07-10-2024 03:07 AM
Hi.
I am trying to use Cisco ASA for VPN connections.
I want to authenticate users by RADIUS server using only MS-CHAPv2.
When using PAP, everything works.
After enabling "password-management", in my RADIUS log I see:
Invalid user: [vpnuser/<no User-Password attribute>]
Why? What can I do?
My tunnel-group config:
tunnel-group DefaultRAGroup general-attributes
authentication-server-group REMOTE
password-management
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
authentication-server-group REMOTE
password-management
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
07-10-2024 03:55 AM
authentication chap <- without NO
no authentication pap
no authentication ms-chap-v1
authentication ms-chap-v2
07-10-2024 04:12 AM
Now it looks like this:
tunnel-group DefaultRAGroup general-attributes
authentication-server-group REMOTE
password-management
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
authentication-server-group REMOTE
password-management
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2
Still the same message in RADIUS.
07-10-2024 04:24 AM
I don't see the commands below?
authentication chap
no authentication pap
07-10-2024 04:26 AM
Exactly. They are not in show running-configuration after typing
07-10-2024 04:30 AM
show run all
Check the command list above.
MHM
07-10-2024 04:36 AM
Yes, now they are visible:
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
no authentication eap-proxy
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap
authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
no authentication eap-proxy
07-10-2024 10:06 AM
Check these notes:
Note: The test aaa-server authentication command always uses PAP to send authentication requests to the RADIUS server, there is no way to force the firewall to use MS-CHAPv2 with this command.
MHM
07-10-2024 10:31 AM
I know that. That's why I am testing by initiating a connection via AnyConnect (Android).
07-10-2024 11:13 AM
ciscoasa#debug radius
Can you share the debug output when you try to access?
MHM
07-10-2024 11:26 PM
radius mkreq: 0x20
alloc_rip 0x00007f73a4d317e0
new request 0x20 --> 20 (0x00007f73a4d317e0)
got user 'vpnuser'
got password
add_req 0x00007f73a4d317e0 session 0x20 id 20
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=xxx.xxx.xxx.xxx
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 20 (0x14)
Radius: Length = 746 (0x02EA)
Radius: Vector: 32CACADABDCE9A8CB9B0DC82FBB57F74
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
76 70 6e 75 73 65 72 | vpnuser
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = xxx
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) = xxx
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) = xxx
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 15 (0x0F)
Radius: Value (String) = xxx
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 24 (0x18)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 11 (0x0B) MS-CHAP-Challenge
Radius: Length = 18 (0x12)
Radius: Value (String) =
e0 a8 52 c3 bd d2 56 09 b0 52 9a 10 48 0c 2d 01 | ..R...V..R..H.-.
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)
Radius: Value (String) =
00 00 cf e6 60 b2 06 ee e7 68 ca 35 f8 6b 10 d5 | ....`....h.5.k..
53 9f 00 00 00 00 00 00 00 00 55 21 b4 a5 76 d7 | S.........U!..v.
61 52 ac b2 d3 8c ca f7 40 23 89 7d 26 e7 a3 bb | aR......@#.}&...
cf c9 | ..
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 6d | mdm-tlv=device-m
61 63 3d 75 6e 6b 6e 6f 77 6e | ac=unknown
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 39 (0x27)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 33 (0x21)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70 | mdm-tlv=device-p
68 6f 6e 65 2d 69 64 3d 75 6e 6b 6e 6f 77 6e | hone-id=unknown
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 39 (0x27)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 33 (0x21)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70 | mdm-tlv=device-p
6c 61 74 66 6f 72 6d 3d 61 6e 64 72 6f 69 64 | latform=android
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 42 (0x2A)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 36 (0x24)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70 | mdm-tlv=device-p
6c 61 74 66 6f 72 6d 2d 76 65 72 73 69 6f 6e 3d | latform-version=
31 33 | 13
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 63 6f 6d 70 75 74 65 72 | mdm-tlv=computer
2d 6e 61 6d 65 3d 47 61 6c 61 78 79 2d 53 32 30 | -name=Galaxy-S20
2d 46 45 | -FE
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 44 (0x2C)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 38 (0x26)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 74 | mdm-tlv=device-t
79 70 65 3d 73 61 6d 73 75 6e 67 20 53 4d 2d 47 | ype=samsung SM-G
37 38 30 47 | 780G
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 91 (0x5B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 85 (0x55)
Radius: Value (String) =
xxx | mdm-tlv=device-u
xxx | id=xxx
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 98 (0x62)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 92 (0x5C)
Radius: Value (String) =
xxx | mdm-tlv=device-u
xxx | id-global=xxx
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = xxx
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 49 (0x31)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 43 (0x2B)
Radius: Value (String) =
61 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64 | audit-session-id
3d 63 30 61 38 30 31 30 31 30 30 30 31 36 30 30 | =c0a801010001600
30 36 36 38 66 37 38 66 34 | 0668f78f4
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
xxx | ip:source-ip=xxx
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 26 (0x1A)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 20 (0x14)
Radius: Value (String) =
44 65 66 61 75 6c 74 57 45 42 56 50 4e 47 72 6f | DefaultWEBVPNGro
75 70 | up
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 6 (0x0006)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 15 (0x0F)
Radius: Value (String) =
63 6f 61 2d 70 75 73 68 3d 74 72 75 65 | coa-push=true
send pkt xxx.xxx.xxx.xxx/1812
rip 0x00007f73a4d317e0 state 7 id 20
rad_vrfy() : response message verified
rip 0x00007f73a4d317e0
: chall_state ''
: state 0x7
: reqauth:
32 ca ca da bd ce 9a 8c b9 b0 dc 82 fb b5 7f 74
: info 0x00007f73a4d31920
session_id 0x20
request_id 0x14
user 'vpnuser'
response '***'
app 0
reason 0
skey 'xxxxxxxxxxxxx'
sip xxx
type 1
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 20).....
03 14 00 14 53 f8 2b 42 c1 a6 a0 71 fc 59 63 d7 | ....S.+B...q.Yc.
e0 94 96 d9 | ....
Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 20 (0x14)
Radius: Length = 20 (0x0014)
Radius: Vector: 53F82B42C1A6A071FC5963D7E09496D9
rad_procpkt: REJECT
Failed to find MS-CHAP-ERROR in radius REJECT message while expecting it!
RADIUS_DELETE
remove_req 0x00007f73a4d317e0 session 0x20 id 20
free_rip 0x00007f73a4d317e0
radius: send queue empty
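The debug above shows an Access-Request that carries MS-CHAP-Challenge and MS-CHAP2-Response (Microsoft vendor ID 311, sub-types 11 and 25) and no User-Password, followed by a bare 20-byte Access-Reject that the ASA complains about because it contains no MS-CHAP-Error attribute. As an added example that is not part of the thread and not Cisco code, the Python below builds such an exchange from constructed values, parses the attributes to classify the request as PAP (User-Password present) or MS-CHAPv2 (the two Microsoft VSAs present), checks the reject's Response Authenticator against the shared secret as RFC 2865 defines it, and reports whether an MS-CHAP-Error attribute is present. The shared secret, Request Authenticator, challenge and response bytes are all constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers (RFC 2865; RFC 2548 for the Microsoft VSAs)
ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
VENDOR_MICROSOFT = 311
MS_CHAP_ERROR, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 2, 11, 25

SECRET = b"constructed-shared-secret"  # placeholder, not a real secret


def attr(atype, value):
    """Encode a plain attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id, vtype, value):
    """Encode a Vendor-Specific attribute wrapping one vendor sub-attribute."""
    sub = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attrs(data):
    """Return (type, vendor_id, vendor_type, value) tuples; vendor fields are None for plain attributes."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            out.append((atype, vendor, vtype, value[6:4 + vlen]))
        else:
            out.append((atype, None, None, value))
        i += alen
    return out


def parse_packet(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length field")
    return code, identifier, pkt[4:20], parse_attrs(pkt[20:])


def auth_method(attrs):
    """Classify like a RADIUS server: PAP carries User-Password, MS-CHAPv2 carries the two Microsoft VSAs."""
    keys = {(a[0], a[1], a[2]) for a in attrs}
    if (USER_PASSWORD, None, None) in keys:
        return "PAP"
    if {(VENDOR_SPECIFIC, VENDOR_MICROSOFT, MS_CHAP_CHALLENGE),
        (VENDOR_SPECIFIC, VENDOR_MICROSOFT, MS_CHAP2_RESPONSE)} <= keys:
        return "MS-CHAPv2"
    return "unknown"


def response_authenticator(code, identifier, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(response, request_auth, secret):
    code, identifier, resp_auth, _ = parse_packet(response)
    expected = response_authenticator(code, identifier, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, resp_auth)


def diagnose(request, response, secret):
    """Summarise the exchange the way the ASA debug does: method, reject or not, MS-CHAP-Error present or not."""
    _, rid, req_auth, rattrs = parse_packet(request)
    scode, sid, _, sattrs = parse_packet(response)
    return {
        "method": auth_method(rattrs),
        "id_match": rid == sid,
        "authenticator_ok": verify_response(response, req_auth, secret),
        "reject": scode == ACCESS_REJECT,
        "has_ms_chap_error": any(a[1] == VENDOR_MICROSOFT and a[2] == MS_CHAP_ERROR for a in sattrs),
    }


def sample_exchange(secret=SECRET, with_error=False):
    """Constructed MS-CHAPv2 Access-Request (ID 20) plus a bare Access-Reject like the 20-byte one in the debug."""
    req_auth = bytes(range(16))                     # constructed Request Authenticator
    challenge = bytes(range(0x10, 0x20))            # constructed 16-byte MS-CHAP-Challenge
    # MS-CHAP2-Response: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24) = 50 bytes, zeroed here
    ms2 = bytes(2) + bytes(16) + bytes(8) + bytes(24)
    request = build_packet(ACCESS_REQUEST, 20, req_auth, [
        attr(USER_NAME, b"vpnuser"),
        vsa(VENDOR_MICROSOFT, MS_CHAP_CHALLENGE, challenge),
        vsa(VENDOR_MICROSOFT, MS_CHAP2_RESPONSE, ms2),
    ])
    # Optional constructed MS-CHAP-Error (Ident byte + "E=691 ..." text) to show what a well-formed reject carries
    body = vsa(VENDOR_MICROSOFT, MS_CHAP_ERROR, b"\x00E=691 R=0 V=3") if with_error else b""
    reject = build_packet(ACCESS_REJECT, 20,
                          response_authenticator(ACCESS_REJECT, 20, req_auth, body, secret), [body])
    return request, reject


def sample_diagnosis(with_error=False):
    request, reject = sample_exchange(with_error=with_error)
    return diagnose(request, reject, SECRET)


def sample_pap_method():
    pap = build_packet(ACCESS_REQUEST, 7, bytes(16),
                       [attr(USER_NAME, b"vpnuser"), attr(USER_PASSWORD, bytes(16))])
    return auth_method(parse_packet(pap)[3])


if __name__ == "__main__":
    print(sample_diagnosis())
```

Run on the constructed exchange, the diagnosis reports method MS-CHAPv2, a matching identifier, a valid Response Authenticator, and a reject with no MS-CHAP-Error, which is exactly the combination the ASA logs as "Failed to find MS-CHAP-ERROR in radius REJECT message". A server log reading "no User-Password attribute" against a request of this shape therefore points at the server treating the request as PAP rather than at the ASA failing to send credentials.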
07-11-2024 01:01 AM
Okay, trying for the 4th time...
07-14-2024 04:07 AM
Sorry, I don't get your last reply, and the link is not safe to open from my MacBook.
MHM
07-14-2024 04:33 AM
You need to allow both: encrypt CHAP and MS-CHAP-V2.
This is needed; it seems the ASA sends the correct CHAP but the RADIUS is rejecting it.
MHM
07-14-2024 11:36 PM
Okay, it seems once again Cisco is too stupid to make it work as it should.
Thanks for helping.