Encryption between ASA and AAA server

Hi,

I have created an SSL VPN and it is working perfectly. However, it seems like I can't encrypt the user authentication traffic between the ASA and AAA server. Any ideas?

Please help.

Regards,


Hi Emmanuel,

Which authentication method are you using between the ASA and the AAA server for SSL user authentication?

You're saying the authentication works well but in clear text? How are you trying to encrypt this traffic?

Federico.

Hi,

Yes, the authentication is clear text and working fine. I am trying to encrypt this. I am using the ASDM to configure and I don't have an option to choose between PAP, CHAP, MS-CHAP or MS-CHAP V2. It seems like it is defaulted to PAP, which is unencrypted.

On the same ASA, I do have the IPsec configurations and with that I can choose the authentication method, but I can't do that with the SSL VPN.

Regards,

Which authentication method do you use for IPsec VPN users that authenticate against the AAA? (Radius, TACACS+, etc.)

Is this AAA an ACS?

Federico.

It is Radius. We are using our AD server.

Emmanuel,

You have a Radius server authenticating the remote IPsec clients?

If it is just plain Radius packets between the ASA and the AAA server, only the payload gets encrypted (not the entire packet, as opposed to TACACS+).

Federico.

Hi, thanks for your help. Am I then right to say that with Radius the user name will be plain text and the password encrypted using the secret key?

Regards,

i.e.

Radius encrypts only the payload.

TACACS+ encrypts the entire packet.

Federico.
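
As an added illustration that is not part of the original thread: the Python below builds a RADIUS Access-Request with PAP as laid out in RFC 2865 and parses it back, showing that User-Name is readable in the raw packet while User-Password is masked with an MD5/XOR chain keyed by the shared secret. The shared secret, user name, password and fixed Request Authenticator are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
USER = b"vpnuser"
PASSWORD = b"Example-Passw0rd!"       # 17 bytes, so two 16-byte blocks
AUTHENTICATOR = bytes(range(16))      # fixed for repeatability; random in real use

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: the same mask chain, keyed by the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop the NUL padding

def attribute(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, password, secret, authenticator, identifier=1):
    attrs = attribute(1, user) + attribute(2, hide_password(password, secret, authenticator))
    # Code 1 = Access-Request; Length covers the 20-byte header plus attributes.
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

if __name__ == "__main__":
    seen = parse_attributes(build_access_request(USER, PASSWORD, SECRET, AUTHENTICATOR))
    print("User-Name on the wire:    ", seen[1])
    print("User-Password on the wire:", seen[2].hex())
    print("Recovered with the secret:", reveal_password(seen[2], SECRET, AUTHENTICATOR))
```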