ASA 5510 - RADIUS authentication only using PAP!

energyservices · ‎03-09-2010

Hi All,

I'm trying to move from Local authentication to Radius authentication. I put a check mark on the "MSCHAPv2 Capable" but ASA uses PAP to request for authentication with the Radius server. Authentication is rejected because my IAS server requires Encrypted MSCHAP or MSCHAP v2. I did enable password management but it didn't help.

I'm not a pro so most likely I’m missing something. Any help pointing in the right direction will be appreciated.

Thanks,

Alex

Federico Coto Fajardo · ‎03-10-2010

Hi,

I had this same issue before and the ASA only supported PAP for authentication agaist Radius.

I'm not sure if this behavior has changed with new releases.

I will check it out.

Federico.

energyservices · ‎03-10-2010

I already updated to latest release and it didn't help. I have searched the Internet and found that it is possible to do that but no one can explain how. I'm more than sure that this unit can do it, but i don't know how.

20vek · ‎03-12-2010

Hi Alex. I have similar issue here. PAP works just fine but MSCHAP over EAP fails. The error message is "15047 MsCHAP is not allowed". The is no explanation for the error. I use ASC internal database though instead of AD.

energyservices · ‎03-12-2010

This is from help:

To enable MS-CHAPv2 as the protocol used between the security appliance and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the security appliance to the RADIUS server. See the description of the password-management command for details.

I finally end up using Kerberos authentication. Works perfectly fine and more secure than PAP. I advise you to do the same unless you can figure out the way to make MSCHAPv2 work.

20vek · ‎03-13-2010

I think my problem is solved. I forgot to allow MSCHAPv2 under Access Policies/Default Network Access/Allowed Protocols.

Amafsha1 · ‎01-15-2019

I'm having the same exact problem where my NPS server is only getting PAP from my VPN ASA...if I disable PAP on NPA Radius server, authentication will never work. How did you fix this?

jgood · ‎03-29-2010

I enabled password management and now it is using MS-CHAPv2. Thanks for the pointer energyservices.

jimmyc_2 · ‎09-15-2013

I had the same problem, enabling password-managment fixed it. Documentation, if it exists, is very very difficult to find. Eventually I got it by reading ASDM Help.

Jatin Katyal · ‎09-22-2013

I tried to explain it here.

https://supportforums.cisco.com/message/4042903#4042903

Thanks Jimmyc for updating thread with your findings

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Brian Sullivan · ‎04-28-2015

I realize this topic is quite long in the tooth. But, to help out anyone who's having trouble and ends up here in their search, there is one piece of information you'll want to have.

What energyservices and others have said here is correct regarding enabling "password management" etc.in the tunnel groups > general settings in order to enable MSCHAPv2 connections with your Radius server. It works.

However, be aware that the server test function in the AAA Server Groups area of ASDM continues to use PAP even if you've made changes to your tunnel group configuration. It always uses PAP and if your Radius server is set to allow only MSCHAPv2 connections the test will fail. The only way to accurately test your setup is with an actual VPN client.

travisr · ‎10-01-2019

Thank you! This was the last piece of the puzzle for me.