VPN Remote Access - Use PAP instead of MSCHAP

ari82
Level 1

Hi there,

I'm looking for a way to use PAP instead of MSCHAP for our VPN Remote Access.

We've configured the authentication with Cisco AnyConnect over a RADIUS server (RSA).

RSA couldn't work with MSCHAP, so I'm looking for the setting to change the Firepower configuration from MSCHAP to PAP.

We use FP 6.4 on a 2100 device.

4 Replies

Marvin Rhoads
Hall of Fame

It appears there is a "hidden" section of the config (it only shows up with "show run all") that includes the pap setting. As you can see below, it is disabled by default:

> show version
---------[ vftd-new.ccielab.mrneteng.com ]----------
Model                     : Cisco Firepower Threat Defense for VMWare (75) Version 6.4.0.5 (Build 23)
UUID                      : 69c94e8a-92d2-11e7-b4ad-db36033706e7
Rules update version      : 2019-09-18-001-vrt
VDB version               : 327
----------------------------------------------------

> show running-config all tunnel-group | begin ppp-attributes
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 no authentication ms-chap-v2
 no authentication eap-proxy

I haven't tried it, but you may be able to deploy a FlexConfig to change that setting.

Note that PAP is less secure in that the username and password are transmitted in clear text. Kind of ironic for a "secure" VPN.
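As an added audit helper (not from this thread, Cisco, or the FTD software), the script below parses `show running-config all tunnel-group` output in the form quoted above and reports which tunnel groups have the clear-text PAP method enabled; the sample config is constructed, with a second hypothetical tunnel group to show a positive match.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config all tunnel-group` output, modelled
# on the block quoted in this thread; the RA-Tokens group is hypothetical.
SAMPLE_CONFIG = """\
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 no authentication ms-chap-v2
 no authentication eap-proxy
tunnel-group RA-Tokens ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
 no authentication ms-chap-v2
 no authentication eap-proxy
"""

# PPP methods that carry the password unhashed across the wire.
CLEARTEXT_PROTOCOLS = {"pap"}


def parse_ppp_auth(config: str) -> Dict[str, Dict[str, bool]]:
    """Return {tunnel_group: {protocol: enabled}} from ppp-attributes blocks.

    In 'show run all' output every method is printed: disabled ones as
    'no authentication X', enabled ones as 'authentication X'.
    """
    result: Dict[str, Dict[str, bool]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^tunnel-group\s+(\S+)\s+ppp-attributes\s*$", line)
        if header:
            current = header.group(1)
            result[current] = {}
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the ppp-attributes block
            continue
        entry = re.match(r"^\s+(no\s+)?authentication\s+(\S+)\s*$", line)
        if entry:
            result[current][entry.group(2)] = entry.group(1) is None
    return result


def groups_with_cleartext_auth(config: str) -> List[str]:
    """Tunnel groups where at least one clear-text PPP method is enabled."""
    parsed = parse_ppp_auth(config)
    return sorted(g for g, protos in parsed.items()
                  if any(protos.get(p, False) for p in CLEARTEXT_PROTOCOLS))
```

Feed it the saved output of `show running-config all tunnel-group` from a device to get the list of connection profiles that would accept PAP.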

We use two-factor authentication.

So the first step is to authenticate against a RADIUS server for Active Directory authentication.

The second step is to authenticate against another RADIUS server for token authentication.

But for the second step it's absolutely necessary to speak PAP.

Of course, for our AD authentication we need MSCHAP.

But there seems to be no way to configure this in Firepower?

Did you try what I suggested?

PAP can be enabled by disabling the option "Enable Password Management" in the VPN Connection Profile.

But I think then everything is running with PAP (also AD authentication).
