cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3550
Views
4
Helpful
5
Replies

Why do I need PAP enabled on Windows for an ASA5510 to use Radius?

jimmyc_2
Level 1
Level 1

We have an ASA that allows remote VPN users. It connects to a Windows 2008 server. That server connects to a radius server, also Windows 2008. Things work fine if we enable PAP on the radius server, and the remote site server. If we disable PAP on either one, we lose the ability to authenticate.

I would prefer to not use PAP.

thanks.

1 Accepted Solution

Accepted Solutions

malshbou
Level 1
Level 1

Hello,

The ASA supports the following authentication methods with RADIUS:

PAP—For all connection types.

CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.

MS-CHAPv2—For  L2TP-over-IPsec connections, and for regular IPsec remote access  connections when the password management feature is enabled. You can  also use MS-CHAPv2 with clientless connections.

Authentication  Proxy modes—Including RADIUS to Active Directory, RADIUS to RSA/SDI,  RADIUS to Token-server, and RSA/SDI to RADIUS connections,

so the  default is PAP, but you can enable MS-CHAPv2 by configuring "password management" under tunnel-group.

Hope this helps

------------------
Mashal Shboul

------------------ Mashal Shboul

View solution in original post

5 Replies 5

Tariq Bader
Cisco Employee
Cisco Employee

Is this an IPSEC remote access VPN terminated on the ASA or just a passing throug VPN traffic ?

can you attach your ASA configuration ?

malshbou
Level 1
Level 1

Hello,

The ASA supports the following authentication methods with RADIUS:

PAP—For all connection types.

CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.

MS-CHAPv2—For  L2TP-over-IPsec connections, and for regular IPsec remote access  connections when the password management feature is enabled. You can  also use MS-CHAPv2 with clientless connections.

Authentication  Proxy modes—Including RADIUS to Active Directory, RADIUS to RSA/SDI,  RADIUS to Token-server, and RSA/SDI to RADIUS connections,

so the  default is PAP, but you can enable MS-CHAPv2 by configuring "password management" under tunnel-group.

Hope this helps

------------------
Mashal Shboul

------------------ Mashal Shboul

Yes Mashal, this is in case we have the VPN terminated on the ASA and not a passing through to a 3rd party VPN termination

This is why we need to verify first.

Thanks for your information.

Tariq

jimmyc_2
Level 1
Level 1

Thanks for the info.

Looks like I was missing the command "password-management".   I eventually found this out in the ASDM help section.   MS-Chap2 is now working.

yup that was it Jimmyc. Thanks for sharing.

In order to configure ASA to communicate over MSCHAPv2 with  radius, we should have "password-management" under the tunnel-group.  This change would add a new field for the end user to enter the  domain-name, however, it's optional. If you leave it blank, it would use  the local domain.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: