Why do I need PAP enabled on Windows for an ASA5510 to use Radius?

jimmyc_2
Level 1

We have an ASA that allows remote VPN users. It connects to a Windows 2008 server. That server connects to a radius server, also Windows 2008. Things work fine if we enable PAP on the radius server, and the remote site server. If we disable PAP on either one, we lose the ability to authenticate.

I would prefer to not use PAP.

thanks.

5 Replies

Tariq Bader
Cisco Employee

Is this an IPsec remote access VPN terminated on the ASA, or just VPN traffic passing through?

can you attach your ASA configuration ?

malshbou
Level 1

Hello,

The ASA supports the following authentication methods with RADIUS:

PAP—For all connection types.

CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.

MS-CHAPv2—For L2TP-over-IPsec connections, and for regular IPsec remote access connections when the password management feature is enabled. You can also use MS-CHAPv2 with clientless connections.

Authentication Proxy modes—Including RADIUS to Active Directory, RADIUS to RSA/SDI, RADIUS to Token-server, and RSA/SDI to RADIUS connections.

So the default is PAP, but you can enable MS-CHAPv2 by configuring "password management" under tunnel-group.

Hope this helps

------------------
Mashal Shboul

Yes Mashal, this is the case when the VPN is terminated on the ASA, and not passing through to a third-party VPN termination.

This is why we need to verify first.

Thanks for your information.

Tariq

jimmyc_2
Level 1

Thanks for the info.

Looks like I was missing the command "password-management". I eventually found this out in the ASDM help section. MS-CHAPv2 is now working.

Yup, that was it, Jimmyc. Thanks for sharing.

In order to configure the ASA to communicate over MS-CHAPv2 with RADIUS, we should have "password-management" under the tunnel-group. This change adds a new field for the end user to enter the domain name; however, it's optional. If you leave it blank, it will use the local domain.

~BR
Jatin Katyal

**Do rate helpful posts**

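The configuration the thread converges on, shown end to end as an added example (it is not from any of the posters above and is not a complete ASA configuration). The server-group name RADIUS-NPS, the host address 10.0.0.5, the shared key, the tunnel-group name RA-VPN, the pool VPN-POOL and the username jdoe are assumptions; the commands themselves are standard ASA CLI. Lines beginning with `!` are comments and are not entered on the ASA.

```text
! Added example, not from the thread. Assumed names: RADIUS-NPS (server group),
! 10.0.0.5 (Windows NPS host), RA-VPN (tunnel group), VPN-POOL (address pool).

! 1. RADIUS server group pointing at the Windows NPS server.
aaa-server RADIUS-NPS protocol radius
aaa-server RADIUS-NPS (inside) host 10.0.0.5
 key S3cretSharedKey
 authentication-port 1812
 accounting-port 1813
! mschapv2-capable is the default for a RADIUS host; "no mschapv2-capable"
! would force this host back to PAP even with password-management set.

! 2. Remote-access tunnel group. Without password-management the ASA sends
!    a PAP Access-Request, which is why NPS had to allow PAP.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-NPS
 password-management password-expire-in-days 14
! password-management switches the RADIUS exchange to MS-CHAPv2 and also
! enables expiry warnings / change-on-expiry for the user, hence the extra
! (optional) domain field Jatin mentions in the client prompt.

! 3. Verify from the ASA CLI (prompts for the password if omitted):
test aaa-server authentication RADIUS-NPS host 10.0.0.5 username jdoe
! With "debug radius" running, the Access-Request should now carry
! MS-CHAP-Challenge / MS-CHAP2-Response attributes rather than User-Password.
```

On the NPS side the network policy's authentication methods must include MS-CHAPv2 before PAP is cleared, otherwise the Access-Request is rejected exactly as the original poster saw. The reason to care: with PAP the RADIUS User-Password attribute is only hidden by an MD5 keystream derived from the shared secret and request authenticator (RFC 2865 section 5.2), so the RADIUS server, and anyone holding the shared secret, sees the user's cleartext password. With MS-CHAPv2 the server receives a challenge/response (RFC 2548 vendor attributes) instead, so a compromised RADIUS path yields material for offline guessing but not the password itself.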