Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member


When using a RADIUS to authentication a VPN user with user accounts in Active Directory, do you have to use MS-CHAP 2 to avoid entering username / pw twice? For my test, I can login using my network ID with unencrypted password but when I use MS-CHAP 2 I cannot login. Is this something that needs to be enabled on the PIX?

for example, let's say I log into ACME VPN - steps will be

1. connect to ACME VPN using group username / pw

2. when prompted for username password, I enter in network username / pw

3. connected to VPN / tunnel created

4. when trying to open a network share on a server nydc02 I'm prompted for username / pw again

Basically I'm trying to avoid step #4 so that I only have to enter in a username / pw one time.



A Virtual Private Dial-up Network (VPDN) allows a private network dial in service to span across to remote access servers (defined as the L2TP Access Concentrator [LAC]). When a Point-to-Point Protocol (PPP) client dials into a LAC, the LAC determines that it should forward that PPP session on to an L2TP Network Server (LNS) for that client, which then authenticates the user and starts the PPP negotiation. Once PPP setup has completed, all frames are sent through the LAC to the client and the LNS.

New Member


Our experience is yes, we must log on twice. First the remote user must log onto his workstation with cached AD domain credentials (because there is no connectivity to the DC). Next, the workstation attempts to establish the connection to the VPN concentrator, which then passes the connection request to the RADIUS server. He then gets prompted again (by the RADIUS) for his actual domain credentials. After the second login he is authenticated into the domain. After the first, he is only authenticated into the local workstation.

CreatePlease to create content