topic Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working in Network Access Control

Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

MarcoLazzarotto — Mon, 17 Jun 2024 10:06:17 GMT

I urgently need help with an access problem on ACS with MSCHAP-V2 protocol. The client is connecting to our ASA in AnyConnect and RADIUS authentication is happening between our ACS and the client's Windows server. That client is pushing hard to switch from PAP_ASCII to MSCHAP-V2 for security reasons.

The problem is that the authentication fails every time, and I've been banging my head about it for several weeks, to no avail.
Please check the authentication report from ACS:

I am going to post my configuration below.
ASA VPN config:

tunnel-group <Customer>RemoteSC type remote-access tunnel-group <Customer>RemoteSC general-attributes authentication-server-group New-rad secondary-authentication-server-group DUO-ldaps use-primary-username default-group-policy <Customer>-Any password-management password-expire-in-days 0 tunnel-group <Customer>RemoteSC webvpn-attributes group-url https://bhmvpn.<redacted>.com/030 enable without-csd tunnel-group <Customer>RemoteSC ppp-attributes authentication ms-chap-v2

RADIUS Identity Store on ACS:

AAA Diagnostics Report in CSV attached.

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

Mark Elsen — Mon, 17 Jun 2024 12:28:24 GMT

- Could you post a readable version of the authentication report from ACS (it is too blurred) ,

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

MarcoLazzarotto — Mon, 17 Jun 2024 12:33:18 GMT

Hi @Mark Elsen , have you tried downloading the image on your computer? It doesn't look blurry at all to me.

Let me know, otherwise I'll upload it somewhere else.

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

Mark Elsen — Mon, 17 Jun 2024 12:44:38 GMT

- For me , it's a no go ; even when saved on my computer first ,

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

MarcoLazzarotto — Mon, 17 Jun 2024 12:47:06 GMT

Sorry, I'm reuploading it as file here.

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

Mark Elsen — Mon, 17 Jun 2024 12:55:42 GMT

- Near the bottom it just says :
>...22063 Wrong password ,

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

MarcoLazzarotto — Mon, 17 Jun 2024 13:00:00 GMT

I know, but the same password works very well when the user connects using PAP_ASCII. The issue here is just when using MSCHAP-V2. And this is not happening with 1 user, but with 2 users.

Strangely, I see packets from the ACS to the Domain controller (port 1812) with PAP_ASCII authentication, but I don't see any with MSCHAP-V2 authentication. It almost seems that it is the ACS itself that is breaking the connection, without first making sure whether the password is right or not.

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

Mark Elsen — Mon, 17 Jun 2024 13:11:52 GMT

- Have a look at this document https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html
and or search for instanced of MSCHAP with find in your browser , look for helpful hints - if any.
Also note that ACS is very old and no longer advisable for production environments ,consider migrating to ISE ,

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

MarcoLazzarotto — Mon, 17 Jun 2024 14:46:32 GMT

I did look that document but I didn't find anything useful.

I can try to disable CHAP and MS-CHAP-V1, enabled by default.
I was comparing a successful (left) with a failed (right) authentication. I don't know if it's of any help.

The messages in the orange square are the same, then the differences begin (the left part didn't stop there, I just cropped it).

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

MarcoLazzarotto — Thu, 20 Jun 2024 12:16:46 GMT

I disabled MS-CHAP-V1 and CHAP on the tunnel-group but that didn't have any effect.

The weird part is that when using MS-CHAP-V2, the ACS is not communicating at all with the RADIUS server.

I also did a dump of packets when the ACS talks with the ASA, but there's nothing helpful as it appears that the decision to reject the user is done inside the ACS.

Re: Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

andrewswanson — Thu, 20 Jun 2024 17:38:05 GMT

Its been a while since I used ACS but I remember running into issues with some client's passwords that contained "special characters". Has the user tried resetting their password to something alphanumeric to test?

hth

Andy