jimmycher (United States of America) asked:

Do I need PAP for a Cisco ASA 5500 FW connecting into a Windows 2008 server, using the RADIUS protocol?

We have an ASA that allows remote VPN users. It connects to a Windows 2008 server. That server connects to a RADIUS server, also Windows 2008. Things work fine if we enable PAP on the RADIUS server and the remote site server. If we disable PAP on either one, we lose the ability to authenticate. Is this unsafe?
Tags: Cisco, Microsoft Server Apps, VPN

Last comment: 8/22/2022 (Mon)

PAP is a plain-text method used to exchange credentials.
User to ASA within the VPN.
ASA transmits RADIUS packets to the Windows 2008 NDS.
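To make the "plain text" point concrete for the RADIUS leg of this setup (ASA to NPS), here is an added example that is not from the thread or from Cisco or Microsoft. It implements the User-Password hiding from RFC 2865 section 5.2, which is exactly how a NAS carries a PAP password inside an Access-Request: the password is NUL-padded and XORed with an MD5 keystream derived from the shared secret and the Request Authenticator. The usernames, password, secret and authenticator below are constructed sample values.

```python
"""RFC 2865 User-Password hiding as used for PAP over RADIUS.

Added example; not code from the thread, Cisco or Microsoft.  All sample
values (user, password, shared secret, authenticator) are constructed.
"""
import hashlib
import os
import struct
from typing import Optional, Tuple

ACCESS_REQUEST = 1      # RADIUS Code for Access-Request
ATTR_USER_NAME = 1      # Attribute type 1
ATTR_USER_PASSWORD = 2  # Attribute type 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Mask a PAP password for the User-Password attribute (RFC 2865 s5.2).

    Each 16-octet block of the NUL-padded password is XORed with
    MD5(secret || prev), where prev is the Request Authenticator for the
    first block and the previous masked block afterwards.  This is keyed
    obfuscation, not authenticated encryption: whoever holds the shared
    secret (or can guess a weak one) can invert it.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    masked = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        masked += block
        prev = block
    return bytes(masked)


def unhide_password(masked: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the RADIUS server (NPS) computes."""
    if not masked or len(masked) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(masked), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = masked[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Padding is NUL; this assumes the real password contains no NUL octets.
    return bytes(plain).rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 0,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Assemble a minimal Access-Request with User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in (
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
    ):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def recover_credentials(packet: bytes, secret: bytes) -> Tuple[Optional[str], Optional[bytes]]:
    """Parse an Access-Request the way a server holding the shared secret does."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    pos, username, password = 20, None, None
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            username = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            password = unhide_password(value, secret, authenticator)
        pos += attr_len
    return username, password


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request("jimmy", "Pa55word!", secret, identifier=7)
    print("User-Password is masked on the wire:", pkt[20:].hex())
    print("server recovers:", recover_credentials(pkt, secret))
```

The practical reading for this setup: with PAP the user's actual password is present in the Access-Request, protected only by the RADIUS shared secret and by whatever carries the packet (here the site-to-site tunnel between the two ASAs), so a strong secret and a protected path are what you depend on. With MS-CHAPv2 the ASA never forwards the password itself, only a challenge/response, which is why it is the method to prefer once the tunnel-group is configured to support it.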

Hi Arnold,

Not sure what you are saying.  

I have two questions:  

1.  Can you connect using MS-CHAPv2 on all connections?
I've looked at the tunnel-group settings, and the NDS on 2008.
What did I overlook?

2.   If I can not use MS-CHAPv2, is my setup still secure with PAP, and why?



Hi Arnold,

The problem is that I have to enable PAP on the RADIUS server to get things to work. User login is as follows:

User in the field uses the Cisco VPN client to log in via ASA-Texas. ASA-Texas sends the request over a VPN tunnel to ASA-Kansas, which pushes it to the Windows RADIUS server attached to ASA-Kansas. It is Windows 2008. Here is the flow-down on the RADIUS server:

Server Manager > Roles > Network Policies and Access Services > NPS > Policies > "ConxToOtherServers" (my name for the conx)  > Constraints > Authentication Methods >

At this point I have several boxes I could check, including MS-Chap2 and PAP.  

When I select PAP, things work.
When I unselect PAP, things don't work.

After some research into the ASA, it specifically says that I have to use "password-management" to get MS-CHAP2 to work. I just found this out. Under my tunnel-group on the ASA, I have added the statement "password-management". This now forces me to enter a domain name on my VPN-client login, which I did not have to do in the past. Not sure where this domain name is from?

Any thoughts?

Presumably you have a site-to-site Texas-Kansas.
Does the Texas ASA actually generate a RADIUS request destined to the NPS in Kansas via the site-to-site? AAA configured on the Texas ASA with the NPS private IP in Kansas?
Puzzling why not use a local NPS in Texas.

Hi Arnold,

Yes, we use site-to-site, all authentication done in Kansas, using private IPs.

Looks like the tunnel-group > password-management commands on the ASA cleared the problem. NPS now says I am logging in via MS-CHAP2. The VPN client login still asks for a domain name, as well as the user name and password. If I leave the domain name blank, all is well. Can't figure that out, perhaps you have some insight?

I increased the points for this discussion to 500; truly appreciate the help. I'll keep fine-tuning it, but any other info on ASA/NPS/RADIUS would be appreciated.

Good work.

The VPN client prompts the user for username, password and domain?
That is the result of the password-management option.

When you use the AD domain, does it not validate?
That would suggest that your NPS configuration is where the RADIUS packet with the domain is denied.

Will check AD domain tomorrow; was only looking at Cisco domain. Good point.

Your NPS is likely set up to default to a domain when you had PAP; the additional domain entry might translate to domain\domain. You may need to strip the domain from the RADIUS packet, or ignore it.

The domain was not required until I added the password-management line to the tunnel-group attributes subsection. The line says:
password-management password change notification in 14 days.
I don't need the change notification and would like to eliminate it, but it seems to be part of the command.