Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SSH authentication from ASA5505 to ACS 5.3 Not Using PAP

Hello there, i am evaluating ACS 5.3 with an ASA5505, by using password management in the IPSec tunnel config i am able to authenticate the VPN clients using mschapv2, however, the SSH sessions are authenticated using PAP

I have looked for days and days for an answer without success, is this by design?

Cisco documents state that SSH can be authenticated via  TACACS with PAP,CHAP or MSCHAPv1, however, i have no idea how to get this done. It seems to be default to PAP

From Cisco Doc:

TACACS+ Server Support

The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1

Ps: I know the "test" feature on ASA uses PAP.

Thanks!

1 REPLY

SSH authentication from ASA5505 to ACS 5.3 Not Using PAP

Ricardo,

I think the documentation may leave you hanging in this case, you can use tacacs to authentication PPP connections hence that is why the section in the AAA for management specifies that TACACS supports chap authentication, but in the chart below this is for PPP authentication.

www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html#wp1090907

Table 62-1     AAA Server Support and PPP Authentication Types


AAA Server Type
Supported PPP Authentication Types

LOCAL

PAP, MSCHAPv1, MSCHAPv2

RADIUS

PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy

TACACS+

PAP, CHAP, MSCHAPv1

LDAP

PAP

NT

PAP

Kerberos

PAP

SDI

SDI

Hope this helps,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
559
Views
0
Helpful
1
Replies