03-09-2010 09:42 PM
Hi All,
I'm trying to move from Local authentication to Radius authentication. I put a check mark on the "MSCHAPv2 Capable" but ASA uses PAP to request for authentication with the Radius server. Authentication is rejected because my IAS server requires Encrypted MSCHAP or MSCHAP v2. I did enable password management but it didn't help.
I'm not a pro so most likely I’m missing something. Any help pointing in the right direction will be appreciated.
Thanks,
Alex
03-10-2010 11:09 AM
Hi,
I had this same issue before and the ASA only supported PAP for authentication against Radius.
I'm not sure if this behavior has changed with new releases.
I will check it out.
Federico.
03-10-2010 12:23 PM
I already updated to latest release and it didn't help. I have searched the Internet and found that it is possible to do that but no one can explain how. I'm more than sure that this unit can do it, but I don't know how.
03-12-2010 03:55 PM
Hi Alex. I have similar issue here. PAP works just fine but MSCHAP over EAP fails. The error message is "15047 MsCHAP is not allowed". There is no explanation for the error. I use ASC internal database though instead of AD.
03-12-2010 04:56 PM
This is from help:
To enable MS-CHAPv2 as the protocol used between the security appliance and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the security appliance to the RADIUS server. See the description of the password-management command for details.
I finally end up using Kerberos authentication. Works perfectly fine and more secure than PAP. I advise you to do the same unless you can figure out the way to make MSCHAPv2 work.
03-13-2010 10:46 AM
I think my problem is solved. I forgot to allow MSCHAPv2 under Access Policies/Default Network Access/Allowed Protocols.
01-15-2019 04:25 PM
I'm having the same exact problem where my NPS server is only getting PAP from my VPN ASA...if I disable PAP on NPA Radius server, authentication will never work. How did you fix this?
03-29-2010 02:35 PM
I enabled password management and now it is using MS-CHAPv2. Thanks for the pointer energyservices.
09-15-2013 07:54 PM
I had the same problem, enabling password-management fixed it. Documentation, if it exists, is very very difficult to find. Eventually I got it by reading ASDM Help.
09-22-2013 02:19 AM
I tried to explain it here.
https://supportforums.cisco.com/message/4042903#4042903
Thanks Jimmyc for updating thread with your findings
~BR
Jatin Katyal
**Do rate helpful posts**
04-28-2015 12:11 PM - edited 09-21-2017 03:42 AM
I realize this topic is quite long in the tooth. But, to help out anyone who's having trouble and ends up here in their search, there is one piece of information you'll want to have.
What energyservices and others have said here is correct regarding enabling "password management" etc. in the tunnel groups > general settings in order to enable MSCHAPv2 connections with your Radius server. It works.
However, be aware that the server test function in the AAA Server Groups area of ASDM continues to use PAP even if you've made changes to your tunnel group configuration. It always uses PAP and if your Radius server is set to allow only MSCHAPv2 connections the test will fail. The only way to accurately test your setup is with an actual VPN client.
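For anyone landing here from a search, the following is an added example (my own, not posted by anyone in this thread and not taken from Cisco documentation) of the ASA CLI configuration the thread converges on: the mschapv2-capable keyword on the RADIUS host entry, password-management under the tunnel group's general attributes, and the caveat that the built-in server test still sends PAP. The server group name RADIUS-NPS, tunnel group name VPN-USERS, interface name inside, the address 192.0.2.10 and the shared-secret placeholder are all assumed values, not from the thread.

```text
! Assumed names and addresses: RADIUS-NPS, VPN-USERS, inside, 192.0.2.10
! Shared secret is a placeholder; replace before use.
aaa-server RADIUS-NPS protocol radius
aaa-server RADIUS-NPS (inside) host 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER
 ! NPS listens on 1812/1813 as well as the ASA defaults 1645/1646;
 ! set these explicitly if the server side has been restricted.
 authentication-port 1812
 accounting-port 1813
 ! Marks the host as MS-CHAPv2 capable (the "MSCHAPv2 Capable" checkbox in ASDM).
 ! On its own this does NOT change the protocol the ASA sends.
 mschapv2-capable
!
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group RADIUS-NPS
 ! This is the line that switches the authentication request from PAP to MS-CHAPv2.
 ! Without it the ASA keeps sending PAP even with mschapv2-capable set above.
 password-management
!
! Verify the attribute is present in the running configuration:
!   show running-config tunnel-group VPN-USERS
!
! Caveat from this thread: the test below (and the ASDM "Test" button) always uses PAP,
! so an NPS/IAS policy that permits only MS-CHAPv2 will reject it even when the
! tunnel group is correct. Confirm with a real VPN client login instead.
!   test aaa-server authentication RADIUS-NPS host 192.0.2.10 username testuser password testpass
```

On the RADIUS side the matching change is the one described earlier in the thread: the network policy must list MS-CHAPv2 among its allowed authentication methods, otherwise the request is rejected regardless of what the ASA sends. Keeping PAP disabled on the server once MS-CHAPv2 works is the point of the exercise, since PAP carries the password in a form the RADIUS shared secret alone protects.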