L2TP PPP authentication protocol for ASA 5510

Is anyone using L2TP for remote access connections to an ASA 5510? If so, what PPP authentication protocol are you using?

Cisco TAC assisted in configuring the L2TP remote access on the ASA, and configured it with PAP, saying that was the only protocol that would work because the authentication server we are using is Kerberos (the server is a Windows Active Directory domain controller). I'm wary of using a protocol that sends the password in clear text. Can this be right? Shouldn't I be able to use CHAP v1 or 2?

The OS version on the ASA is 7.2(1). We're using the CLI for configuration.

2 REPLIES

Re: L2TP PPP authentication protocol for ASA 5510

I can't even get it working with L2TP. Could you perhaps post your config for me to see how you did it? And also did you regedit your XP clients?


Re: L2TP PPP authentication protocol for ASA 5510

Richard,

The stumbling blocks in our config seemed to be the authentication protocol and the pre-shared key. L2TP connections land on the DefaultRAGroup first even if you have a specifically defined remote access tunnel group (if you have debug turned on during the client login you can see this), so it is the pre-shared key defined in the default group that needs to be entered in the Windows L2TP client.

Then the authentication protocol has to be PAP, for both the default RA group and your specific tunnel group, with "no authentication chap" and "no authentication ms-chap-v1" specifically defined as well on the ASA side. Then in the Windows L2TP client, PAP has to be the only authentication protocol checked, or the login will fail.

I didn't do anything to the Windows registry on the client side; I think SP2 made that not necessary any more.

Unless the login is protected by IPsec I'm not sure why anyone would want to use PAP though, and when I asked the Cisco TAC tech if that was the case he said no. He also claims using anything but PAP will make the connection fail, which seems to be the case when I try to change it. I'm guessing this is a limitation of the ASA because of the initial landing on the default RA group, and not a limitation of Windows Kerberos, even though the Cisco tech said otherwise.

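The ASA-side configuration the reply above describes, written out as an added example; it is not the poster's or Cisco TAC's configuration and has not been taken from this thread. The server-group name AD-KERB, the realm EXAMPLE.COM, the server and pool addresses, and the policy, transform-set and crypto-map names are assumptions chosen for illustration. The part that matters for the thread is the DefaultRAGroup block: the pre-shared key there is the one the Windows client must carry, and the ppp-attributes turn CHAP and MS-CHAP v1 off (both are on by default) and turn PAP on, matching what the reply says was needed against a Kerberos authentication server.

```cisco
! Constructed example of an ASA 7.2-era L2TP/IPsec remote-access config.
! Names, addresses and realm below are assumptions, not values from the thread.

! AAA: Kerberos against the AD domain controller (host and realm assumed)
aaa-server AD-KERB protocol kerberos
aaa-server AD-KERB (inside) host 192.0.2.10
 kerberos-realm EXAMPLE.COM

! Address pool handed to L2TP clients (assumed range)
ip local pool L2TP-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! Group policy that permits L2TP/IPsec
group-policy L2TP-POLICY internal
group-policy L2TP-POLICY attributes
 vpn-tunnel-protocol l2tp-ipsec

! Windows L2TP clients land on DefaultRAGroup, so the PSK and the PPP
! authentication settings must be correct here, not only on a named group.
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 authentication-server-group AD-KERB
 default-group-policy L2TP-POLICY
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <same-key-entered-in-the-windows-client>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication pap

! IPsec in transport mode for L2TP; NAT-T so clients behind NAT can connect
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TS mode transport
crypto dynamic-map DYN-MAP 10 set transform-set L2TP-TS
crypto map OUTSIDE-MAP 10 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
```

On the cleartext concern: with L2TP/IPsec the PPP exchange, including the PAP username and password, is carried inside the ESP tunnel, so it is not visible on the wire between the client and the ASA. What PAP does expose is the password to the ASA itself, and that is why it pairs with a Kerberos backend: the ASA has to obtain a ticket on the user's behalf, which requires the password, whereas CHAP and MS-CHAP v1 need the authentication server to verify a challenge response from a stored password or hash, which a Kerberos AS exchange cannot do. 3DES/SHA-1/group 2 is what the Windows XP-era client negotiates; on platforms that support it, prefer AES. "debug crypto isakmp" during a client login shows the tunnel group the connection is mapped to.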