On Mar 6, 2017, at 7:55 AM, Lasse Odden <lasse.odden@gmail.com> wrote:
I've set up a two-factor athentication against our Cisco AnyConnect VPN with access-challenge (this works when I use PAP between Cisco and FreeRADIUS).
That's a common scenario.
But with the username and password being sent between the Cisco and the FreeRADIUS-server in cleartext I enabled "Password management" on the Cisco ASA, so it sends the password with MS-CHAPv2.
That's less common.
The Cisco ASA recieves the Challenge and promts for and challenge. When I type in the correct challenge the FreeRADIUS sends an Access-Accept, but the Cisco ASA won't allow it.
Then the Cisco is broken.
My question is if this is allowed by the standard or is it a bug on Cisco's side?
It's definitely allowed by the standard. But probably a situation where the Cisco people never thought about it, and never tried it. Alan DeKok.