Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
354
Views
0
Helpful
10
Replies

Cisco ACS 5.6 - RADIUS with MSCHAP-V2 not working

MarcoLazzarotto
Level 1
Level 1

‎06-17-2024 02:50 AM - edited ‎06-17-2024 03:06 AM

 

I urgently need help with an access problem on ACS with MSCHAP-V2 protocol. The client is connecting to our ASA in AnyConnect and RADIUS authentication is happening between our ACS and the client's Windows server. That client is pushing hard to switch from PAP_ASCII to MSCHAP-V2 for security reasons.

The problem is that the authentication fails every time, and I've been banging my head about it for several weeks, to no avail.
Please check the authentication report from ACS:

REDACTED_jsimpson_mschap_failed_auth.png

I am going to post my configuration below. 
ASA VPN config:

 

tunnel-group <Customer>RemoteSC type remote-access
tunnel-group <Customer>RemoteSC general-attributes
 authentication-server-group New-rad
 secondary-authentication-server-group DUO-ldaps use-primary-username
 default-group-policy <Customer>-Any
 password-management password-expire-in-days 0
tunnel-group <Customer>RemoteSC webvpn-attributes
 group-url https://bhmvpn.<redacted>.com/030 enable
 without-csd
tunnel-group <Customer>RemoteSC ppp-attributes
 authentication ms-chap-v2

 

 RADIUS Identity Store on ACS:

MarcoLazzarotto_0-1718616216504.png

AAA Diagnostics Report in CSV attached.

Preview file
8 KB
0 Helpful
10 Replies 10

marce1000
VIP
VIP

‎06-17-2024 05:28 AM

 

  - Could you post a readable version of the authentication report from ACS  (it is too blurred) , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

MarcoLazzarotto
Level 1
Level 1
In response to marce1000

‎06-17-2024 05:33 AM

Hi @marce1000 , have you tried downloading the image on your computer? It doesn't look blurry at all to me.

Let me know, otherwise I'll upload it somewhere else.

0 Helpful

marce1000
VIP
VIP
In response to MarcoLazzarotto

‎06-17-2024 05:44 AM

 

         - For me , it's a no go ; even when saved on my computer first ,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

MarcoLazzarotto
Level 1
Level 1
In response to marce1000

‎06-17-2024 05:47 AM

Sorry, I'm reuploading it as file here.

Preview file
98 KB
0 Helpful

marce1000
VIP
VIP
In response to MarcoLazzarotto

‎06-17-2024 05:55 AM

 

             - Near the bottom it just says :
             >...22063 Wrong password

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

MarcoLazzarotto
Level 1
Level 1
In response to marce1000

‎06-17-2024 06:00 AM

I know, but the same password works very well when the user connects using PAP_ASCII. The issue here is just when using MSCHAP-V2. And this is not happening with 1 user, but with 2 users.

Strangely, I see packets from the ACS to the Domain controller (port 1812) with PAP_ASCII authentication, but I don't see any with MSCHAP-V2 authentication. It almost seems that it is the ACS itself that is breaking the connection, without first making sure whether the password is right or not.

0 Helpful

marce1000
VIP
VIP
In response to MarcoLazzarotto

‎06-17-2024 06:11 AM

 

      - Have a look at this document https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html
        and or search for instanced of MSCHAP with find in your browser , look for helpful hints  - if any.
        Also note that ACS is very old and no longer advisable for production environments ,consider migrating to ISE ,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

MarcoLazzarotto
Level 1
Level 1
In response to marce1000

‎06-17-2024 07:46 AM

I did look that document but I didn't find anything useful.

I can try to disable CHAP and MS-CHAP-V1, enabled by default.
I was comparing a successful (left) with a failed (right) authentication. I don't know if it's of any help.

MarcoLazzarotto_0-1718635548077.png

The messages in the orange square are the same, then the differences begin (the left part didn't stop there, I just cropped it).

 

0 Helpful

MarcoLazzarotto
Level 1
Level 1

‎06-20-2024 05:16 AM

I disabled MS-CHAP-V1 and CHAP on the tunnel-group but that didn't have any effect.

The weird part is that when using MS-CHAP-V2, the ACS is not communicating at all with the RADIUS server.

I also did a dump of packets when the ACS talks with the ASA, but there's nothing helpful as it appears that the decision to reject the user is done inside the ACS.

0 Helpful

andrewswanson
Level 7
Level 7

‎06-20-2024 10:38 AM

Its been a while since I used ACS but I remember running into issues with some client's passwords that contained "special characters".  Has the user tried resetting their password to something alphanumeric to test?

hth

Andy

0 Helpful
Customers Also Viewed These Support Documents