https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3929460#M925294 <P>It appears there is a "hidden" section of the config (only show up with "show run all" that includes the pap setting. As you can see below it is disabled by default:</P> <PRE>&gt; show version ---------[ vftd-new.ccielab.mrneteng.com ]---------- Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.4.0.5 (Build 23) UUID : 69c94e8a-92d2-11e7-b4ad-db36033706e7 Rules update version : 2019-09-18-001-vrt VDB version : 327 ---------------------------------------------------- &gt; show running-config all tunnel-group | begin ppp-attributes tunnel-group DefaultRAGroup ppp-attributes <STRONG> no authentication pap</STRONG> authentication chap authentication ms-chap-v1 no authentication ms-chap-v2 no authentication eap-proxy</PRE> <P>I haven't tried it but you may be able to deploy a Flexconfig to change that setting.</P> <P>Note that PAP is less secure in that the username and password as transmitted in clear text. Kind of ironic for a "secure" VPN.</P> Tue, 24 Sep 2019 14:44:53 GMT Marvin Rhoads 2019-09-24T14:44:53Z https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3929322#M925293 <P>Hi there,</P><P>&nbsp;</P><P>i'm looking for a way to use PAP instead of MSCHAP for our VPN Remote Access.</P><P>We've configured the Authentication with Cisco Anyconnect over an Radius Server (RSA).</P><P>RSA couldn't work with MSCHAP so i'm looking for the settings to change the Settings in Firepower Configuration from MSCHAP to PAP</P><P>&nbsp;</P><P>We use FP 6.4 at a 2100 device.</P> Fri, 21 Feb 2020 17:31:06 GMT https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3929322#M925293 ari82 2020-02-21T17:31:06Z https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3929460#M925294 <P>It appears there is a "hidden" section of the config (only show up with "show run all" that includes the pap setting. As you can see below it is disabled by default:</P> <PRE>&gt; show version ---------[ vftd-new.ccielab.mrneteng.com ]---------- Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.4.0.5 (Build 23) UUID : 69c94e8a-92d2-11e7-b4ad-db36033706e7 Rules update version : 2019-09-18-001-vrt VDB version : 327 ---------------------------------------------------- &gt; show running-config all tunnel-group | begin ppp-attributes tunnel-group DefaultRAGroup ppp-attributes <STRONG> no authentication pap</STRONG> authentication chap authentication ms-chap-v1 no authentication ms-chap-v2 no authentication eap-proxy</PRE> <P>I haven't tried it but you may be able to deploy a Flexconfig to change that setting.</P> <P>Note that PAP is less secure in that the username and password as transmitted in clear text. Kind of ironic for a "secure" VPN.</P> Tue, 24 Sep 2019 14:44:53 GMT https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3929460#M925294 Marvin Rhoads 2019-09-24T14:44:53Z https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3931434#M925295 <P>We use a two factor authentication.</P><P>So the first step ist to authenticate to again a Radius for Active Directory Authetication.</P><P>&nbsp;</P><P>The second step is to autheticate agains another Radius for Token Authentication.</P><P>&nbsp;</P><P>But for second step it's&nbsp;absolutely necessary to speak PAP.</P><P>Of course for our AD Authentication we need MSCHAP.</P><P>&nbsp;</P><P>But there seems to be no way to configure this in Firepower?</P> Fri, 27 Sep 2019 12:37:37 GMT https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3931434#M925295 ari82 2019-09-27T12:37:37Z https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3931443#M925296 <P>Did you try what I suggested?</P> Fri, 27 Sep 2019 12:54:13 GMT https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3931443#M925296 Marvin Rhoads 2019-09-27T12:54:13Z https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3931455#M925297 <P>PAP can be enabled by disable Option "<SPAN>Enable Password Management" in VPN Connection Profile.</SPAN></P><P>&nbsp;</P><P><SPAN>But i think, then everthing is running with PAP (also AD A</SPAN>uthetication<SPAN>).</SPAN></P> Fri, 27 Sep 2019 13:07:56 GMT https://community.cisco.com/t5/network-security/vpn-remote-access-use-pap-instead-of-mschap/m-p/3931455#M925297 ari82 2019-09-27T13:07:56Z