configure a Cisco ASA to use MS-CHAP v2 for RADIUS authentication

Cisco ASA5505 8.2(2) Windows 2003 AD server

We want to configure our ASA ( to authenticate remote VPN users through RADIUS on the Windows AD controller (

We have the following entry on the ASA:

aaa-server SYSCON-RADIUS protocol radius
aaa-server SYSCON-RADIUS (inside) host
 key *****
 radius-common-pw *****

When I test a login using the account COMPANY\username I see the users credentials are correct in the security log, but I get the following in the windows system logs:

User COMPANY\myusername was denied access.
 Fully-Qualified-User-Name = Name
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = ASA5510
 Client-IP-Address =
 NAS-Port-Type = Virtual
 NAS-Port = 7
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = VPN Authentication
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

My assumption is that the ASA is using PAP authentication, instead of MS-CHAP v2; the credentials are confirmed, the proper Remote Access Policy is being used, but this policy is set to only allow MS-CHAP2. What do we need to do on the ASA to make it us MS-CHAP v2? In the ADSM GUI The "Microsoft CHAP v2 compatible" tickbox is enabled, but I don't know what this corresponds to in the config.
Who is Participating?
DrStalkerConnect With a Mentor Author Commented:
We gave up on getting this to work after dealing with cisco support, who just kept repeating the phrases "Radius authentication always uses PAP" before mentioning some settings that don't exist and which they couldn't give us any more information on, but would make Radius authentication use MS-CHap even though it always uses PAP.

Big thumbs down for Cisco support on this.

DrStalkerAuthor Commented:

I tried to add the following to the tunnelgroup:

tunnel-group MYTUNNEL-AD ppp-attributes
 no authentication pap
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

but the "no authentication pap" command doesn't do anything, and doesn't show when I run show tunnel-group... and the ASA is still using PAP

Pete LongTechnical ConsultantCommented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.