ASA cut through proxy with RADIUS challenge response?

Ian Boxsell
Level 1

Have this working for IPsec VPN on the same box (tested on 8.2.1 and 8.2.3).

Want to do cut-through proxy with challenge response - same ASA and same RADIUS server but using the aaa authentication match command, and this is what happens...

It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?

What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)

Date: 15/11/2010
Time: 3:53:57 PM
Type: Information
Source: Server
Category: RADIUS
Code: I-006001
Description: A RADIUS Access-Request has been received.
AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
Details:
Source Location : 10.xx.21.24
Client Location : 10.xx.21.230:1025
Request ID : 31
Password Protocol : PAP
Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
Action : Process

What the RADIUS Server sees with ASA cut-through proxy - THIS FAILS (any help very welcome)

Date: 17/11/2010
Time: 2:29:31 PM
Type: Warning
Source: Server
Category: RADIUS
Code: W-006001
Description: An invalid RADIUS packet has been received.
AMID: 0xC19D988F83365F20151C3F6339DEC74B
Details:
Source Location : 10.xx.21.24:1812 (Authentication)
Client Location : 10.xx.21.230:1025
Reason : The sub-protocol of the received RADIUS packet cannot be determined
Request ID : 33
Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
Request Type : Access-Request

Thanks in advance

IB

1 Reply

Herbert Baerten
Cisco Employee

Hi Ian,

sorry for the late reaction - do you still need help with this?

The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-CHAPv2.

So my guess is that your RADIUS server does not support MS-CHAPv2. If that is the case then you may want to try this:

aaa-server () host
no mschapv2-capable

Although this command is not really meant to be used in this scenario, so I'm not sure if it will work but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.

Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).

hth

Herbert
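The failing log entry in the question only shows the raw packet as hex, and the reply reasons about which password protocol each request uses. The decoder below is an added example written for this thread (it is not code from either poster or from Cisco); it parses that hex dump into the RADIUS header and attribute list so the cut-through request can be compared field by field with the VPN request that the server classified as PAP. The hex constant is copied verbatim from the "Input Details" line of the failing entry; the attribute and vendor tables cover only what is needed to name the fields in that dump plus the Microsoft MS-CHAP vendor attributes. It reports which credential-carrying attributes (User-Password, CHAP-Password, EAP-Message, or a Microsoft vendor attribute) are present, since that is what a RADIUS server uses to decide the authentication sub-protocol; for this particular dump the list comes back empty, which is consistent with the server's "sub-protocol cannot be determined" warning.

```python
# Added example for this thread, not code from the original posts: a minimal
# RADIUS Access-Request decoder using only the Python standard library.
import struct
from ipaddress import IPv4Address

# Raw packet copied from the "Input Details" field of the failing request.
FAILING_REQUEST_HEX = (
    "01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E6"
    "0506000000203D06000000051A2000000009011A69703A736F757263652D6970"
    "3D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E3430"
    "2E352E313131"
)

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
              4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
              31: "Calling-Station-Id", 60: "CHAP-Challenge",
              61: "NAS-Port-Type", 79: "EAP-Message"}
NAS_PORT_TYPES = {5: "Virtual"}
VENDOR_NAMES = {9: "Cisco", 311: "Microsoft"}
VSA_NAMES = {(9, 1): "Cisco-AVPair", (311, 11): "MS-CHAP-Challenge",
             (311, 25): "MS-CHAP2-Response"}
# Attributes that carry a credential; a server decides the sub-protocol
# (PAP, CHAP, MS-CHAP, EAP) from which of these it finds in the request.
CREDENTIAL_ATTRS = {2, 3, 79}
MICROSOFT_VENDOR = 311


def parse_attributes(blob):
    """Walk the type/length/value list in blob, expanding Vendor-Specific."""
    attrs, pos = [], 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = blob[pos + 2:pos + alen]
        if atype == 26:  # Vendor-Specific: 4-byte vendor id, then vendor TLVs
            vendor_id = struct.unpack("!I", value[:4])[0]
            for vtype, vvalue in parse_attributes(value[4:]):
                attrs.append((26, (vendor_id, vtype, vvalue)))
        else:
            attrs.append((atype, value))
        pos += alen
    return attrs


def decode_value(atype, value):
    """Render one attribute value roughly as the server log would show it."""
    if atype == 4:
        return str(IPv4Address(value))
    if atype == 5:
        return struct.unpack("!I", value)[0]
    if atype == 61:
        code = struct.unpack("!I", value)[0]
        return NAS_PORT_TYPES.get(code, code)
    if atype == 26:
        vendor_id, vtype, vvalue = value
        return (VENDOR_NAMES.get(vendor_id, vendor_id),
                VSA_NAMES.get((vendor_id, vtype), vtype),
                vvalue.decode("ascii", "replace"))
    try:
        return value.decode("ascii")
    except UnicodeDecodeError:
        return value.hex()


def parse_radius(packet):
    """Decode the 20-byte RADIUS header and the attribute list that follows."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != packet size {len(packet)}")
    attrs = parse_attributes(packet[20:length])
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length,
            "authenticator": packet[4:20].hex(),
            "attributes": [(ATTR_NAMES.get(t, t), decode_value(t, v))
                           for t, v in attrs]}


def credential_attributes(packet):
    """Names of the credential-carrying attributes present in the request."""
    found = []
    for atype, value in parse_attributes(packet[20:]):
        if atype in CREDENTIAL_ATTRS:
            found.append(ATTR_NAMES[atype])
        elif atype == 26 and value[0] == MICROSOFT_VENDOR:
            found.append(VSA_NAMES.get((311, value[1]), f"Microsoft-{value[1]}"))
    return found


def decode_failing_request():
    """Parse the dump from the thread: (decoded packet, credential attrs)."""
    packet = bytes.fromhex(FAILING_REQUEST_HEX)
    return parse_radius(packet), credential_attributes(packet)


if __name__ == "__main__":
    info, creds = decode_failing_request()
    print(f"{info['code']} id={info['id']} length={info['length']}")
    for name, value in info["attributes"]:
        print(f"  {name}: {value}")
    print("credential attributes:", creds or "none")
```

Run it and compare the attribute list with the VPN entry above: the working request carried User-Password (which is why the server logged "Password Protocol: PAP"), while this one carries only identity and NAS attributes. One caveat when sharing dumps like this: the summary lines in the post mask the NAS address and username, but the raw hex contains both in clear, so scrub the hex as carefully as the summary fields before posting it.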
