Link to home
Start Free TrialLog in
Avatar of jimmycher
jimmycherFlag for United States of America

asked on

Do I need PAP for a Cisco ASA 5500 FW connecting into a Windows 2008 server, using radius protocol ?

We have an ASA that allows remote VPN users.  It connects to a Windows 2008 server.  That server connects to a radius server, also Windows 2008.  Things work fine if we enable PAP on the radius server, and the remote site server.   If we disable PAP on either one, we lose the ability to authenticate.   Is this unsafe ?
Avatar of arnold
Flag of United States of America image

Pap is a plain text method used to exchange credentials
User to asa within VPN.
Asa transmits radius packets to windows 2008 nds.
Avatar of jimmycher


Hi Arnold,

Not sure what you are saying.  

I have two questions:  

1.  Can you connect using MS-CHAPv2 on all connections?
I've looked at the tunnel-group settings, and the NDS on 2008.
What did I overlook?

2.   If I can not use MS-CHAPv2, is my setup still secure with PAP, and why?

Avatar of arnold
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Hi Arnold,

The problem is that I have to enable PAP on the Radius Server to get things to work.  User login is as follows:

User in the field users Cisco VPN client to login via ASA-Texas.   ASA-Texas sends the request over a VPN tunnel to ASA-Kansas, which pushes it to the Windows Radius server attached to ASA-Kansas.  It is Windows2008.   Here is the flow-down on the Radius Server:

Server Manager > Roles > Network Policies and Access Services > NPS > Policies > "ConxToOtherServers" (my name for the conx)  > Constraints > Authentication Methods >

At this point I have several boxes I could check, including MS-Chap2 and PAP.  

When I select PAP, things work.
When I unselect PAP, things don't work.

After some research into the ASA, it specifically says that I have to use "password-management" to get MS-CHAP2 to work.  I just found this out.   Under my tunnel-group on the ASA, I have added the statement "password-managment".   This now forces me to enter a domain name on my VPN-client login, which I did not have to do in the past.  Not sure where this domain name is from?

Any thoughts?
Presumably you have a site to site Texas-Kansas.
Does the Texas actually generate a radius request destined to the NPS in Kansas via the site-to-site? Aaa configured on Texas asa with NPS private IP in Kansas?
Puzzling why not use a local NPS in Texas.
Hi Arnold,

Yes, we use site-to-site, all authentication done in Kansas, using private IPs.

Looks like the tunnel-group > password-management commands on the ASA cleared the problem.  NPS now says I am logging in via MS-CHAP2.   The VPN client login still asks for a domain name, as well as the user name and password.   If I leave the domain name blank, all is well.   Can't figure that out, perhaps you have some insight??  

I increased the points for this discussion to 500; truly appreciate the help.   I'll keep fine tuning it, but any other info on ASA/NPS/Radius would be appreciated.
Good work.
The VPN client prompts the user for username, password and domain?
That is the result of the password-management option

When you use the AD domain, does it not validate?
That would suggest that your NPS configuration is where the radius packet with the domain is denied.
Will check AD domain tomorrow; was only looking at Cisco domain.  good point.
Your NPS. might is likely setup to dealt to domain when you had PAP, the additional domain entry might translate to doman\domain you may need to strip domain from the radius packet/ignore it.
The domain was not required until I added the Password-Management line to the tunnel-group attributes subsection.  The line says
password-management password change notification in 14 days.
I don't need the change notification, and would like to eliminate it, but it seems to be part of the command.