Cisco ASA VPN and RADIUS MS-CHAPv2

Kliwer
Level 1

Hi.

I am trying to use Cisco ASA for VPN connections.

I want to authenticate users by RADIUS server using only MS-CHAPv2.

When using PAP, everything works.

After enabling "password-management", in my RADIUS log I see:

Invalid user: [vpnuser/<no User-Password attribute>]

Why? What can I do?

My tunnel-group config:

tunnel-group DefaultRAGroup general-attributes
 authentication-server-group REMOTE
 password-management
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_Pool
 authentication-server-group REMOTE
 password-management
tunnel-group DefaultWEBVPNGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

17 Replies

I don't think it's an ASA issue; it's a RADIUS issue.

Did you check the RADIUS auth config, as I mentioned?

You need to allow both encrypted CHAP and MS-CHAPv2.

MHM

I am not gonna change RADIUS to please Cisco ASA. RADIUS is used by something else primarily.

Cisco sends Access-Request correctly. It's either misconfiguration on the RADIUS server or the server is buggy. I believe that currently you're using CHAP, rather than MS-CHAPv2, and hence password-management (password change feature) doesn't actually work for you.
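One way to settle which method a captured Access-Request actually carries is to look at its credential attributes. This is an added example, not code from the thread or from Cisco: it parses the RADIUS attribute list and reports PAP (User-Password, type 2), CHAP (CHAP-Password, type 3) or MS-CHAP (Microsoft vendor-specific attributes from RFC 2548). The helper names and the sample packets are constructed for illustration.

```python
import struct

MS_VENDOR_ID = 311                      # Microsoft vendor ID (RFC 2548)
STANDARD = {2: "User-Password", 3: "CHAP-Password"}           # RFC 2865
MS_VSA = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}

def attr(atype, value):
    """Encode one type/length/value attribute (hypothetical helper)."""
    return bytes([atype, len(value) + 2]) + value

def ms_vsa(vtype, value):
    """Wrap a Microsoft sub-attribute in Vendor-Specific (type 26)."""
    return attr(26, struct.pack("!I", MS_VENDOR_ID) + attr(vtype, value))

def access_request(*attrs):
    body = b"".join(attrs)
    # Code 1 = Access-Request, constructed identifier 7, zeroed authenticator.
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def credential_attributes(packet):
    """Return the names of credential-bearing attributes in an Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype in STANDARD:
            found.append(STANDARD[atype])
        elif atype == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MS_VENDOR_ID:
            found.append(MS_VSA.get(value[4], "MS-VSA-%d" % value[4]))
        pos += alen
    return found

def auth_method(packet):
    names = credential_attributes(packet)
    for marker, method in (("MS-CHAP2-Response", "MS-CHAPv2"), ("MS-CHAP-Response", "MS-CHAPv1"),
                           ("CHAP-Password", "CHAP"), ("User-Password", "PAP")):
        if marker in names:
            return method
    return "none"

# Constructed sample packets (placeholder bytes, not real credentials).
USER = attr(1, b"vpnuser")
PAP_REQ = access_request(USER, attr(2, bytes(16)))
CHAP_REQ = access_request(USER, attr(3, bytes(17)))
MSCHAP2_REQ = access_request(USER, ms_vsa(11, bytes(16)), ms_vsa(25, bytes(50)))
```

A request that classifies as CHAP or MS-CHAPv2 has no User-Password attribute by design, so a server-side message about a missing User-Password indicates the request is being evaluated by a PAP-style check.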