configure a Cisco ASA to use MS-CHAP v2 for RADIUS authentication

Posted by DrStalker on Server Fault See other posts from Server Fault or by DrStalker
Published on 2010-04-15T08:49:34Z Indexed on 2010/04/15 8:53 UTC
Read the original article Hit count: 1220

Filed under:
|
|
|

Cisco ASA5505 8.2(2) Windows 2003 AD server

We want to configure our ASA (10.1.1.1) to authenticate remote VPN users through RADIUS on the Windows AD controller (10.1.1.200)

We have the following entry on the ASA:

aaa-server SYSCON-RADIUS protocol radius
aaa-server SYSCON-RADIUS (inside) host 10.1.1.200
 key *****
 radius-common-pw *****

When I test a login using the account COMPANY\username I see the users credentials are correct in the security log, but I get the following in the windows system logs:

User COMPANY\myusername was denied access.
 Fully-Qualified-User-Name = company.com/CorpUsers/AU/My Name
 NAS-IP-Address = 10.1.1.1
 NAS-Identifier = <not present> 
 Called-Station-Identifier = <not present> 
 Calling-Station-Identifier = <not present> 
 Client-Friendly-Name = ASA5510
 Client-IP-Address = 10.1.1.1
 NAS-Port-Type = Virtual
 NAS-Port = 7
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows 
 Authentication-Server = <undetermined> 
 Policy-Name = VPN Authentication
 Authentication-Type = PAP
 EAP-Type = <undetermined> 
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

My assumption is that the ASA is using PAP authentication, instead of MS-CHAP v2; the credentials are confirmed, the proper Remote Access Policy is being used, but this policy is set to only allow MS-CHAP2. What do we need to do on the ASA to make it us MS-CHAP v2? In the ADSM GUI The "Microsoft CHAP v2 compatible" tickbox is enabled, but I don't know what this corresponds to in the config.

© Server Fault or respective owner

Related posts about asa

Related posts about cisco