11-07-2012 08:52 AM - edited 02-21-2020 06:28 PM
I have been successfully able to set up Cisco AnyConnect VPN on an ASA 5520 with 8.4 code. I have set it to authenticate against the RADIUS server (Microsoft Windows 2008 NPS server). I have noticed one thing on the server under "Constraints and Authentication Method": I picked MS-CHAP-v2, but it is considered one of the less secure authentication methods. I can click on Add and choose other authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2. I picked PEAP, but then the VPN does not work.
So first of all, does it really matter if I just leave it at MS-CHAP-v2? Because my understanding is that AnyConnect authenticates to the ASA and then the ASA in the backend talks to the RADIUS server, so from a security standpoint shouldn't this scenario be sufficient, as no unencrypted or less secure information is available to the outside world?
Secondly, is there any documentation on using PEAP with Cisco AnyConnect?
11-07-2012 01:30 PM
AnyConnect supports EAP-GTC, EAP-MD5 and EAP-MSCHAPv2.
From a security standpoint, it does not matter much what you use, since IKE will encrypt the traffic between the client and the head end anyway.
Between the head end and the RADIUS server, the password will be encrypted as well.
From A to Z, you're good to go.
Cheers,
Olivier
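The protection Olivier refers to on the head-end-to-RADIUS leg is worth seeing concretely, because it is not a cipher in the usual sense. With MS-CHAPv2 the ASA never forwards the password at all, only the MS-CHAP challenge/response pair; with PAP it forwards the password in the User-Password attribute, hidden with the RFC 2865 section 5.2 scheme: an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, XORed block by block. The following is an added example written for this page, not code from the thread or from Cisco; the shared secret, Request Authenticator and password are constructed values. It implements the hiding, the reverse operation an NPS server performs, and the offline guess an attacker holding a captured Access-Request can make against a weak shared secret, which is the practical caveat: on that leg the password is exactly as safe as the shared secret.

```python
"""RFC 2865 User-Password hiding (the PAP case of ASA -> RADIUS).

Added example for the AnyConnect/NPS thread; not from the thread itself.
Inputs below (secret, authenticator, password) are constructed test data.
"""
import hashlib


def hide_user_password(shared_secret: bytes, request_authenticator: bytes,
                       password: bytes) -> bytes:
    """Hide a PAP password the way a NAS (here the ASA) does before
    placing it in the User-Password attribute of an Access-Request.

    b1 = MD5(secret + RequestAuthenticator); c1 = p1 XOR b1
    bN = MD5(secret + c(N-1));              cN = pN XOR bN
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 octets")
    # Pad with NULs up to a multiple of 16 (RFC 2865 section 5.2).
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block          # chaining: next keystream depends on this ciphertext
    return bytes(out)


def reveal_user_password(shared_secret: bytes, request_authenticator: bytes,
                         hidden: bytes) -> bytes:
    """Reverse the hiding, as the RADIUS server (NPS) does on receipt.
    Trailing NUL padding is stripped, which is why a real password
    must not itself end in NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def guess_shared_secret(request_authenticator: bytes, hidden: bytes,
                        candidates):
    """Offline dictionary attack on a captured Access-Request.

    Without knowing the password, a wrong secret yields pseudo-random
    bytes; a right one yields printable text plus NUL padding. That
    heuristic is what makes a guessable shared secret fatal here.
    Returns (secret, password) or None.
    """
    for cand in candidates:
        pw = reveal_user_password(cand, request_authenticator, hidden)
        if pw and all(0x20 <= b < 0x7F for b in pw):
            return cand, pw
    return None


if __name__ == "__main__":
    # Constructed sample values; a real NAS picks a random authenticator.
    ra = bytes(range(16))
    secret = b"cisco123"                     # deliberately weak
    hidden = hide_user_password(secret, ra, b"S3cret!Pass")
    print("hidden User-Password:", hidden.hex())
    print("NPS recovers:", reveal_user_password(secret, ra, hidden))
    print("attacker with wordlist:",
          guess_shared_secret(ra, hidden, [b"radius", b"cisco", b"cisco123"]))
```

The round trip shows why this leg is considered protected in a PAP deployment, and the dictionary function shows the limit of that protection: nothing in the scheme slows down a guess, so the shared secret on the `aaa-server` host entry should be long and random, and the RADIUS path kept on a trusted management network. With MS-CHAPv2, as in the thread, the attribute never carries the password, so the shared secret only protects the challenge/response pair rather than the password itself.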
11-07-2012 09:01 AM
Mohammad,
The schema you're describing will work indeed for SSL and IKEv1 user authentication.
For IKEv2 based IPsec we can perform EAP-based authentication.
I don't believe certificate is an option right now on the ASA. Plus, in the case of the first schema the certificate would be from the ASA, not from the client, since authentication credentials/certificates are handled by the IKE/SSL process, not within it (if that makes sense).
M.
11-07-2012 10:52 AM
Thank you for the reply. I am currently using SSL/IKEv2 based IPsec, but once all is finalized I will be putting in the Essentials license, which gives me the IPsec licenses, so I will eventually be doing IKEv2. Now everything is working, but I need to know whether my scenario, i.e. using MS-CHAP-v2 on the Microsoft NPS 2008 server for AnyConnect authentication, is a security risk, as it is less secure?
Or shouldn't it be a problem, because the authentication information gets encrypted and the ASA validates the information in the back end with the RADIUS server?
11-07-2012 01:50 PM
Ok, that is what I wanted to confirm. Since everything will be encrypted anyway, there is no need for me to try to implement EAP-MS-CHAP-v2. Thank you.