Not working characters in user passwords for VPN access

patoberli
VIP Alumni

Hello

I'm from a German-speaking country and we use Cisco ASA running 9.1(6).6. The issue also existed in older releases like 8.2.x and 8.4.x.

We discovered that users don't get access (username/password error) when they use an umlaut (äöü) or a percent (%) sign in their passwords.

The ASA authenticates the users against a Windows 2008 R2 based RADIUS server (NPS role).

Are there any compatibility settings that I could make on the ASA side or the NPS side to get passwords with äöü working?

Thanks

2 Replies

patoberli
VIP Alumni

Finally I found it!

After testing many settings and stuff I solved it, äöü and % in the password work now!

You have to enable under "Remote Access VPN" - "Network (Client) Access" - "AnyConnect Connection Profiles" in the DefaultWEBVPNGroup profile under Advanced - General the option "Enable Password Management".

Please note that the RADIUS server also needs to have MS-CHAP-V2 enabled in the Network Policies (on Server 2008R2 or newer, tested with 2012R2).

This here helped: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

I did not need to enable it in any other AnyConnect Connection Profile to have it working for all :)

Please note, in my case it stopped working when the Active Directory was upgraded to Server 2016 with recommended security settings. I had to fall back now and äöü isn't working anymore.

So far I haven't found a working and safe solution for Server 2016 or newer :(