Force Radius and Cisco Router 2921 to use PAP

Unanswered Question


I have a problem to make a Cisco Router 2921 communicate to a radius server using PAP.

Our customer is using SMSPasscode which requires Challenge response request using PAP only.

It is working like that: the remote users are logging on the HUB location network with Cisco VPN client and they authenticate using their windows login.

Then they receive an SMS with a code which they enter in order to etablich the VPN communication with the HUB location.

I attach the EasyVPN server config of the Cisco 2921: EasyVPNConfigForRadiusAuthentication.txt

I also attach a debug of the communication between the radius server and the Cisco 2921 when a remote user attempt to connect via Cisco VPN client:


As you can see from the debug (see the radius part debug) there is some CHAP communication initiating from the Cisco Router.

Our Customer was using an Cisco ASA until now as a EasyVPN server and everything was working find. I think the ASA is using PAP as default to communicate with radius but I am not sure.

Any ideas for configuring the Cisco 2921 to use PAP to communicate with the radius server?

Best Regards,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


I have an update to this post:

Our customer are using SMSPasscode in combination with their EasyVPN
remote users.
The problem is that the EasyVPN remote users cannot use their UPN windows username(for
example: [email protected]) cause the router is talking MS-CHAP V2. We would like to change
this to MS-CHAP V1 or PAP.

The other issues is that the EasyVPN remote users are being asked for domain name when
they try to log on. Would it be possibe to remove the domain field from the Cisco router
challenge to EasyVPN remote users.

Last issue is that the Cisco Router 2921 ask the remote users to enter the Pin code 2
times instead for one.

Thanks again for your help.



This Discussion