Is anyone using L2TP for remote access connections to an ASA 5510? If so, what PPP authentication protocol are you using?
Cisco TAC assisted in configuring the L2TP remote access on the ASA, and configured it with PAP saying that was the only protocol that would work because the authentication server we are using is Kerberos (the server is a Windows Active Directory domain controller). I'm wary of using a protocol that sends the password in clear text. Can this be right? Shouldn't I be able to use Chap v1 or 2?
The fos version on the asa is 7.2(1). We're using the cli for configuration.
The stumbling blocks in our config seemed to be the authentication protocol and the pre shared key. L2tp connections land on the DefaultRAGroup first even if you have a specifically defined remote access tunnel group, (if you have debug turned on during the client login you can see this) so it is the preshared key defined in the default group that needs to be entered in the windows l2tp client. Then the authentication protocol has to be pap, for both the default ra group and your specific tunnel group, with no authentication chap and no authentication ms-chap-v1 specifically defined as well on the asa side. Then in the windows l2tp client, pap has to be the only authentication protocol checked, or the login will fail.
I didn't do anything to the windows registry on the client side, I think sp2 made that not necessary any more.
Unless the login is protected by ipsec I'm not sure why anyone would want to use pap though, and when I asked the Cisco TAC tech if that was the case he said no. And he also claims using anything but pap will make the connection fail, which seems the case when I try to change it. I'm guessing this is a limitation of the asa because of the initial landing on the default ra group, and not a limitation of windows kerberos, even tho the Cisco tech said otherwise.