Cisco Support Community
Altiga3005 not working with PPTP/ACS (Radius)/RSA ACE

Hello,

We have some trouble with the following solution: Altiga 3005 with PPTP to Cisco Secure ACS (Radius) to RSA ACE for SecurID

The problem is that the unknown users shall go to the RSA Ace server and it seems to not accept MS-CHAP. It works if we force the clients to PAP, but then we cannot use encryption at all. PPTP requires MS-CHAP.

Versions:

MS-CHAP v1 or 2.

Cisco ACS v2.6 (only has MS_CHAP v1)

RSA Ace server v.5.x

Altiga 3005 v.3.5 k9

Please realize that we know IPSEC is better, but internal politics prevent 3rd party clients and L2TP/IPSEC will not function thru NAT. So we try PPTP but want the SecurID for authentication.

Anyone have an idea how to get these three boxes to work correctly together?

Thanks a lot.

Regards,

Rick Locke

Novo Nordisk IT

1 REPLY

Re: Altiga3005 not working with PPTP/ACS (Radius)/RSA ACE

Unfortunately, you cannot use MS-CHAP (v1 or v2) with PPTP and an RSA ACE server, you must use PAP (as you have discovered). When using PPTP, the 3005 needs to see the password in the clear so it can put it in the SDI authentication request packet (encrypted) to send to the SDI server.

MS-CHAP is a one-way hash of the password. It never gets unencrypted and CAN'T be unencrypted. It has to be sent to the auth server as-is and compared with the one-way hash of the password on the auth server. If the two hashes are identical, then the password is the same and the user is authenticated. As far as I know, the RSA ACE Server does NOT have the capability to accept the password in the SDI authentication request as an MS-CHAP one-way hash. Sorry.
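The structural point in the reply above (a relay can forward a cleartext PAP password to any backend, but a one-way challenge/response can only be checked by a verifier that holds the secret and recomputes the same function) modelled as an added Python example. This is illustration code, not Cisco, RSA or the poster's code: the six-digit token generator is a constructed HMAC-based stand-in, not RSA's algorithm, the simplified CHAP response is a plain hash over challenge and secret rather than MS-CHAP's real construction, and the class names, the 60-second step and the sample user/PIN/seed are all assumed.

```python
import hashlib
import hmac

STEP = 60  # assumed seconds per token code; not RSA's real parameter


def token_code(seed: bytes, now: int) -> str:
    """Constructed six-digit time-based code standing in for the hardware token display."""
    counter = (now // STEP).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def chap_response(challenge: bytes, secret: str) -> bytes:
    """Simplified CHAP-style response: one-way hash over challenge and secret.
    Not MS-CHAP's actual construction; enough to show the verification constraint."""
    return hashlib.sha256(challenge + secret.encode()).digest()


class OtpBackend:
    """Stand-in for an SDI/ACE-style server: it only knows how to check a plaintext passcode
    (PIN + current token code), so it exposes no challenge/response verifier."""

    def __init__(self, users: dict):
        self._users = users  # user -> (PIN, token seed); constructed sample data

    def verify_passcode(self, user: str, passcode: str, now: int) -> bool:
        pin, seed = self._users[user]
        expected = pin + token_code(seed, now)
        return hmac.compare_digest(expected, passcode)


class PasswordBackend:
    """A backend that stores a static per-user secret can verify a challenge/response,
    because it can recompute the same one-way function the client used."""

    def __init__(self, users: dict):
        self._users = users  # user -> static password

    def verify_chap(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = chap_response(challenge, self._users[user])
        return hmac.compare_digest(expected, response)


class Concentrator:
    """Stand-in for the VPN concentrator that relays PPP authentication to a backend."""

    def __init__(self, backend):
        self._backend = backend

    def authenticate_pap(self, user: str, password: str, now: int) -> tuple:
        # PAP delivers the password in the clear, so the relay can place it verbatim
        # in the request it sends to the backend.
        if hasattr(self._backend, "verify_passcode"):
            return self._backend.verify_passcode(user, password, now), "passcode forwarded"
        return False, "backend cannot check a plaintext password"

    def authenticate_chap(self, user: str, challenge: bytes, response: bytes) -> tuple:
        # The response cannot be turned back into the password, so the relay has nothing
        # to forward; only a backend that holds the secret and implements the same
        # hash can check it.
        if hasattr(self._backend, "verify_chap"):
            return self._backend.verify_chap(user, challenge, response), "response verified by backend"
        return False, "backend accepts only plaintext passcodes; cannot verify a one-way hash"


# Constructed sample data for a stand-alone run.
SAMPLE_SEED = b"constructed-token-seed"
SAMPLE_NOW = 1_000_000
OTP_USERS = {"alice": ("1234", SAMPLE_SEED)}
PW_USERS = {"alice": "static-password"}


def demo() -> dict:
    """Run the four relay/backend combinations and return the outcomes."""
    otp_relay = Concentrator(OtpBackend(OTP_USERS))
    pw_relay = Concentrator(PasswordBackend(PW_USERS))
    challenge = b"\x01\x02\x03\x04"
    passcode = "1234" + token_code(SAMPLE_SEED, SAMPLE_NOW)
    return {
        "pap_to_otp": otp_relay.authenticate_pap("alice", passcode, SAMPLE_NOW),
        "pap_to_otp_wrong": otp_relay.authenticate_pap("alice", "1234badbad", SAMPLE_NOW),
        "chap_to_otp": otp_relay.authenticate_chap(
            "alice", challenge, chap_response(challenge, passcode)),
        "chap_to_password": pw_relay.authenticate_chap(
            "alice", challenge, chap_response(challenge, "static-password")),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({why})")
```

The `chap_to_otp` case is the one the thread is about: the relay receives a valid-looking response, but the token backend exposes no way to verify it, so the only path that reaches a decision is the PAP one where the passcode travels in the clear.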
