Do I need PAP for a Cisco ASA 5500 FW connecting into a Windows 2008 server, using the RADIUS protocol?

We have an ASA that allows remote VPN users.  It connects to a Windows 2008 server.  That server connects to a RADIUS server, also Windows 2008.  Things work fine if we enable PAP on the RADIUS server and the remote site server.   If we disable PAP on either one, we lose the ability to authenticate.   Is this unsafe?
jimmycherAsked:
arnoldCommented:
PAP is a plain-text method used to exchange credentials,
user to ASA, within the VPN.
The ASA transmits RADIUS packets to the Windows 2008 NDS.
0
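To make concrete what "plain text" means on the RADIUS leg, here is an added example (not code from the thread or from Cisco/Microsoft) of how a RADIUS client hides a PAP password in the User-Password attribute per RFC 2865 section 5.2, and how the server recovers it. The password, shared secret and Request Authenticator below are constructed sample values. The takeaway for the question asked: with PAP the password itself is sent to NPS, only obfuscated with an MD5 keystream derived from the shared secret, so its protection rests on the secret's strength and on the transport (here the ASA-to-NPS packets also travel inside the site-to-site IPsec tunnel); with MS-CHAPv2 only a challenge/response is sent, so NPS never sees the password.

```python
"""RFC 2865 section 5.2 User-Password hiding, written as an added example.

Encoding: pad the password with NULs to a multiple of 16 bytes, then for
each block compute b = MD5(secret + previous_cipher_block) and XOR it with
the block.  The first "previous block" is the 16-byte Request Authenticator
that the NAS (the ASA in the thread) puts in the Access-Request header.
"""
import hashlib
import secrets

BLOCK = 16
MAX_PASSWORD = 128  # RFC 2865: User-Password is at most 128 octets


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way a RADIUS client does before sending it."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= MAX_PASSWORD:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += cipher_block
        prev = cipher_block  # chaining: next keystream depends on this ciphertext
    return bytes(hidden)


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the RADIUS server (NPS) does with the same secret.

    Trailing NUL padding is stripped; a password that itself ends in NUL bytes
    is therefore not representable, which is a known limitation of the scheme.
    """
    if not hidden or len(hidden) % BLOCK != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        cipher_block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(cipher_block, keystream))
        prev = cipher_block
    return bytes(plain).rstrip(b"\x00")


def new_request_authenticator() -> bytes:
    """A NAS must generate a fresh, unpredictable authenticator per request;
    reusing one lets an observer XOR two hidden passwords together."""
    return secrets.token_bytes(BLOCK)


def demo() -> dict:
    """Round-trip a constructed sample and show what a wrong secret yields."""
    password = b"Secr3t!"                 # constructed sample password
    secret = b"constructed-shared-secret"  # constructed sample shared secret
    authenticator = bytes(range(BLOCK))   # fixed sample authenticator for reproducibility
    hidden = encode_user_password(password, secret, authenticator)
    return {
        "hidden_len": len(hidden),
        "recovered": decode_user_password(hidden, secret, authenticator),
        "wrong_secret": decode_user_password(hidden, b"wrong", authenticator),
        "hidden_contains_password": password in hidden,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The `wrong_secret` result illustrates the server-side check in the thread's setup: if the ASA and NPS shared secrets differ, NPS decodes garbage and rejects the user even though "PAP" is enabled on both sides.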
jimmycherAuthor Commented:
Hi Arnold,

Not sure what you are saying.  


I have two questions:  

1.  Can you connect using MS-CHAPv2 on all connections?
I've looked at the tunnel-group settings, and the NDS on 2008.
What did I overlook?

2.   If I cannot use MS-CHAPv2, is my setup still secure with PAP, and why?

Thanks.
0
arnoldCommented:
Your NDS server sits on a DC?
RADIUS authentication does not depend on either PAP or MS-CHAP.
Not sure how or why the ASA is connecting to a Windows 2008 server that is not an NDS server.


Not sure where you are disabling the PAP option.
Cannot visualize your setup/configuration from the ASA through NDS.

Usually, the ASA has a configured remote VPN, likely with xuser, that uses AAA with a RADIUS server (the NDS server) for auth and accounting.

Let me invert your question, what is troubling you that requires you to disable the PAP/MSCHAPv2?
0


jimmycherAuthor Commented:
Hi Arnold,

The problem is that I have to enable PAP on the RADIUS server to get things to work.  User login is as follows:

A user in the field uses the Cisco VPN client to log in via ASA-Texas.   ASA-Texas sends the request over a VPN tunnel to ASA-Kansas, which pushes it to the Windows RADIUS server attached to ASA-Kansas.  It is Windows 2008.   Here is the flow-down on the RADIUS server:

Server Manager > Roles > Network Policies and Access Services > NPS > Policies > "ConxToOtherServers" (my name for the conx)  > Constraints > Authentication Methods >

At this point I have several boxes I could check, including MS-Chap2 and PAP.  

When I select PAP, things work.
When I unselect PAP, things don't work.


After some research into the ASA, it specifically says that I have to use "password-management" to get MS-CHAP2 to work.  I just found this out.   Under my tunnel-group on the ASA, I have added the statement "password-management".   This now forces me to enter a domain name on my VPN-client login, which I did not have to do in the past.  Not sure where this domain name is from?

Any thoughts?
0
arnoldCommented:
Presumably you have a site to site Texas-Kansas.
Does the Texas ASA actually generate a RADIUS request destined to the NPS in Kansas via the site-to-site? AAA configured on the Texas ASA with the NPS private IP in Kansas?
Puzzling why not use a local NPS in Texas.
0
jimmycherAuthor Commented:
Hi Arnold,

Yes, we use site-to-site, all authentication done in Kansas, using private IPs.

Looks like the tunnel-group > password-management commands on the ASA cleared the problem.  NPS now says I am logging in via MS-CHAP2.   The VPN client login still asks for a domain name, as well as the user name and password.   If I leave the domain name blank, all is well.   Can't figure that out; perhaps you have some insight?

I increased the points for this discussion to 500; truly appreciate the help.   I'll keep fine tuning it, but any other info on ASA/NPS/Radius would be appreciated.
Regards,
0
jimmycherAuthor Commented:
Good work.
0
arnoldCommented:
The VPN client prompts the user for username, password and domain?
That is the result of the password-management option
https://supportforums.cisco.com/thread/230479

When you use the AD domain, does it not validate?
That would suggest that your NPS configuration is where the radius packet with the domain is denied.
0
jimmycherAuthor Commented:
Will check the AD domain tomorrow; was only looking at the Cisco domain.  Good point.
0
arnoldCommented:
Your NPS might be set up to default to a domain when you had PAP; the additional domain entry might translate to domain\domain. You may need to strip the domain from the RADIUS packet or ignore it.
0
jimmycherAuthor Commented:
The domain was not required until I added the Password-Management line to the tunnel-group attributes subsection.  The line says
password-management password change notification in 14 days.
I don't need the change notification, and would like to eliminate it, but it seems to be part of the command.
0