Frequent Contributor

AnyConnect authentication with RADIUS Secure method

I have successfully been able to set up Cisco AnyConnect VPN on an ASA 5520 with 8.4 code.  I have set it to authenticate against the RADIUS server (Microsoft Windows 2008 NPS server).  I have noticed one thing on the server, under "Constraints and Authentication Method": I picked MS-CHAP-v2, but it is considered a less secure authentication method.  I can click on Add and choose other authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2.  I picked PEAP, but then the VPN does not work.

So first of all, does it really matter if I just leave it at MS-CHAP-v2?  My understanding is that AnyConnect authenticates to the ASA and then the ASA in the backend talks to the RADIUS server, so from a security standpoint shouldn't this scenario be sufficient, as no unencrypted or less secure information is available to the outside world?

Secondly is there any documentation on using PEAP with Cisco AnyConnect?

4 Replies

Cisco Employee

Mohammad,

The scheme you're describing will indeed work for SSL and IKEv1 user authentication.

For IKEv2 based IPsec we can perform EAP-based authentication.

I don't believe certificate is an option right now on the ASA. Plus, in the case of the first scheme the certificate would be from the ASA, not from the client, since the authentication credentials/certificate are handled by the IKE/SSL process, not within it (if that makes sense).

M.

Frequent Contributor

Thank you for the reply. I am currently using SSL/IKEv2 based IPsec.  But once all is finalized I will be putting in the Essentials license, which gives me the IPsec licenses, so I will eventually be doing IKEv2.  Now everything is working, but I need to know whether my scenario, i.e. using MS-CHAP-v2 on the Microsoft NPS 2008 server for AnyConnect authentication, is a security risk as it is less secure.

Or it shouldn't be a problem because authentication information gets encrypted and ASA validates the information in the back end with the RADIUS server?

Cisco Employee (Accepted Solution)

AnyConnect supports EAP-GTC, EAP-MD5 and EAP-MSCHAPv2.

From a security standpoint, it does not matter much what you use, since IKE will encrypt the traffic between the client and the head end anyway.

Between the head end and the radius, the password will be encrypted as well.

From a to z, you're good to go.

Cheers,

Olivier

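Added example (my own code, not from this thread or from Cisco) to make the ASA-to-NPS leg of the accepted answer concrete. That leg is plain RADIUS over UDP, not a TLS tunnel: when the ASA forwards a PAP credential, the User-Password attribute is hidden by XORing it with an MD5 keystream derived from the RADIUS shared secret and the Request Authenticator (RFC 2865 section 5.2), and integrity comes from the Message-Authenticator HMAC-MD5 (RFC 2869 section 5.14); when it forwards MS-CHAPv2, NPS instead receives a challenge/response derived from the NT hash in the MS-CHAP-Challenge and MS-CHAP2-Response attributes (RFC 2548). The block implements the PAP form, which needs only the Python standard library (the MS-CHAPv2 response needs MD4 and DES and is not shown), and then demonstrates the caveat a practitioner should take from "the password will be encrypted": the only secret material on that leg is the shared secret, so whoever captures one request on the ASA-to-NPS segment and guesses the secret recovers the password. The username, password, NAS address, secret and wordlist are all constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block); block 1 is keyed with the
    Request Authenticator, which travels in clear in the packet header."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what NPS does). Trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def _attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Attribute type -> (offset of the attribute, value); last occurrence wins."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = (pos, packet[pos + 2:pos + length])
        pos += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request a NAS (here the ASA) sends for a PAP credential, with a
    Message-Authenticator (RFC 2869 s5.14) computed over the packet with the
    attribute's own value zeroed."""
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1])))  # constructed NAS address
    placeholder = _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(placeholder))
    header += authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute HMAC-MD5 with the MA value zeroed."""
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    if MESSAGE_AUTHENTICATOR not in attrs:
        return False
    off, mac = attrs[MESSAGE_AUTHENTICATOR]
    if len(mac) != 16:
        return False
    zeroed = packet[:off] + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def recover_password(packet: bytes, secret: bytes) -> bytes:
    """What an observer on the ASA-to-NPS segment gets once it has the shared
    secret: the Request Authenticator it also needs is in the header in clear."""
    _, hidden = parse_attrs(packet)[USER_PASSWORD]
    return unhide_password(hidden, secret, packet[4:20])


def guess_secret(packet: bytes, candidates):
    """Offline guessing against one captured request: the Message-Authenticator
    verifies only under the right secret (RFC 2865 s8 warns about this)."""
    for candidate in candidates:
        if verify_message_authenticator(packet, candidate):
            return candidate
    return None


def demo() -> dict:
    """All values constructed; nothing here comes from the thread's environment."""
    secret = b"cisco123"  # deliberately weak, to show the risk
    pkt = build_access_request(7, b"mohammad", b"Pa55w0rd!", secret, os.urandom(16))
    found = guess_secret(pkt, [b"password", b"radius", b"cisco123", b"secret"])
    return {
        "password_in_clear": b"Pa55w0rd!" in pkt,
        "ma_ok": verify_message_authenticator(pkt, secret),
        "ma_ok_wrong_secret": verify_message_authenticator(pkt, b"wrong"),
        "guessed_secret": found,
        "recovered": recover_password(pkt, found) if found else None,
    }
```

Calling `demo()` shows the password absent from the wire bytes, the Message-Authenticator failing under the wrong secret, and the dictionary guess succeeding against the weak secret and yielding the password. The practical takeaways, which apply whether the ASA sends PAP or MS-CHAPv2 to NPS, are a long random shared secret per RADIUS client, NPS configured to accept only that client's address, and the ASA-to-NPS path kept on a trusted segment.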

Frequent Contributor

Ok, that is what I wanted to confirm. Since everything will be encrypted anyway, there is no need for me to try to implement EAP-MS-CHAP-v2.  Thank you.