09-08-2010 08:17 AM - edited 03-10-2019 05:23 PM
Hello,
I have a problem to make a Cisco Router 2921 communicate to a radius server using PAP.
Our customer is using SMSPasscode which requires Challenge response request using PAP only.
It is working like that: the remote users are logging on the HUB location network with Cisco VPN client and they authenticate using their windows login.
Then they receive an SMS with a code which they enter in order to etablich the VPN communication with the HUB location.
I attach the EasyVPN server config of the Cisco 2921: EasyVPNConfigForRadiusAuthentication.txt
I also attach a debug of the communication between the radius server and the Cisco 2921 when a remote user attempt to connect via Cisco VPN client:
DebugCisco2921_WithRadiusServer.txt
As you can see from the debug (see the radius part debug) there is some CHAP communication initiating from the Cisco Router.
Our Customer was using an Cisco ASA until now as a EasyVPN server and everything was working find. I think the ASA is using PAP as default to communicate with radius but I am not sure.
Any ideas for configuring the Cisco 2921 to use PAP to communicate with the radius server?
Best Regards,
Laurent
09-10-2010 04:16 AM
Hi,
I have an update to this post:
Our customer are using SMSPasscode in combination with their EasyVPN
remote users.
The problem is that the EasyVPN remote users cannot use their UPN windows username(for
example: jkl@domain.dk) cause the router is talking MS-CHAP V2. We would like to change
this to MS-CHAP V1 or PAP.
The other issues is that the EasyVPN remote users are being asked for domain name when
they try to log on. Would it be possibe to remove the domain field from the Cisco router
challenge to EasyVPN remote users.
Last issue is that the Cisco Router 2921 ask the remote users to enter the Pin code 2
times instead for one.
Thanks again for your help.
Regards,
Laurent
09-13-2010 12:02 AM
Hi,
So I fix the issue. The issue was due to passwd-expiry:
aaa authentication login EasyVPN_SMSPasscode_XauthVPN passwd-expiry group SMSPasscode. See link:
http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80478ad7.html
Passwd-expiry cause the router to use MS-CHAPV2 and tells the VPN client that their Microsoft Windows password has expired.
It my case with SMSPasscode that is using PAP this was not working so I removed passwd-expiry.
Best Regards,
Laurent
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: