How to get ASA 5510 to use CHAP via RADIUS authentication

herijoensen
Level 1

I've set up my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satisfied with at the moment is that RADIUS is using PAP for communicating between the ASA 5510 and W2K8/NAP.

I've tried ticking the "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server.

From Event Viewer on W2K8/NAP I get Event IDs 6278 and 6272 (see attached file).

Does anyone know how I change from the PAP to the CHAP protocol?

PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)

4 Replies

camejia
Level 3

Hello,

If you are authenticating VPN Access then you can configure "password-management" under the Tunnel Group for the ASA to use MSCHAPv2.

If you are performing the "test" command or using the "test" feature of the ASDM AAA server, that request will always be over PAP.

If you are using RADIUS for Management access on the ASA then the request will only encrypt the password. This applies for Telnet/SSH connections but for VPN you might want to try the above suggestion.

Hope this helps.

Regards.

Thanks for your answer.

My focus is on RADIUS for management access.

The connection between the ASA 5510 and my W2K8/NAP is encrypted with a RADIUS key (it's a pre-shared key). Where is PAP used then?

Does anyone know what the best practice is in this area?

Hello,

The best practice for device management would be to implement TACACS+, as it encrypts all the packet information and not only the username/password as RADIUS does. With RADIUS you will only get the behavior you are getting right now.

Regarding your concern about PAP and RADIUS, please review the RFC 2865 information included below:

2.2.  Interoperation with PAP and CHAP

   For PAP, the NAS takes the PAP ID and password and sends them in an
   Access-Request packet as the User-Name and User-Password. The NAS MAY
   include the Attributes Service-Type = Framed-User and Framed-Protocol
   = PPP as a hint to the RADIUS server that PPP service is expected.

   For CHAP, the NAS generates a random challenge (preferably 16 octets)
   and sends it to the user, who returns a CHAP response along with a
   CHAP ID and CHAP username.  The NAS then sends an Access-Request
   packet to the RADIUS server with the CHAP username as the User-Name
   and with the CHAP ID and CHAP response as the CHAP-Password
   (Attribute 3).  The random challenge can either be included in the
   CHAP-Challenge attribute or, if it is 16 octets long, it can be
   placed in the Request Authenticator field of the Access-Request
   packet.  The NAS MAY include the Attributes Service-Type = Framed-
   User and Framed-Protocol = PPP as a hint to the RADIUS server that
   PPP service is expected.

   The RADIUS server looks up a password based on the User-Name,
   encrypts the challenge using MD5 on the CHAP ID octet, that password,
   and the CHAP challenge (from the CHAP-Challenge attribute if present,
   otherwise from the Request Authenticator), and compares that result
   to the CHAP-Password.  If they match, the server sends back an
   Access-Accept, otherwise it sends back an Access-Reject.

   If the RADIUS server is unable to perform the requested
   authentication it MUST return an Access-Reject.  For example, CHAP
   requires that the user's password be available in cleartext to the
   server so that it can encrypt the CHAP challenge and compare that to
   the CHAP response.  If the password is not available in cleartext to
   the RADIUS server then the server MUST send an Access-Reject to the
   client.

Hope this clarifies it. If you feel that the appropriate answer has been provided please mark the post as "Answered" for future reference for our Community members.
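The RFC text above answers the "where is PAP used then?" question only in prose, so here is the same exchange worked through in code. This is an added example, not code from the original thread or from Cisco: it builds a RADIUS Access-Request the way a NAS would for PAP and for CHAP, applies the RFC 2865 section 5.2 User-Password hiding and the section 5.3 CHAP-Password computation, and runs both packets through a minimal server that follows the section 2.2 rule (CHAP can only be verified when the server holds the cleartext password). The shared secret, user names, passwords, Request Authenticator and challenge are constructed sample values; `USER_DB` is a stand-in for whatever store the real RADIUS server consults.

```python
"""PAP vs. CHAP inside a RADIUS Access-Request (RFC 2865 sections 2.2, 5.2, 5.3).
Added example, not code from the original thread. All secrets, users, passwords,
authenticators and challenges below are constructed sample values."""
import hashlib
import hmac

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

# Constructed server-side store: alice is kept in cleartext, bob only as a hash.
USER_DB = {
    b"alice": ("cleartext", b"S3cret-pw"),
    b"bob": ("md5-only", hashlib.md5(b"B0b-pw").hexdigest()),
}

def attr(kind, value):
    """One RADIUS attribute: Type (1 octet), Length incl. header (1 octet), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([kind, len(value) + 2]) + value

def hide_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block).
    This is the only field the RADIUS shared secret protects; all else is cleartext."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev                  # next key block is chained on this ciphertext block
    return out

def reveal_user_password(hidden, secret, request_auth):
    """Inverse of hide_user_password: whoever holds the shared secret gets the password back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994 / RFC 2865 5.3: MD5(CHAP ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def build_access_request(identifier, request_auth, attributes):
    body = b"".join(attributes)
    header = bytes([ACCESS_REQUEST, identifier]) + (20 + len(body)).to_bytes(2, "big")
    return header + request_auth + body

def pap_request(user, password, secret, request_auth):
    """PAP as the ASA sends it: User-Name in the clear, User-Password hidden with the secret."""
    return build_access_request(1, request_auth, [
        attr(USER_NAME, user),
        attr(USER_PASSWORD, hide_user_password(password, secret, request_auth))])

def chap_request(user, password, chap_id, request_auth, challenge=None):
    """CHAP: the password never goes on the wire, only CHAP ID + MD5 response. With
    challenge=None the 16-octet Request Authenticator doubles as the challenge (RFC 2865 2.2)."""
    chal = request_auth if challenge is None else challenge
    attrs = [attr(USER_NAME, user),
             attr(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, chal))]
    if challenge is not None:
        attrs.append(attr(CHAP_CHALLENGE, challenge))
    return build_access_request(2, request_auth, attrs)

def parse_request(pkt):
    """Split an Access-Request into (Request Authenticator, {type: value})."""
    length = int.from_bytes(pkt[2:4], "big")
    if pkt[0] != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, i = {}, 20
    while i < length:
        kind, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute")
        attrs[kind] = pkt[i + 2:i + alen]
        i += alen
    return pkt[4:20], attrs

def radius_server(pkt, secret):
    """Server decision per RFC 2865 2.2: PAP works against any stored form, CHAP needs cleartext."""
    request_auth, attrs = parse_request(pkt)
    kind, stored = USER_DB.get(attrs.get(USER_NAME), (None, None))
    if kind is None:
        return "Access-Reject"
    if USER_PASSWORD in attrs:
        pw = reveal_user_password(attrs[USER_PASSWORD], secret, request_auth)
        ok = pw == stored if kind == "cleartext" else hashlib.md5(pw).hexdigest() == stored
        return "Access-Accept" if ok else "Access-Reject"
    if CHAP_PASSWORD in attrs:
        if kind != "cleartext":
            return "Access-Reject"   # cannot recompute MD5(ID||pw||challenge) without the password
        chap_id, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, request_auth)
        expected = chap_response(chap_id, stored, challenge)
        return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"
    return "Access-Reject"
```

Two things to read off the result: in the PAP packet the User-Name is visible to anyone on the path and the User-Password is recoverable by anyone who knows the shared secret, which is the "only the password is encrypted" behavior described in the answer; in the CHAP packet the password itself is absent, but the server can only verify it for `alice`, whose password it holds in cleartext, and must reject `bob`, for whom it holds only a hash. That last branch is the practical reason a server backed by a hashed password store will keep answering Access-Reject to CHAP while PAP continues to work.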

Thanks for the quick reply