Altiga3005 not working with PPTP/ACS (Radius)/RSA ACE
We have some trouble with the following solution: Altiga 3005 with PPTP to Cisco Secure ACS (RADIUS) to RSA ACE for SecurID.
The problem is that the unknown users shall go to the RSA Ace server and it seems to not accept MS-CHAP. It works if we force the clients to PAP, but then we cannot use encryption at all. PPTP requires MS-CHAP.
MS-CHAP v1 or 2.
Cisco ACS v2.6 (only has MS-CHAP v1)
RSA ACE server v.5.x
Altiga 3005 v.3.5 k9
Please realize that we know IPSEC is better, but internal politics prevent 3rd party clients and L2TP/IPSEC will not function through NAT. So we try PPTP but want the SecurID for authentication.
Anyone have an idea how to get these three boxes to work correctly together?
Re: Altiga3005 not working with PPTP/ACS (Radius)/RSA ACE
Unfortunately, you cannot use MS-CHAP (v1 or v2) with PPTP and an RSA ACE server; you must use PAP (as you have discovered). When using PPTP, the 3005 needs to see the password in the clear so it can put it in the SDI authentication request packet (encrypted) to send to the SDI server.
MS-CHAP is a one-way hash of the password. It never gets unencrypted and CAN'T be unencrypted. It has to be sent to the auth server as-is and compared with the one-way hash of the password on the auth server. If the two hashes are identical, then the password is the same and the user is authenticated. As far as I know, the RSA ACE Server does NOT have the capability to accept the password in the SDI authentication request as an MS-CHAP one-way hash. Sorry.
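The reply's point is structural: the box that verifies a challenge/response must hold the secret (or a hash of it) itself, while a one-time-passcode server only matches the code the user typed. The following toy model of the three boxes in this thread (PPTP client, Altiga/NAS, SDI-style token server) is an added example and is not Cisco, RSA or the poster's code. It assumes an HMAC-based passcode generator standing in for SecurID and models the MS-CHAP response as HMAC(challenge, secret) rather than the real DES-based NT response; user names and seeds are constructed.

```python
"""Toy model of PAP vs MS-CHAP in front of an equality-matching token server.

Added example, not Cisco/RSA code. Assumptions: the token server generates
passcodes as HMAC(seed, time window) (stand-in for SecurID) and the MS-CHAP
response is HMAC(secret, challenge) (stand-in for the DES-based NT response).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class TokenServer:
    """SDI-style server: knows each user's token seed, matches passcodes by equality."""
    seeds: dict  # user -> seed bytes (constructed)

    def expected_passcode(self, user: str, window: int) -> str:
        # Six-digit code derived from the seed and the current time window.
        mac = hmac.new(self.seeds[user], window.to_bytes(8, "big"), hashlib.sha256).digest()
        return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)

    def authenticate(self, user: str, passcode: str, window: int) -> bool:
        # The only operation the server offers: "is this the passcode I expect?"
        if user not in self.seeds:
            return False
        return hmac.compare_digest(self.expected_passcode(user, window), passcode)


def mschap_response(challenge: bytes, secret: str) -> bytes:
    """Client side of MS-CHAP (modelled): a response derived from the secret.

    The NAS receives only this value; it cannot recover `secret` from it.
    """
    return hmac.new(secret.encode(), challenge, hashlib.sha256).digest()


class NAS:
    """The Altiga/VPN concentrator: terminates PPTP, forwards auth to the token server."""

    def __init__(self, token_server: TokenServer):
        self.ts = token_server

    def pap_login(self, user: str, passcode: str, window: int) -> bool:
        # PAP: the NAS sees the passcode in the clear and can place it in the
        # (encrypted) SDI request exactly as the reply describes.
        return self.ts.authenticate(user, passcode, window)

    def mschap_login(self, user: str, response: bytes, window: int) -> bool:
        # MS-CHAP: the NAS holds a one-way response, not the passcode. The only
        # thing it can forward is the response itself, which an equality-matching
        # token server will never accept as a six-digit code.
        return self.ts.authenticate(user, response.hex(), window)


def run_demo(window: int = 1_234_567) -> dict:
    """Run both authentication paths for a constructed user; return the outcomes."""
    ts = TokenServer(seeds={"alice": b"constructed-seed-for-alice"})  # constructed
    nas = NAS(ts)
    passcode = ts.expected_passcode("alice", window)  # what the token display shows

    # PAP path: client sends the passcode itself.
    pap_ok = nas.pap_login("alice", passcode, window)

    # MS-CHAP path: NAS issues a challenge, client answers with a derived response.
    challenge = os.urandom(16)
    response = mschap_response(challenge, passcode)
    mschap_ok = nas.mschap_login("alice", response, window)

    # Control: a wrong passcode over PAP is also rejected.
    wrong = "000000" if passcode != "000000" else "000001"
    wrong_pap = nas.pap_login("alice", wrong, window)

    return {"pap": pap_ok, "mschap": mschap_ok, "wrong_passcode": wrong_pap}


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the PAP path succeeding and the MS-CHAP path failing for the reason the reply gives: nothing the NAS holds after an MS-CHAP exchange can be turned back into the one-time passcode the SDI server compares against. Note that PAP only puts the passcode in the clear on the PPTP leg; in the real deployment the RADIUS and SDI hops still encrypt or obscure it, and a SecurID passcode is single-use, which limits what a PPTP eavesdropper gains.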