New Member

ASA 5510 - RADIUS authentication only using PAP!

Hi All,

I'm trying to move from local authentication to RADIUS authentication. I put a check mark on "MSCHAPv2 Capable", but the ASA uses PAP to request authentication from the RADIUS server. Authentication is rejected because my IAS server requires Encrypted MSCHAP or MSCHAP v2. I did enable password management, but it didn't help.


I'm not a pro, so most likely I'm missing something. Any help pointing in the right direction will be appreciated.

Thanks,

Alex

9 REPLIES

Re: ASA 5510 - RADIUS authentication only using PAP!

Hi,

I had this same issue before, and the ASA only supported PAP for authentication against RADIUS.

I'm not sure if this behavior has changed with new releases.

I will check it out.

Federico.

New Member

Re: ASA 5510 - RADIUS authentication only using PAP!

I already updated to the latest release and it didn't help. I have searched the Internet and found that it is possible to do that, but no one can explain how. I'm more than sure that this unit can do it, but I don't know how.

New Member

Re: ASA 5510 - RADIUS authentication only using PAP!

Hi Alex. I have a similar issue here. PAP works just fine, but MSCHAP over EAP fails. The error message is "15047 MsCHAP is not allowed". There is no explanation for the error. I use the ACS internal database, though, instead of AD.

New Member

Re: ASA 5510 - RADIUS authentication only using PAP!

This is from help:

To enable MS-CHAPv2 as the protocol used between the security appliance and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the security appliance to the RADIUS server. See the description of the password-management command for details.

I finally ended up using Kerberos authentication. It works perfectly fine and is more secure than PAP. I advise you to do the same unless you can figure out the way to make MSCHAPv2 work.

New Member

Re: ASA 5510 - RADIUS authentication only using PAP!

I think my problem is solved. I forgot to allow MSCHAPv2 under Access Policies/Default Network Access/Allowed Protocols.

New Member

Re: ASA 5510 - RADIUS authentication only using PAP!

I enabled password management and now it is using MS-CHAPv2. Thanks for the pointer energyservices.

New Member

ASA 5510 - RADIUS authentication only using PAP!

I had the same problem; enabling password-management fixed it. Documentation, if it exists, is very, very difficult to find. Eventually I got it by reading ASDM Help.

Cisco Employee

Re: ASA 5510 - RADIUS authentication only using PAP!

I tried to explain it here.

https://supportforums.cisco.com/message/4042903#4042903

Thanks, Jimmyc, for updating the thread with your findings.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

MSCHAPv2 works, but test function doesn't!

I realize this topic is quite long in the tooth. But, to help out anyone who's having trouble and ends up here in their search, there is one piece of information you'll want to have.

What energyservices and others have said here is correct regarding enabling "password management" etc. in the tunnel groups > general settings in order to enable MSCHAPv2 connections with your RADIUS server. It works.

However, be aware that the server test function in the AAA Server Groups area of ASDM continues to use PAP even if you've made changes to your tunnel group configuration. It always uses PAP, and if your RADIUS server is set to allow only MSCHAPv2 connections, the test will fail. The only way to accurately test your setup is with an actual VPN client.
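For anyone who lands here and works from the CLI rather than ASDM, the following is an added example of what the fix described in this thread looks like as ASA configuration. It is not config posted by anyone in the thread or taken from Cisco documentation; the server-group name RADIUS-IAS, the interface name, the address 192.0.2.10, the tunnel-group name MYVPN and the shared-secret placeholder are all assumed values to replace with your own. The `mschapv2-capable` line is the CLI equivalent of the "MSCHAPv2 Capable" checkbox mentioned in the original post; `password-management` under the tunnel group's general attributes is the setting that makes the ASA send an MS-CHAPv2 request instead of PAP.

```text
! --- RADIUS server group and host (names/addresses are assumed) ---
aaa-server RADIUS-IAS protocol radius
aaa-server RADIUS-IAS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 mschapv2-capable

! --- Tunnel group: password-management is what switches PAP -> MS-CHAPv2 ---
tunnel-group MYVPN general-attributes
 authentication-server-group RADIUS-IAS
 password-management
```

Two things to keep in mind when checking the result: on the IAS side the policy must allow MS-CHAPv2 (the "Allowed Protocols" fix reported above), and, as the previous post notes, the ASDM server test keeps using PAP regardless of the tunnel-group settings, so a failing test against an MS-CHAPv2-only server does not mean the VPN configuration is wrong. Verify with a real VPN client and the RADIUS server's own event log.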
