Cisco Support Community

New Member

Why do I need PAP enabled on Windows for an ASA5510 to use Radius?

We have an ASA that allows remote VPN users. It connects to a Windows 2008 server. That server connects to a radius server, also Windows 2008. Things work fine if we enable PAP on the radius server, and the remote site server. If we disable PAP on either one, we lose the ability to authenticate.

I would prefer to not use PAP.

thanks.


Accepted Solutions
Bronze

Why do I need PAP enabled on Windows for an ASA5510 to use Radi

Hello,

The ASA supports the following authentication methods with RADIUS:

PAP—For all connection types.

CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.

MS-CHAPv2—For L2TP-over-IPsec connections, and for regular IPsec remote access connections when the password management feature is enabled. You can also use MS-CHAPv2 with clientless connections.

Authentication Proxy modes—Including RADIUS to Active Directory, RADIUS to RSA/SDI, RADIUS to Token-server, and RSA/SDI to RADIUS connections.

So the default is PAP, but you can enable MS-CHAPv2 by configuring "password management" under tunnel-group.

Hope this helps

------------------
Mashal Shboul
5 REPLIES
New Member

Why do I need PAP enabled on Windows for an ASA5510 to use Radi

Is this an IPsec remote access VPN terminated on the ASA, or just VPN traffic passing through?

Can you attach your ASA configuration?

New Member

Why do I need PAP enabled on Windows for an ASA5510 to use Radi

Yes Mashal, this is in case we have the VPN terminated on the ASA and not passing through to a 3rd party VPN termination.

This is why we need to verify first.

Thanks for your information.

Tariq

New Member

Why do I need PAP enabled on Windows for an ASA5510 to use Radi

Thanks for the info.

Looks like I was missing the command "password-management". I eventually found this out in the ASDM help section. MS-CHAPv2 is now working.

Cisco Employee

Why do I need PAP enabled on Windows for an ASA5510 to use Radi

Yup, that was it, Jimmyc. Thanks for sharing.

In order to configure the ASA to communicate over MS-CHAPv2 with RADIUS, we should have "password-management" under the tunnel-group. This change would add a new field for the end user to enter the domain name; however, it's optional. If you leave it blank, it would use the local domain.

~BR
Jatin Katyal

**Do rate helpful posts**

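As an added illustration of the accepted answer and Jatin's note above (this is not configuration posted in the thread; the server address, shared secret, pool, policy and group names are assumed), the ASA aaa-server and tunnel-group pieces involved, with the PAP-only group shown beside the same group once password-management is enabled:

```cisco
! Added example, not from the thread. Address, key, pool and names are assumed.
! RADIUS server group pointing at the Windows 2008 RADIUS server.
aaa-server WIN-RADIUS protocol radius
aaa-server WIN-RADIUS (inside) host 192.0.2.10
 key CHANGE-ME-shared-secret
 authentication-port 1812
 accounting-port 1813
!
! BEFORE: remote-access tunnel-group without password-management.
! For IPsec remote-access users the ASA authenticates to RADIUS with PAP,
! so the Windows RADIUS policy must allow PAP or logins fail.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 authentication-server-group WIN-RADIUS
 default-group-policy RA-POLICY
!
! AFTER: same group with password-management. The ASA now uses MS-CHAPv2
! toward RADIUS for these connections, so PAP can be disabled on the server
! side. The client gains an optional domain field; blank means local domain.
tunnel-group RA-VPN general-attributes
 password-management
!
! Confirm the command is present before disabling PAP on the RADIUS server:
! show running-config tunnel-group RA-VPN
```

If authentication still fails after the change, check that MS-CHAPv2 is enabled in the Windows RADIUS network policy for the ASA client, since the ASA side alone does not turn it on there.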