Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
981
Views
0
Helpful
2
Replies

Force Radius and Cisco Router 2921 to use PAP

lap
Level 2
Level 2

‎09-08-2010 08:17 AM - edited ‎03-10-2019 05:23 PM

Hello,

I have a problem to make a Cisco Router 2921 communicate to a radius server using PAP.

Our customer is using SMSPasscode which requires Challenge response request using PAP only.

It is working like that: the remote users are logging on the HUB location network with Cisco VPN client and they authenticate using their windows login.

Then they receive an SMS with a code which they enter in order to etablich the VPN communication with the HUB location.

I attach the EasyVPN server config of the Cisco 2921: EasyVPNConfigForRadiusAuthentication.txt

I also attach a debug of the communication between the radius server and the Cisco 2921 when a remote user attempt to connect via Cisco VPN client:

DebugCisco2921_WithRadiusServer.txt

As you can see from the debug (see the radius part debug) there is some CHAP communication initiating from the Cisco Router.

Our Customer was using an Cisco ASA until now as a EasyVPN server and everything was working find. I think the ASA is using PAP as default to communicate with radius but I am not sure.

Any ideas for configuring the Cisco 2921 to use PAP to communicate with the radius server?

Best Regards,

Laurent

Labels:
71764-EasyVPNConfigForRadiusAuthentication.txt.zip
71763-DebugCisco2921_WithRadiusServer.txt.zip
0 Helpful
2 Replies 2

lap
Level 2
Level 2

‎09-10-2010 04:16 AM

Hi,

I have an update to this post:

Our customer are using SMSPasscode in combination with their EasyVPN
remote users. 
The problem is that the EasyVPN remote users cannot use their UPN windows username(for
example: jkl@domain.dk) cause the router is talking MS-CHAP V2. We would like to change
this to MS-CHAP V1 or PAP.

The other issues is that the EasyVPN remote users are being asked for domain name when
they try to log on. Would it be possibe to remove the domain field from the Cisco router
challenge to EasyVPN remote users.

Last issue is that the Cisco Router 2921 ask the remote users to enter the Pin code 2
times instead for one.



Thanks again for your help.

Regards,
Laurent

0 Helpful

lap
Level 2
Level 2
In response to lap

‎09-13-2010 12:02 AM

Hi,

So I fix the issue. The issue was due to passwd-expiry:

aaa authentication login EasyVPN_SMSPasscode_XauthVPN passwd-expiry group SMSPasscode. See link:

http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80478ad7.html

Passwd-expiry cause the router to use MS-CHAPV2 and tells the VPN client that their Microsoft Windows password has expired.

It my case with SMSPasscode that is using PAP this was not working so I removed passwd-expiry.

Best Regards,

Laurent

0 Helpful
Customers Also Viewed These Support Documents