cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5196
Views
0
Helpful
4
Replies

How to get ASA 5510 to use CHAP via RADIUS authenication

herijoensen
Level 1
Level 1

I've setup my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satsified with at the moment is, that RADIUS is using PAP for communicating between ASA5510 and W2K8/NAP.

I've tried ticking the box "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server.

From EventViewer on W2K8/NAP I get Event ID 6278 and 6272., see attached file

Does anyone know how I change from the PAP to the CHAP protocol?

PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)

1 Accepted Solution

Accepted Solutions

Hello,

The best practice for Device management would be to implement TACACS+ as it encrypts all the packet information and not only the Username Password as RADIUS does. With RADIUS you will only get the behavior you are getting right now.

As per your concern in regards to PAP and RADIUS please review the RFC 2865 information included below:

2.2.  Interoperation with PAP and CHAP

   For PAP, the NAS takes the PAP ID and password and sends them in an
   Access-Request packet as the User-Name and User-Password. The NAS MAY
   include the Attributes Service-Type = Framed-User and Framed-Protocol
   = PPP as a hint to the RADIUS server that PPP service is expected.

   For CHAP, the NAS generates a random challenge (preferably 16 octets)
   and sends it to the user, who returns a CHAP response along with a
   CHAP ID and CHAP username.  The NAS then sends an Access-Request
   packet to the RADIUS server with the CHAP username as the User-Name
   and with the CHAP ID and CHAP response as the CHAP-Password
   (Attribute 3).  The random challenge can either be included in the
   CHAP-Challenge attribute or, if it is 16 octets long, it can be
   placed in the Request Authenticator field of the Access-Request
   packet.  The NAS MAY include the Attributes Service-Type = Framed-
   User and Framed-Protocol = PPP as a hint to the RADIUS server that
   PPP service is expected.

   The RADIUS server looks up a password based on the User-Name,
   encrypts the challenge using MD5 on the CHAP ID octet, that password,
   and the CHAP challenge (from the CHAP-Challenge attribute if present,
   otherwise from the Request Authenticator), and compares that result
   to the CHAP-Password.  If they match, the server sends back an
   Access-Accept, otherwise it sends back an Access-Reject.

   If the RADIUS server is unable to perform the requested
   authentication it MUST return an Access-Reject.  For example, CHAP
   requires that the user's password be available in cleartext to the
   server so that it can encrypt the CHAP challenge and compare that to
   the CHAP response.  If the password is not available in cleartext to
   the RADIUS server then the server MUST send an Access-Reject to the
   client.

Hope this clarifies it. If you feel that the appropriate answer has been provided please mark the post as "Answered" for future reference for our Community members.

View solution in original post

4 Replies 4

camejia
Level 3
Level 3

Hello,

If you are authenticating VPN Access then you can configure "password-management" under the Tunnel Group for the ASA to use MSCHAPv2.

If you are performing the "test" command or using the "test" feature of the ASDM AAA server that request will always be over PAP.

If you are using RADIUS for Management access on the ASA then the request will only encrypt the password. This applies for Telnet/SSH connections but for VPN you might want to try the above suggestion.

Hope this helps.

Regards.

Thanks for your answer.

My focus on RADIUS for management access.

The connection between ASA 5510 and my W2K8/NAP is encrypted with a radius-key (its a preshared key). Where is the PAP then used?

Anyone how know whats bestpratice in this area?

Hello,

The best practice for Device management would be to implement TACACS+ as it encrypts all the packet information and not only the Username Password as RADIUS does. With RADIUS you will only get the behavior you are getting right now.

As per your concern in regards to PAP and RADIUS please review the RFC 2865 information included below:

2.2.  Interoperation with PAP and CHAP

   For PAP, the NAS takes the PAP ID and password and sends them in an
   Access-Request packet as the User-Name and User-Password. The NAS MAY
   include the Attributes Service-Type = Framed-User and Framed-Protocol
   = PPP as a hint to the RADIUS server that PPP service is expected.

   For CHAP, the NAS generates a random challenge (preferably 16 octets)
   and sends it to the user, who returns a CHAP response along with a
   CHAP ID and CHAP username.  The NAS then sends an Access-Request
   packet to the RADIUS server with the CHAP username as the User-Name
   and with the CHAP ID and CHAP response as the CHAP-Password
   (Attribute 3).  The random challenge can either be included in the
   CHAP-Challenge attribute or, if it is 16 octets long, it can be
   placed in the Request Authenticator field of the Access-Request
   packet.  The NAS MAY include the Attributes Service-Type = Framed-
   User and Framed-Protocol = PPP as a hint to the RADIUS server that
   PPP service is expected.

   The RADIUS server looks up a password based on the User-Name,
   encrypts the challenge using MD5 on the CHAP ID octet, that password,
   and the CHAP challenge (from the CHAP-Challenge attribute if present,
   otherwise from the Request Authenticator), and compares that result
   to the CHAP-Password.  If they match, the server sends back an
   Access-Accept, otherwise it sends back an Access-Reject.

   If the RADIUS server is unable to perform the requested
   authentication it MUST return an Access-Reject.  For example, CHAP
   requires that the user's password be available in cleartext to the
   server so that it can encrypt the CHAP challenge and compare that to
   the CHAP response.  If the password is not available in cleartext to
   the RADIUS server then the server MUST send an Access-Reject to the
   client.

Hope this clarifies it. If you feel that the appropriate answer has been provided please mark the post as "Answered" for future reference for our Community members.

Thanks for the quick reply

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: