01-13-2010 01:12 PM
Hello.
I am creating a Remote Access VPN group with Radius authentication. Even though I put a check mark on "Microsoft CHAPv2 Capable", the ASA uses PAP to request authentication with our Radius server! Authentication is rejected because our Radius server requires Encrypted CHAP or CHAP v2.
What am I missing? Thanks in advance.
01-13-2010 06:00 PM
There are some aaa attributes on the tunnel you can try to adjust:
tunnel-group
asa(config-ppp)# authentication ?
tunnel-group-ppp mode commands/options:
  chap        Enable ppp authentication protocol CHAP
  eap-proxy   Enable ppp authentication to be proxied to an EAP enabled RADIUS
              server
  ms-chap-v1  Enable ppp authentication protocol MS-CHAP version 1
  ms-chap-v2  Enable ppp authentication protocol MS-CHAP version 2
  pap         Enable ppp authentication protocol PAP
If setting the above doesn't work, try to enable password-management, which will require the ASA to send mschap-v2; plus you get the added benefit of the feature, which is explained here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916
-heather
01-13-2010 07:29 PM
Thanks.
I'm using ASDM to configure the VPN group but I don't see these additional options! I'll try CLI tomorrow.
01-14-2010 07:42 AM
Okay. I have made the change to the tunnel group, but the ASA is still negotiating PAP with the radius server. Below are the attributes of the tunnel group. What am I missing? Thanks in advance.
tunnel-group Test-Admin type remote-access
tunnel-group Test-Admin general-attributes
 address-pool (inside) Test-Users-Pool
 address-pool Test-Users-Pool
 authentication-server-group Radius
 authentication-server-group (inside) Radius
 default-group-policy Test-Admin
tunnel-group Test-Admin ipsec-attributes
 pre-shared-key *
tunnel-group Test-Admin ppp-attributes
 authentication ms-chap-v2
01-14-2010 10:54 AM
I just fixed this!!!
I added the following:
tunnel-group Test-Admin ppp-attributes
 authentication eap-proxy
!