
Cisco ASA VPN and RADIUS MS-CHAPv2

Kliwer
Level 1

Hi.

I am trying to use Cisco ASA for VPN connections.

I want to authenticate users by RADIUS server using only MS-CHAPv2.

When using PAP, everything works.

After enabling "password-management" in my RADIUS log I see:

Invalid user: [vpnuser/<no User-Password attribute>]

Why? What can I do?

My tunnel-group config:

tunnel-group DefaultRAGroup general-attributes
authentication-server-group REMOTE
password-management
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
authentication-server-group REMOTE
password-management
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2

15 Replies

 authentication chap <- without NO

no authentication pap
no authentication ms-chap-v1
authentication ms-chap-v2

Kliwer
Level 1

Now it looks like this:

tunnel-group DefaultRAGroup general-attributes
authentication-server-group REMOTE
password-management
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
authentication-server-group REMOTE
password-management
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2


Still the same message in RADIUS.

I don't see the commands below?

authentication chap 

no authentication pap

Kliwer
Level 1

Exactly. They are not in show running-configuration after typing

Show run all

Check the command list above.

MHM

Kliwer
Level 1

Yes, now they are visible:

tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
no authentication eap-proxy

tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap
authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
no authentication eap-proxy

Check this note:

Note: The test aaa-server authentication command always uses PAP to send authentication requests to the RADIUS server; there is no way to force the firewall to use MS-CHAPv2 with this command.

MHM

Kliwer
Level 1

I know that. That's why I am testing by initiating a connection via AnyConnect (Android).

ciscoasa#debug radius

Can you share the debug when you try to access?

MHM 

radius mkreq: 0x20
alloc_rip 0x00007f73a4d317e0
    new request 0x20 --> 20 (0x00007f73a4d317e0)
got user 'vpnuser'
got password
add_req 0x00007f73a4d317e0 session 0x20 id 20
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=xxx.xxx.xxx.xxx

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 20 (0x14)
Radius: Length = 746 (0x02EA)
Radius: Vector: 32CACADABDCE9A8CB9B0DC82FBB57F74
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
76 70 6e 75 73 65 72                               |  vpnuser
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = xxx
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) = xxx
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) = xxx
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 15 (0x0F)
Radius: Value (String) = xxx
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 24 (0x18)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 11 (0x0B) MS-CHAP-Challenge
Radius: Length = 18 (0x12)
Radius: Value (String) =
e0 a8 52 c3 bd d2 56 09 b0 52 9a 10 48 0c 2d 01    |  ..R...V..R..H.-.
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)
Radius: Value (String) =
00 00 cf e6 60 b2 06 ee e7 68 ca 35 f8 6b 10 d5    |  ....`....h.5.k..
53 9f 00 00 00 00 00 00 00 00 55 21 b4 a5 76 d7    |  S.........U!..v.
61 52 ac b2 d3 8c ca f7 40 23 89 7d 26 e7 a3 bb    |  aR......@#.}&...
cf c9                                              |  ..
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 6d    |  mdm-tlv=device-m
61 63 3d 75 6e 6b 6e 6f 77 6e                      |  ac=unknown
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 39 (0x27)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 33 (0x21)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70    |  mdm-tlv=device-p
68 6f 6e 65 2d 69 64 3d 75 6e 6b 6e 6f 77 6e       |  hone-id=unknown
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 39 (0x27)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 33 (0x21)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70    |  mdm-tlv=device-p
6c 61 74 66 6f 72 6d 3d 61 6e 64 72 6f 69 64       |  latform=android
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 42 (0x2A)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 36 (0x24)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70    |  mdm-tlv=device-p
6c 61 74 66 6f 72 6d 2d 76 65 72 73 69 6f 6e 3d    |  latform-version=
31 33                                              |  13
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 63 6f 6d 70 75 74 65 72    |  mdm-tlv=computer
2d 6e 61 6d 65 3d 47 61 6c 61 78 79 2d 53 32 30    |  -name=Galaxy-S20
2d 46 45                                           |  -FE
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 44 (0x2C)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 38 (0x26)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 74    |  mdm-tlv=device-t
79 70 65 3d 73 61 6d 73 75 6e 67 20 53 4d 2d 47    |  ype=samsung SM-G
37 38 30 47                                        |  780G
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 91 (0x5B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 85 (0x55)
Radius: Value (String) =
xxx    |  mdm-tlv=device-u
xxx    |  id=xxx
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 98 (0x62)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 92 (0x5C)
Radius: Value (String) =
xxx    |  mdm-tlv=device-u
xxx    |  id-global=xxx
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = xxx
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 49 (0x31)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 43 (0x2B)
Radius: Value (String) =
61 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64    |  audit-session-id
3d 63 30 61 38 30 31 30 31 30 30 30 31 36 30 30    |  =c0a801010001600
30 36 36 38 66 37 38 66 34                         |  0668f78f4
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
xxx    |  ip:source-ip=xxx
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 26 (0x1A)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 20 (0x14)
Radius: Value (String) =
44 65 66 61 75 6c 74 57 45 42 56 50 4e 47 72 6f    |  DefaultWEBVPNGro
75 70                                              |  up
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 6 (0x0006)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 15 (0x0F)
Radius: Value (String) =
63 6f 61 2d 70 75 73 68 3d 74 72 75 65             |  coa-push=true
send pkt xxx.xxx.xxx.xxx/1812
rip 0x00007f73a4d317e0 state 7 id 20
rad_vrfy() : response message verified
rip 0x00007f73a4d317e0
 : chall_state ''
 : state 0x7
 : reqauth:
     32 ca ca da bd ce 9a 8c b9 b0 dc 82 fb b5 7f 74
 : info 0x00007f73a4d31920
     session_id 0x20
     request_id 0x14
     user 'vpnuser'
     response '***'
     app 0
     reason 0
     skey 'xxxxxxxxxxxxx'
     sip xxx
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 20).....
03 14 00 14 53 f8 2b 42 c1 a6 a0 71 fc 59 63 d7    |  ....S.+B...q.Yc.
e0 94 96 d9                                        |  ....

Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 20 (0x14)
Radius: Length = 20 (0x0014)
Radius: Vector: 53F82B42C1A6A071FC5963D7E09496D9
rad_procpkt: REJECT
Failed to find MS-CHAP-ERROR in radius REJECT message while expecting it!
RADIUS_DELETE
remove_req 0x00007f73a4d317e0 session 0x20 id 20
free_rip 0x00007f73a4d317e0
radius: send queue empty
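The debug above shows two things worth reading off the wire: the Access-Request carries the credential in Microsoft Vendor-Specific attributes (Vendor ID 311, MS-CHAP-Challenge and MS-CHAP2-Response) and has no User-Password attribute at all, which is exactly what the RADIUS log's "<no User-Password attribute>" complaint refers to; and the Access-Reject is a bare 20-byte header with no attributes, so there is no MS-CHAP-Error for the ASA to find. The following Python decoder is an added example, not code from this thread, from Cisco or from any RADIUS server: it parses the raw reject shown in the debug, rebuilds the request's credential-bearing attributes from the parsed values above, reports which credential a request carries, recomputes the RFC 2865 response authenticator the way rad_vrfy() does, and builds a reject that does carry MS-CHAP-Error for comparison. The shared secret is a constructed placeholder (the real one is masked as 'xxx' in the debug), and the MS-CHAP-Error text is a constructed value in the RFC 2548 E=/R=/V= form.

```python
import hashlib
import hmac
import struct

# RFC 2865 codes and attribute types that appear in the ASA debug above
ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC = 1, 2, 3, 26
VENDOR_MICROSOFT = 311  # "Vendor ID = 311" in the debug is Microsoft (RFC 2548)
MS_CHAP_ERROR, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 2, 11, 25

def parse_attributes(blob):
    """Walk a RADIUS attribute list; VSAs become (26, vendor_id, sub_type, sub_value)."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2 or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError("bad attribute at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        value = blob[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short at offset %d" % pos)
            vendor, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos < len(value):
                if len(value) - vpos < 2 or value[vpos + 1] < 2 or vpos + value[vpos + 1] > len(value):
                    raise ValueError("bad VSA sub-attribute at offset %d" % (pos + 2 + vpos))
                vtype, vlen = value[vpos], value[vpos + 1]
                attrs.append((VENDOR_SPECIFIC, vendor, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            attrs.append((atype, value))
        pos += alen
    return attrs

def parse_packet(raw):
    """Split a raw RADIUS packet into its header fields and attribute list."""
    if len(raw) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(raw)))
    return {"code": code, "id": ident, "length": length, "authenticator": raw[4:20],
            "attrs": parse_attributes(raw[20:length])}

def response_authenticator(code, ident, attr_blob, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_blob))
    return hashlib.md5(header + request_auth + attr_blob + secret).digest()

def verify_response(raw, request_auth, secret):
    """The check behind the debug's 'rad_vrfy() : response message verified' line."""
    pkt = parse_packet(raw)
    expected = response_authenticator(pkt["code"], pkt["id"], raw[20:pkt["length"]], request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])

def auth_method(pkt):
    """Which credential the request carries; an MS-CHAPv2 request has no User-Password at all."""
    types = {a[0] for a in pkt["attrs"]}
    ms_types = {a[2] for a in pkt["attrs"] if a[0] == VENDOR_SPECIFIC and a[1] == VENDOR_MICROSOFT}
    if USER_PASSWORD in types:
        return "pap"
    if MS_CHAP2_RESPONSE in ms_types:
        return "mschapv2"
    return "chap" if CHAP_PASSWORD in types else "none"

def ms_chap_error(pkt):
    """MS-CHAP-Error value from a reject, or None when the server sent a bare reject."""
    for a in pkt["attrs"]:
        if a[0] == VENDOR_SPECIFIC and a[1] == VENDOR_MICROSOFT and a[2] == MS_CHAP_ERROR:
            return a[3]
    return None

def vsa(vendor, sub_type, sub_value):
    """Encode one Vendor-Specific attribute in the RFC 2865 vendor-id + sub-TLV layout."""
    sub = bytes([sub_type, 2 + len(sub_value)]) + sub_value
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor) + sub

def build_reject(ident, request_auth, secret, error=None):
    """Access-Reject as a RADIUS server would emit it, optionally carrying MS-CHAP-Error."""
    attrs = vsa(VENDOR_MICROSOFT, MS_CHAP_ERROR, error) if error is not None else b""
    auth = response_authenticator(ACCESS_REJECT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs)) + auth + attrs

# Values copied from the debug above: request authenticator, the two MS-CHAP VSAs, the raw reject.
REQUEST_AUTH = bytes.fromhex("32cacadabdce9a8cb9b0dc82fbb57f74")
CHALLENGE = bytes.fromhex("e0a852c3bdd25609b0529a10480c2d01")
RESPONSE = bytes.fromhex("0000cfe660b206eee768ca35f86b10d5" "539f00000000000000005521b4a576d7"
                         "6152acb2d38ccaf74023897d26e7a3bb" "cfc9")
REJECT_FROM_DEBUG = bytes.fromhex("0314001453f82b42c1a6a071fc5963d7e09496d9")
# The request rebuilt from the parsed fields, keeping only the credential-bearing attributes.
REQUEST_ATTRS = (bytes([USER_NAME, 9]) + b"vpnuser" + vsa(VENDOR_MICROSOFT, MS_CHAP_CHALLENGE, CHALLENGE)
                 + vsa(VENDOR_MICROSOFT, MS_CHAP2_RESPONSE, RESPONSE))
REQUEST = struct.pack("!BBH", ACCESS_REQUEST, 20, 20 + len(REQUEST_ATTRS)) + REQUEST_AUTH + REQUEST_ATTRS
# Constructed placeholders: the debug masks the real secret as 'xxx'; the error text uses RFC 2548's E=/R=/V= form.
SECRET = b"constructed-shared-secret"
SAMPLE_ERROR = b"\x00E=691 R=0 V=3"

if __name__ == "__main__":
    print("request carries:", auth_method(parse_packet(REQUEST)))
    rej = parse_packet(REJECT_FROM_DEBUG)
    print("reject from debug: attrs=%d ms_chap_error=%r" % (len(rej["attrs"]), ms_chap_error(rej)))
    built = build_reject(20, REQUEST_AUTH, SECRET, SAMPLE_ERROR)
    print("built reject verifies:", verify_response(built, REQUEST_AUTH, SECRET), ms_chap_error(parse_packet(built)))
```

Run stand-alone, it reports that the rebuilt request carries mschapv2, that the reject from the debug has zero attributes and therefore no MS-CHAP-Error, and that the constructed reject both verifies against the request authenticator and yields the error value. Pointed at a capture taken on the RADIUS server side, the same decoder tells you whether the server answers MS-CHAPv2 requests with the error VSA the ASA is waiting for or with a bare reject like the one above.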

Kliwer
Level 1

Okay, trying for the 4th time...

https://pastebin.com/VFjde2MZ

Sorry, I don't get your last reply, and the link is not safe to open from my MacBook.
MHM

You need to allow both encrypted CHAP and MS-CHAP-V2.
This is needed; it seems the ASA sends the correct CHAP but the RADIUS server rejects it.

MHM

[attached screenshot: pap.PNG]

Kliwer
Level 1

Okay, it seems once again Cisco is too stupid to make it work as it should.

Thanks for helping.