We've just discovered that if we include the special character £ in the password, the user won't be able to log in, and once we remove that symbol the user can log in normally.
We've tested the password with the following special characters %?-_<+>#@&$* ! and there was no issue logging in.
We're using RADIUS to authenticate VPN users against Windows 2016 AD, and we have set AD to 15 characters for password length.
ASA version 9.12, AnyConnect version 4.8
Is this a known bug in the ASA/AnyConnect? If so, is there a fix/workaround for it?
It seems that it has something to do with encoding, so there are certain characters that do not work. You can use this website to check which characters will cause you problems: https://www.charset.org/utf8-to-latin-converter. Input your password into the UTF-8 field and convert to Latin. If you get a result then the password will work. If you don't get a result, it is because a special character within your password cannot be converted and thus is invalid for use.
Alternatively you can input in the Latin field and convert to UTF-8. You will always get an output, but some characters get changed, which is likely what is happening here. For example, £ becomes Â£ while é becomes Ã©.
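The encoding mismatch that reply describes, modelled as an added example (this is not code from the thread or from Cisco). It assumes the VPN side sends the password as UTF-8 bytes and the RADIUS/AD side reads those bytes as Latin-1 (ISO-8859-1), which is the assumption behind the converter check above; the function names are invented for illustration.

```python
# Added example: model why "£" breaks the login while ASCII specials do not.
# Assumption: sender encodes the password as UTF-8, receiver decodes as Latin-1.


def mojibake(password: str) -> str:
    """What a UTF-8 encoded password looks like when read as Latin-1
    (the 'Latin -> UTF-8' direction of the converter: £ -> Â£, é -> Ã©)."""
    return password.encode("utf-8").decode("latin-1")


def latin1_representable(password: str) -> bool:
    """The 'UTF-8 -> Latin' check: True if every character exists in Latin-1.
    Characters such as the euro sign have no Latin-1 code point at all."""
    try:
        password.encode("latin-1")
    except UnicodeEncodeError:
        return False
    return True


def risky_characters(password: str) -> list[str]:
    """Characters whose UTF-8 bytes differ from their Latin-1 bytes.
    Every code point above 0x7F is affected; pure ASCII never is, which is
    why %?-_<+>#@&$*! all worked in the original post."""
    return sorted({c for c in password if ord(c) > 0x7F})


def password_matches(stored: str, typed: str,
                     sender_encoding: str = "utf-8",
                     receiver_encoding: str = "latin-1") -> bool:
    """Simulate the comparison: the sender encodes the typed password, the
    receiver decodes the bytes with its own charset and compares them with
    the password held in AD. A charset mismatch makes the strings differ."""
    wire = typed.encode(sender_encoding)
    try:
        seen = wire.decode(receiver_encoding)
    except UnicodeDecodeError:
        return False
    return seen == stored


if __name__ == "__main__":
    for pw in ("Secret#15", "Secret£15"):      # constructed sample passwords
        print(pw, "risky:", risky_characters(pw),
              "matches:", password_matches(pw, pw))
```

Running the block shows the ASCII-only password matching and the one containing £ failing under the assumed mismatch, while the same password matches once both sides agree on UTF-8.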
Thanks so much for your reply.
My client stated that it's strange, as they're sure that the users were using the £ symbol before. There was no change on the ASA, AnyConnect, nor to the RADIUS/AD. It's kind of a mystery.
What you can do is switch to PAP instead of CHAP in the RADIUS configuration on the ASA. If I remember correctly, that way the ASA no longer also encrypts the password and it should work. The password should still be encrypted with the RADIUS shared secret, but make sure it's a long one!
@patoberli Actually I would recommend moving to MS-CHAPv2. I just tested this in detail and was able to recreate the problem, and was able to solve it by using MS-CHAPv2 instead of PAP for the RADIUS authentication of the VPN users. Here's how to do it:
1. First make sure that your RADIUS server will accept MS-CHAPv2 from the ASA. I'm using Microsoft's Network Policy Server (NPS) as my RADIUS server, so I just need to edit the "Constraints" for my "Network Policy".
2. Next go to the tunnel-group general-attributes and enable password-management:
    tunnel-group RA-VPN general-attributes
      password-management
Now you can use those fancy characters! Also, now when users connect and their domain password has expired, they will be able to reset their password through AnyConnect.
Please consider rating all helpful replies
I think I couldn't enable this, because I'm using MFA on the NPS 2019 server (with Microsoft Azure AD) via RADIUS. I don't remember it anymore, but there was a reason why I had to disable MS-CHAPv2 on the ASA.