
Help: ASA 5520 VPN with Radius authentication only using PAP!

mlewis1
Level 1

Hello.

I am creating a Remote Access VPN group with Radius authentication.  Even though I put a check mark on "Microsoft CHAPv2 Capable", the ASA uses PAP to request authentication from our Radius server!  Authentication is rejected because our Radius server requires Encrypted CHAP or CHAP v2.

What am I missing?  Thanks in advance.

4 Replies

hdashnau
Cisco Employee

There are some aaa attributes on the tunnel you can try to adjust:

tunnel-group   ppp-attributes

asa(config-ppp)# authentication ?

tunnel-group-ppp mode commands/options:
  chap        Enable ppp authentication protocol CHAP
  eap-proxy   Enable ppp authentication to be proxied to an EAP enabled RADIUS
              server
  ms-chap-v1  Enable ppp authentication protocol MS-CHAP version 1
  ms-chap-v2  Enable ppp authentication protocol MS-CHAP version 2
  pap         Enable ppp authentication protocol PAP

If setting the above doesn't work, try to enable password-management, which will require the ASA to send mschap-v2, plus you get the added benefit of the feature, which is explained here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916

-heather

Thanks.

I'm using ASDM to configure the VPN group but I don't see these additional options!  I'll try CLI tomorrow.

Okay.  I have made the change to the tunnel group, but the ASA is still negotiating PAP with the radius server.  Below are the attributes of the tunnel group.  What am I missing?  Thanks in advance.

tunnel-group Test-Admin type remote-access
tunnel-group Test-Admin general-attributes
address-pool (inside) Test-Users-Pool
address-pool Test-Users-Pool
authentication-server-group Radius
authentication-server-group (inside) Radius
default-group-policy Test-Admin
tunnel-group Test-Admin ipsec-attributes
pre-shared-key *
tunnel-group Test-Admin ppp-attributes
authentication ms-chap-v2

I just fixed this!!!

I added the following:

tunnel-group Test-Admin ppp-attributes
  authentication eap-proxy
!
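
Added example, not part of the thread and not Cisco code: a small Python check that reads a RADIUS Access-Request (for instance the UDP payload taken from a capture on the RADIUS server) and reports whether it carries PAP, CHAP, MS-CHAP or EAP, which is the question this thread turns on. Attribute numbers are from RFC 2865, RFC 2548 and RFC 3579; the sample packets are constructed, with zeroed authenticator and credential bytes.

```python
import struct

MS_VENDOR_ID = 311  # Microsoft vendor-specific attributes, RFC 2548
STANDARD = {2: "PAP", 3: "CHAP", 79: "EAP"}   # User-Password, CHAP-Password, EAP-Message
MS_TYPES = {1: "MS-CHAPv1", 25: "MS-CHAPv2"}  # MS-CHAP-Response, MS-CHAP2-Response

def attributes(packet: bytes):
    """Yield (type, value) for each attribute of a RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError(f"not an Access-Request (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def auth_method(packet: bytes) -> str:
    """Name the authentication method(s) the request carries."""
    found = set()
    for a_type, value in attributes(packet):
        if a_type in STANDARD:
            found.add(STANDARD[a_type])
        elif a_type == 26 and len(value) >= 6:  # Vendor-Specific
            vendor, v_type = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and v_type in MS_TYPES:
                found.add(MS_TYPES[v_type])
    return "+".join(sorted(found)) or "none"

# Constructed sample packets (hypothetical helpers, not captured traffic).
def _attr(t, v): return bytes([t, len(v) + 2]) + v
def _vsa(vt, v): return _attr(26, struct.pack("!I", MS_VENDOR_ID) + _attr(vt, v))
def _request(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

PAP_REQ = _request(_attr(1, b"test"), _attr(2, bytes(16)))
MSCHAP2_REQ = _request(_attr(1, b"test"), _vsa(11, bytes(16)), _vsa(25, bytes(50)))
EAP_REQ = _request(_attr(1, b"test"), _attr(79, b"\x02\x01\x00\x09\x01test"), _attr(80, bytes(16)))

if __name__ == "__main__":
    for name, pkt in [("PAP", PAP_REQ), ("MS-CHAPv2", MSCHAP2_REQ), ("EAP", EAP_REQ)]:
        print(name, "->", auth_method(pkt))
```
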
