configure a Cisco ASA to use MS-CHAP v2 for RADIUS authentication

Cisco ASA5505 8.2(2) Windows 2003 AD server

We want to configure our ASA ( to authenticate remote VPN users through RADIUS on the Windows AD controller (

We have the following entry on the ASA:

aaa-server SYSCON-RADIUS protocol radius
aaa-server SYSCON-RADIUS (inside) host
 key *****
 radius-common-pw *****

When I test a login using the account COMPANY\username I see the users credentials are correct in the security log, but I get the following in the windows system logs:

User COMPANY\myusername was denied access.
 Fully-Qualified-User-Name = Name
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = ASA5510
 Client-IP-Address =
 NAS-Port-Type = Virtual
 NAS-Port = 7
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = VPN Authentication
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

My assumption is that the ASA is using PAP authentication, instead of MS-CHAP v2; the credentials are confirmed, the proper Remote Access Policy is being used, but this policy is set to only allow MS-CHAP2. What do we need to do on the ASA to make it us MS-CHAP v2? In the ADSM GUI The "Microsoft CHAP v2 compatible" tickbox is enabled, but I don't know what this corresponds to in the config.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DrStalkerAuthor Commented:

I tried to add the following to the tunnelgroup:

tunnel-group MYTUNNEL-AD ppp-attributes
 no authentication pap
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

but the "no authentication pap" command doesn't do anything, and doesn't show when I run show tunnel-group... and the ASA is still using PAP

Pete LongTechnical ConsultantCommented:
DrStalkerAuthor Commented:
We gave up on getting this to work after dealing with cisco support, who just kept repeating the phrases "Radius authentication always uses PAP" before mentioning some settings that don't exist and which they couldn't give us any more information on, but would make Radius authentication use MS-CHap even though it always uses PAP.

Big thumbs down for Cisco support on this.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.