
Does FDM support configuration of the MS-CHAPv2

rlbf001
Level 1

Dear Team,

 

Does anyone know how to enable MS-CHAPv2 authentication (instead of PAP) for the Identity Source in FDM?

 

Recently we upgraded our ASA-5508X to FTD and everything works like a charm except one thing - our NPS/RADIUS server was configured to accept only PEAP or MS-CHAPv2. Once we attached the device to the network, none of the AnyConnect users were able to authenticate. A quick look at the NPS event log shows that the device is sending only PAP (Password Authentication Protocol) requests instead of MS-CHAPv2. I spent the last few days trying to find a resolution in the official Cisco documentation. I scrolled through all the configuration web pages - same thing - no option to enable a more secure protocol.

 

Any help would be greatly appreciated.

 

Best regards,

 

Jacek

7 Replies

Chakshu Piplani
Cisco Employee

I do see an enhancement defect for this:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi51607

 

Regards,

Chakshu

Yep - so do I.

 

Even though it has status = Fixed, which probably means: yes, we are aware of the issue; yes, we will fix it as an enhancement someday (because using PAP in 2021 is so cool and so secure). But there is no hotfix available yet - I would be so happy if someone proved me wrong.

 

Great job Cisco - keep it up !

 

Luckily for us there is a workaround for that - disable all RADIUS authentication/identity sources and use LDAPS, which indeed supports TLS negotiation against our Active Directory infrastructure.

 

 

Best regards,

 

Jacek

 

I believe you can do this while continuing to use RADIUS if you enable "password management" in the connection profile. It will then force the connection to be secured with MSCHAPv2 indirectly as the feature requires using that protocol.

Here's a reference from the ASA command reference - the LINA code in FTD uses the same bits:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/pa-pn-commands.html#wp2035813333

Also see this old but relevant thread:

https://community.cisco.com/t5/vpn/asa-5510-radius-authentication-only-using-pap/td-p/1377856

..and this document:

https://community.cisco.com/t5/security-documents/password-management-with-ldap-vs-radius-for-vpn-users/ta-p/3147278
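To see on the wire what this thread is about (the FTD sending a PAP Access-Request, versus the MS-CHAPv2 exchange that password management forces), here is an added Python example; it is not from the thread, from Cisco, or from any FTD code. It builds two constructed RADIUS Access-Requests, classifies the authentication method from the attributes present (the same distinction the NPS event log reports), and recovers the cleartext password from the PAP packet using the shared secret, which is exactly what anyone sniffing the FTD-to-NPS path with that secret can do. The shared secret, usernames, password and Request Authenticator are constructed values, and the MS-CHAPv2 challenge and response bytes are placeholders (no real NT-Response is computed).

```python
"""Added example (not from the thread): constructed RADIUS Access-Requests showing
why a PAP request to NPS is a wiretapping risk and how to tell PAP from MS-CHAPv2."""
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2       # PAP: password hidden with MD5(secret || authenticator)
ATTR_CHAP_PASSWORD = 3
ATTR_VENDOR_SPECIFIC = 26
ATTR_EAP_MESSAGE = 79
VENDOR_MICROSOFT = 311
MS_CHAP_RESPONSE = 1         # MS-CHAPv1
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25       # MS-CHAPv2


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: whoever holds the shared secret and the packet gets the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute carrying one RFC 2548-style Microsoft sub-attribute."""
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vendor_type, len(value) + 2) + value)


def build_request(ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_pap_request(ident, authenticator, user, password, secret) -> bytes:
    return build_request(ident, authenticator, [
        attr(ATTR_USER_NAME, user),
        attr(ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator)),
    ])


def build_mschapv2_request(ident, authenticator, user) -> bytes:
    """Shape of an MS-CHAPv2 Access-Request (RFC 2548). Challenge and the 24-byte
    NT-Response are constructed placeholders, not a real MS-CHAPv2 computation."""
    challenge = b"\x11" * 16
    # MS-CHAP2-Response layout: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)
    response = bytes([1, 0]) + b"\x22" * 16 + b"\x00" * 8 + b"\x33" * 24
    return build_request(ident, authenticator, [
        attr(ATTR_USER_NAME, user),
        vsa(VENDOR_MICROSOFT, MS_CHAP_CHALLENGE, challenge),
        vsa(VENDOR_MICROSOFT, MS_CHAP2_RESPONSE, response),
    ])


def parse_attrs(packet: bytes):
    """Return (authenticator, [(type, vendor, vendor_type, value), ...]) with bounds checks."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = [], 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + l]
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vt, vl = struct.unpack("!IBB", value[:6])
            attrs.append((t, vendor, vt, value[6:4 + vl]))
        else:
            attrs.append((t, None, None, value))
        pos += l
    return packet[4:20], attrs


def classify(packet: bytes) -> str:
    """Name the authentication method from the attributes present, as the NPS event log does."""
    _, attrs = parse_attrs(packet)
    present = {(t, vendor, vt) for t, vendor, vt, _ in attrs}
    if (ATTR_VENDOR_SPECIFIC, VENDOR_MICROSOFT, MS_CHAP2_RESPONSE) in present:
        return "MS-CHAPv2"
    if (ATTR_VENDOR_SPECIFIC, VENDOR_MICROSOFT, MS_CHAP_RESPONSE) in present:
        return "MS-CHAPv1"
    if (ATTR_EAP_MESSAGE, None, None) in present:
        return "EAP"
    if (ATTR_CHAP_PASSWORD, None, None) in present:
        return "CHAP"
    if (ATTR_USER_PASSWORD, None, None) in present:
        return "PAP"
    return "unknown"


def recover_pap_password(packet: bytes, secret: bytes):
    """What a sniffer on the FTD-to-NPS path can do with the shared secret; None unless PAP."""
    authenticator, attrs = parse_attrs(packet)
    for t, _, _, value in attrs:
        if t == ATTR_USER_PASSWORD:
            return pap_unhide(value, secret, authenticator)
    return None


if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", bytes(range(16))  # constructed values
    pap = build_pap_request(1, auth, b"jacek", b"Wint3r!", secret)
    ms = build_mschapv2_request(2, auth, b"jacek")
    for pkt in (pap, ms):
        print(classify(pkt), recover_pap_password(pkt, secret))
```

To check a real device rather than the constructed packets, feed `classify()` the UDP payload of an Access-Request captured between the FTD and NPS (for example the bytes tshark exports for the RADIUS layer). Note that MS-CHAPv2 only removes the direct password exposure; its NT-Response can still be attacked offline, so isolating the RADIUS segment, as the later reply in this thread does, or protecting it with IPsec or RadSec remains worthwhile.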

 

Hello,

 

I'm afraid that enabling the password policy is not possible from the FDM level. It is probably possible from FMC but not from FDM itself.

 

This article states that even configuring a smart object from FDM is "prohibited", which looks like this case indeed:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-advanced.html

 

Anyway, while waiting for Cisco to deliver a fix, we've delivered a "hardware" resolution to this problem (still using RADIUS): a designated switch connected to designated ports on the primary and backup NPS servers plus designated ports on the FTD itself (used only to send authentication requests). Now the risk of wiretapping is substantially minimized - obviously this is NOT a perfect solution, but it is better than "no solution".

 

Kind regards,

 

Jacek

 

 

rlbf001

 

What firmware are you running? We have a Firepower 1125 appliance running 7.0.0-94. The bug mentioned above says it's for 6.22 or 6.2.2.2. Is there a possible fix for the newer firmware?

 

-Jeff

The ability to use MS-CHAP v2 with FDM (including AD password management via LDAP or RADIUS) is coming in Firepower 7.1 later this year.

Peter Koltl
Level 7

I found "password-management" in FDM 7.4.1.1

(Connection Profile AAA Advanced settings)
