Expired password AnyConnect user using PAP instead of MSCHAP

Travis-Fleming
Level 1
Level 1

Hello,
We have a Cisco 5525-X we are using for AnyConnect. We use a 3rd-party AAA server (Aruba ClearPass) via RADIUS. We would like the ability to have users working remotely update their expiring password via AnyConnect. I've seen that's possible here through RADIUS. We've enabled "password-management" under the tunnel-group general-attributes. If we sign into VPN with a user whose password is not expired it works just fine, and ClearPass shows us they used MSCHAP. However, if we sign in with a user with an expired password, the authentication method shows as PAP in ClearPass and we get a prompt on our AnyConnect client that's just asking for "Answer", which is a fillable form. Below is a "show run all" that highlights more of the settings under our tunnel-group; in particular, under the ppp-attributes you can see the "no authentication pap" is in place. Any ideas guys?

 

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Users
no ipv6-address-pool
authentication-server-group ATS-ClearPass   <------ 3rd party AAA server clearpass--
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
password-management password-expire-in-days 14
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary

!

tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap   <--------should not use PAP, but does when password is expired---
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy

1 Accepted Solution

Accepted Solutions

Thank you Rob. I actually ended up opening a TAC case and found there is a bug with ClearPass. I have a ticket open with them on the matter. The notes from TAC are as follows:

 

You are welcome. I’m including the relevant logs from the debug Radius

 

Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 24 (0x18)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 11 (0x0B) MS-CHAP-Challenge
Radius: Length = 18 (0x12)
Radius: Value (String) =

Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)

Radius: Type = 2 (0x02) MS-CHAP-Error
Radius: Length = 16 (0x10)
Radius: Value (String) =
00 45 3d 36 34 38 20 52 3d 30 20 56 3d 33 | .E=648 R=0 V=3
Radius: Type = 24 (0x18) State

 

The MS-CHAP-Error with message 648 is correct, and that's actually what the ASA needs to receive to know that the password has expired, but the server sends this information as a Challenge instead of the supported Reject.

The RADIUS server should not be asking the ASA to update the client password; the server should simply reject an expired password and let the ASA take care of the password-management.

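To make the TAC finding above concrete, here is an added example (not Cisco or Aruba code) that decodes the Microsoft MS-CHAP-Error VSA from the debug bytes quoted in the thread and checks which RADIUS packet code it arrived in. It assumes the attribute layout of RFC 2548 and the "E=... R=... V=..." string format of RFC 2759; the packet code is supplied by the caller, since only the attribute bytes are shown in the debug.

```python
"""Decode an MS-CHAP-Error Vendor-Specific attribute and judge the packet code.

Added example, not code from the ASA, ClearPass, or this thread. Layout per
RFC 2548 (Microsoft VSA) and RFC 2759 (MS-CHAP-Error string format).
"""
import re
import struct

MS_VENDOR_ID = 311            # Microsoft vendor ID used for MS-CHAP attributes
MS_CHAP_ERROR = 2             # vendor-type of MS-CHAP-Error (RFC 2548 sec 2.1.6)
ACCESS_REJECT, ACCESS_CHALLENGE = 3, 11   # RADIUS packet codes (RFC 2865)
ERR_PASSWD_EXPIRED = 648      # RFC 2759 error code for an expired password

# Constructed from the debug shown above: VSA type 26, len 22, vendor 311,
# sub-attribute type 2 len 16, Ident 0x00, then "E=648 R=0 V=3".
SAMPLE_VSA = bytes.fromhex("1a16 00000137 0210 00 453d36343820523d3020563d33")

ERROR_RE = re.compile(
    r"E=(\d+) R=([01]) (?:C=([0-9A-Fa-f]{32}) )?V=(\d+)(?: M=(.*))?$")


def parse_ms_chap_error(vsa: bytes) -> dict:
    """Return {'ident', 'E', 'R', 'C', 'V', 'M'} from one MS-CHAP-Error VSA."""
    attr_type, attr_len, vendor_id = struct.unpack("!BBI", vsa[:6])
    if attr_type != 26 or vendor_id != MS_VENDOR_ID or attr_len != len(vsa):
        raise ValueError("not a well-formed Microsoft Vendor-Specific attribute")
    vtype, vlen = vsa[6], vsa[7]
    if vtype != MS_CHAP_ERROR or vlen != len(vsa) - 6:
        raise ValueError("not an MS-CHAP-Error sub-attribute")
    text = vsa[9:].decode("ascii")          # byte 8 is the MS-CHAP Ident
    m = ERROR_RE.match(text)
    if not m:
        raise ValueError(f"unexpected MS-CHAP-Error string: {text!r}")
    return {"ident": vsa[8], "E": int(m[1]), "R": int(m[2]),
            "C": m[3], "V": int(m[4]), "M": m[5]}


def build_ms_chap_error_vsa(ident: int, text: str) -> bytes:
    """Encode an MS-CHAP-Error VSA; used to cross-check the sample bytes."""
    value = bytes([ident]) + text.encode("ascii")
    sub = bytes([MS_CHAP_ERROR, 2 + len(value)]) + value
    return struct.pack("!BBI", 26, 6 + len(sub), MS_VENDOR_ID) + sub


def classify(packet_code: int, vsa: bytes) -> str:
    """Say whether error 648 arrived the way the ASA password-management expects."""
    err = parse_ms_chap_error(vsa)
    if err["E"] != ERR_PASSWD_EXPIRED:
        return f"other MS-CHAP error {err['E']}"
    if packet_code == ACCESS_REJECT:
        return "expired-password Access-Reject: ASA can run password-management"
    if packet_code == ACCESS_CHALLENGE:
        return "expired-password Access-Challenge: not the Access-Reject the ASA expects"
    return f"unexpected packet code {packet_code}"
```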

2 Replies

Hi,

You need to use MSCHAPv2 in order to change the password. It’s currently disabled in your configuration.

 

Ensure MSCHAPv2 is also permitted as an authentication protocol in Clearpass

 

HTH

