
SSH authentication from ASA5505 to ACS 5.3 Not Using PAP

rickyQ
Level 1

Hello there, I am evaluating ACS 5.3 with an ASA5505. By using password management in the IPSec tunnel config I am able to authenticate the VPN clients using MSCHAPv2; however, the SSH sessions are authenticated using PAP.

I have looked for days and days for an answer without success. Is this by design?

Cisco documents state that SSH can be authenticated via TACACS with PAP, CHAP or MSCHAPv1; however, I have no idea how to get this done. It seems to default to PAP.

From Cisco Doc:

TACACS+ Server Support

The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1

PS: I know the "test" feature on ASA uses PAP.

Thanks!


Tarik Admani
VIP Alumni

Ricardo,

I think the documentation may leave you hanging in this case. You can use TACACS to authenticate PPP connections, hence that is why the section in the AAA for management specifies that TACACS supports CHAP authentication, but in the chart below this is for PPP authentication.

www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html#wp1090907

Table 62-1     AAA Server Support and PPP Authentication Types

| AAA Server Type | Supported PPP Authentication Types |
|-----------------|------------------------------------|
| LOCAL | PAP, MSCHAPv1, MSCHAPv2 |
| RADIUS | PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy |
| TACACS+ | PAP, CHAP, MSCHAPv1 |
| LDAP | PAP |
| NT | PAP |
| Kerberos | PAP |
| SDI | SDI |

Hope this helps,

Tarik Admani
*Please rate helpful posts*