New Member

Help: ASA 5520 VPN with Radius authentication only using PAP!

Hello.

I am creating a Remote Access VPN group with Radius authentication. Even though I put a check mark on "Microsoft CHAPv2 Capable", the ASA uses PAP to request authentication with our Radius server! Authentication is rejected because our Radius server requires Encrypted CHAP or CHAP v2.

What am I missing?  Thanks in advance.

4 REPLIES
Cisco Employee

Re: Help: ASA 5520 VPN with Radius authentication only using PAP

There are some aaa attributes on the tunnel you can try to adjust:

tunnel-group   ppp-attributes

asa(config-ppp)# authentication ?

tunnel-group-ppp mode commands/options:
  chap        Enable ppp authentication protocol CHAP
  eap-proxy   Enable ppp authentication to be proxied to an EAP enabled RADIUS
              server
  ms-chap-v1  Enable ppp authentication protocol MS-CHAP version 1
  ms-chap-v2  Enable ppp authentication protocol MS-CHAP version 2
  pap         Enable ppp authentication protocol PAP

If setting the above doesn't work, try to enable password-management which will require the ASA to send mschap-v2 plus you get the added benefit of the feature which is explained here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916

-heather

New Member

Re: Help: ASA 5520 VPN with Radius authentication only using PAP

Thanks.

I'm using ASDM to configure the VPN group but I don't see these additional options!  I'll try CLI tomorrow.

New Member

Re: Help: ASA 5520 VPN with Radius authentication only using PAP

Okay. I have made the change to the tunnel group, but the ASA is still sending PAP to the radius server. Below are the attributes of the tunnel group. What am I missing? Thanks in advance.

tunnel-group Test-Admin type remote-access
tunnel-group Test-Admin general-attributes
  address-pool (inside) Test-Users-Pool
  address-pool Test-Users-Pool
  authentication-server-group Radius
  authentication-server-group (inside) Radius
  default-group-policy Test-Admin
tunnel-group Test-Admin ipsec-attributes
  pre-shared-key *
tunnel-group Test-Admin ppp-attributes
  authentication ms-chap-v2

New Member

Re: Help: ASA 5520 VPN with Radius authentication only using PAP

I just fixed this!!!

I added the following:

tunnel-group Test-Admin ppp-attributes
  authentication eap-proxy
!
