the tooth, but to help out anyone who's having trouble and ends up here in their search, there is one piece of information you'll want to have.

What folks have said here is correct regarding enabling "password management" etc. in the tunnel groups > general settings in order to enable MSCHAPv2 connections with your RADIUS server. It works.

However, be aware that the server test function in the AAA Server Groups area of ASDM continues to use PAP even if you've made changes to your tunnel group configuration. It always uses PAP, and if your RADIUS server is set to allow only MSCHAPv2 connections, the test will fail. The only way to accurately test your setup is with an actual VPN client.
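The CLI equivalent of the ASDM steps discussed in this thread, added here as an illustration; it is not taken from any of the posts above. The server group name (RADIUS-IAS), interface, IAS address (10.0.0.10), shared secret, tunnel group name (MYVPN) and test credentials are placeholders.

```cisco
! Added example, not from the thread: RADIUS server group pointing at the IAS box.
aaa-server RADIUS-IAS protocol radius
aaa-server RADIUS-IAS (inside) host 10.0.0.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
 ! The "MSCHAPv2 Capable" checkbox in ASDM. On its own it does NOT make the
 ! ASA send MS-CHAPv2; it only permits it.
 mschapv2-capable
!
! The setting that actually changes the wire protocol: password-management
! under the tunnel group's general attributes makes the ASA send an
! MS-CHAPv2 Access-Request instead of a PAP one (User-Password attribute).
tunnel-group MYVPN type remote-access
tunnel-group MYVPN general-attributes
 authentication-server-group RADIUS-IAS
 password-management
!
! Caveat from the thread: the server test (ASDM, or the CLI command below)
! still authenticates with PAP, so an MS-CHAPv2-only IAS policy rejects it
! even when real VPN logins succeed. Do not use it as the pass/fail check.
!   test aaa-server authentication RADIUS-IAS host 10.0.0.10 username alice password <pw>
!
! Verify with a real VPN client instead. To see what is actually on the wire,
! capture the RADIUS exchange and export it for inspection:
!   capture radcap interface inside match udp any host 10.0.0.10 eq 1812
!   copy /pcap capture:radcap tftp://<tftp-host>/radcap.pcap
```

In the exported capture, a PAP request carries the User-Password attribute (type 2), while an MS-CHAPv2 request carries the Microsoft vendor-specific attributes MS-CHAP-Challenge and MS-CHAP2-Response (vendor ID 311, vendor types 11 and 25); seeing the latter in the Access-Request is the confirmation that password-management took effect. On the server side, the remote access policy must also allow MS-CHAPv2, which was the missing piece in one of the replies above.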
