Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to get ASA 5510 to use CHAP via RADIUS authenication

I've setup my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satsified with at the moment is, that RADIUS is using PAP for communicating between ASA5510 and W2K8/NAP.

I've tried ticking the box "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server.

From EventViewer on W2K8/NAP I get Event ID 6278 and 6272., see attached file

Does anyone know how I change from the PAP to the CHAP protocol?

PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)

Everyone's tags (6)
1 ACCEPTED SOLUTION

Accepted Solutions
Silver

How to get ASA 5510 to use CHAP via RADIUS authenication

Hello,

The best practice for Device management would be to implement TACACS+ as it encrypts all the packet information and not only the Username Password as RADIUS does. With RADIUS you will only get the behavior you are getting right now.

As per your concern in regards to PAP and RADIUS please review the RFC 2865 information included below:

2.2.  Interoperation with PAP and CHAP

   For PAP, the NAS takes the PAP ID and password and sends them in an
   Access-Request packet as the User-Name and User-Password. The NAS MAY
   include the Attributes Service-Type = Framed-User and Framed-Protocol
   = PPP as a hint to the RADIUS server that PPP service is expected.

   For CHAP, the NAS generates a random challenge (preferably 16 octets)
   and sends it to the user, who returns a CHAP response along with a
   CHAP ID and CHAP username.  The NAS then sends an Access-Request
   packet to the RADIUS server with the CHAP username as the User-Name
   and with the CHAP ID and CHAP response as the CHAP-Password
   (Attribute 3).  The random challenge can either be included in the
   CHAP-Challenge attribute or, if it is 16 octets long, it can be
   placed in the Request Authenticator field of the Access-Request
   packet.  The NAS MAY include the Attributes Service-Type = Framed-
   User and Framed-Protocol = PPP as a hint to the RADIUS server that
   PPP service is expected.

   The RADIUS server looks up a password based on the User-Name,
   encrypts the challenge using MD5 on the CHAP ID octet, that password,
   and the CHAP challenge (from the CHAP-Challenge attribute if present,
   otherwise from the Request Authenticator), and compares that result
   to the CHAP-Password.  If they match, the server sends back an
   Access-Accept, otherwise it sends back an Access-Reject.

   If the RADIUS server is unable to perform the requested
   authentication it MUST return an Access-Reject.  For example, CHAP
   requires that the user's password be available in cleartext to the
   server so that it can encrypt the CHAP challenge and compare that to
   the CHAP response.  If the password is not available in cleartext to
   the RADIUS server then the server MUST send an Access-Reject to the
   client.

Hope this clarifies it. If you feel that the appropriate answer has been provided please mark the post as "Answered" for future reference for our Community members.

4 REPLIES
Silver

How to get ASA 5510 to use CHAP via RADIUS authenication

Hello,

If you are authenticating VPN Access then you can configure "password-management" under the Tunnel Group for the ASA to use MSCHAPv2.

If you are performing the "test" command or using the "test" feature of the ASDM AAA server that request will always be over PAP.

If you are using RADIUS for Management access on the ASA then the request will only encrypt the password. This applies for Telnet/SSH connections but for VPN you might want to try the above suggestion.

Hope this helps.

Regards.

New Member

How to get ASA 5510 to use CHAP via RADIUS authenication

Thanks for your answer.

My focus on RADIUS for management access.

The connection between ASA 5510 and my W2K8/NAP is encrypted with a radius-key (its a preshared key). Where is the PAP then used?

Anyone how know whats bestpratice in this area?

Silver

How to get ASA 5510 to use CHAP via RADIUS authenication

Hello,

The best practice for Device management would be to implement TACACS+ as it encrypts all the packet information and not only the Username Password as RADIUS does. With RADIUS you will only get the behavior you are getting right now.

As per your concern in regards to PAP and RADIUS please review the RFC 2865 information included below:

2.2.  Interoperation with PAP and CHAP

   For PAP, the NAS takes the PAP ID and password and sends them in an
   Access-Request packet as the User-Name and User-Password. The NAS MAY
   include the Attributes Service-Type = Framed-User and Framed-Protocol
   = PPP as a hint to the RADIUS server that PPP service is expected.

   For CHAP, the NAS generates a random challenge (preferably 16 octets)
   and sends it to the user, who returns a CHAP response along with a
   CHAP ID and CHAP username.  The NAS then sends an Access-Request
   packet to the RADIUS server with the CHAP username as the User-Name
   and with the CHAP ID and CHAP response as the CHAP-Password
   (Attribute 3).  The random challenge can either be included in the
   CHAP-Challenge attribute or, if it is 16 octets long, it can be
   placed in the Request Authenticator field of the Access-Request
   packet.  The NAS MAY include the Attributes Service-Type = Framed-
   User and Framed-Protocol = PPP as a hint to the RADIUS server that
   PPP service is expected.

   The RADIUS server looks up a password based on the User-Name,
   encrypts the challenge using MD5 on the CHAP ID octet, that password,
   and the CHAP challenge (from the CHAP-Challenge attribute if present,
   otherwise from the Request Authenticator), and compares that result
   to the CHAP-Password.  If they match, the server sends back an
   Access-Accept, otherwise it sends back an Access-Reject.

   If the RADIUS server is unable to perform the requested
   authentication it MUST return an Access-Reject.  For example, CHAP
   requires that the user's password be available in cleartext to the
   server so that it can encrypt the CHAP challenge and compare that to
   the CHAP response.  If the password is not available in cleartext to
   the RADIUS server then the server MUST send an Access-Reject to the
   client.

Hope this clarifies it. If you feel that the appropriate answer has been provided please mark the post as "Answered" for future reference for our Community members.

New Member

How to get ASA 5510 to use CHAP via RADIUS authenication

Thanks for the quick reply

3010
Views
0
Helpful
4
Replies
CreatePlease login to create content