Watch out: Windows Server 2019 and NPS 2012r2 and ASA VPN with MS-CHAPv2 incompatibility

patoberli
VIP Alumni

Hello All

I'm running two Firepower ASAs with the ASA code for AnyConnect VPN access. The RADIUS servers are Windows Server 2008r2 and Server 2012r2 with the NPS role. The Active Directory servers were running Server 2012r2 and have now been replaced with Server 2019.

Once the new AD servers were running, VPN authentication through the NPS servers broke. Wireless, also authenticated against the same RADIUS servers, continued to work.

I now got it working by disabling the mschapv2-capable flag for the NPS servers. For whatever reason, with the new AD servers the authentication always failed with "wrong username or password" while mschapv2-capable was enabled.

Please note, I have password-management enabled. 

I don't remember anymore why I have MSCHAPv2-capable enabled, but I think I did that years ago to allow umlaut characters in passwords, which wasn't possible without it.

Please also note, the new DC servers now have various old encryption protocols, like TLS 1.0, disabled.

Has anybody else had that experience?

Thanks

Patrick


[edit]

Corrected the text about password management, which is enabled. I also checked my internal logs: I indeed enabled this to allow öäü and the % sign in passwords.
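As an added illustration (not from the original post, and not Cisco's own documentation), the ASA configuration the post is talking about, with the RADIUS host entries in their default state and then with the workaround applied. The group name NPS-RADIUS, the interface name, the 192.0.2.x addresses and the tunnel-group name are assumptions; the commands themselves (aaa-server host mode, mschapv2-capable, password-management) are standard ASA CLI.

```cisco
! Added example; group name, interface, addresses and tunnel-group are assumed.
!
! Starting point: mschapv2-capable is the default on a RADIUS host entry, so
! the ASA sends MS-CHAPv2 to NPS. This is what the post had in place for years
! to let passwords with characters such as öäü and % through.
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
 mschapv2-capable
aaa-server NPS-RADIUS (inside) host 192.0.2.11
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
 mschapv2-capable
!
! password-management stays enabled, as in the post.
tunnel-group ANYCONNECT-VPN general-attributes
 authentication-server-group NPS-RADIUS
 password-management
!
! Workaround described in the post: turn MS-CHAPv2 off per host. The ASA then
! falls back to PAP towards NPS, so the NPS network policy must permit
! "Unencrypted authentication (PAP, SPAP)", the RADIUS shared secret should be
! long and unique, and the path between ASA and NPS should be a trusted network.
aaa-server NPS-RADIUS (inside) host 192.0.2.10
 no mschapv2-capable
aaa-server NPS-RADIUS (inside) host 192.0.2.11
 no mschapv2-capable
```

To verify the change without involving a VPN client, run `test aaa-server authentication NPS-RADIUS host 192.0.2.10 username <user> password <password>` on the ASA and read the result together with the NPS Security event log on the server (Event ID 6272 is a granted request, 6273 a denied one; the denied event carries the reason code that explains why MS-CHAPv2 failed). Since the post only reports that plain authentication works again, also check afterwards that expired-password prompting through password-management still behaves the way you expect with the PAP fallback.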

2 Replies

Thanks. I haven't tested this yet, but it looks like it's deprecated for security reasons. I wonder if there is some successor technology that could be used.