configure a Cisco ASA to use MS-CHAP v2 for RADIUS authentication
Posted
by DrStalker
on Server Fault
See other posts from Server Fault
or by DrStalker
Published on 2010-04-15T08:49:34Z
Indexed on
2010/04/15
8:53 UTC
Read the original article
Hit count: 1220
Cisco ASA5505 8.2(2) Windows 2003 AD server
We want to configure our ASA (10.1.1.1) to authenticate remote VPN users through RADIUS on the Windows AD controller (10.1.1.200)
We have the following entry on the ASA:
aaa-server SYSCON-RADIUS protocol radius
aaa-server SYSCON-RADIUS (inside) host 10.1.1.200
key *****
radius-common-pw *****
When I test a login using the account COMPANY\username I see the users credentials are correct in the security log, but I get the following in the windows system logs:
User COMPANY\myusername was denied access.
Fully-Qualified-User-Name = company.com/CorpUsers/AU/My Name
NAS-IP-Address = 10.1.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = ASA5510
Client-IP-Address = 10.1.1.1
NAS-Port-Type = Virtual
NAS-Port = 7
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Authentication
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
My assumption is that the ASA is using PAP authentication, instead of MS-CHAP v2; the credentials are confirmed, the proper Remote Access Policy is being used, but this policy is set to only allow MS-CHAP2. What do we need to do on the ASA to make it us MS-CHAP v2? In the ADSM GUI The "Microsoft CHAP v2 compatible" tickbox is enabled, but I don't know what this corresponds to in the config.
© Server Fault or respective owner