Sending Access-Challenge instead of Access-Accept using MS-CHAPv2

Lasse Odden lasse.odden at gmail.com
Mon Mar 6 13:55:35 CET 2017


Hello!

This is my first post in the maillist (that have solved all of my earlier
problems), but now I'm not sure if my error is my mistake, Cisco's mistake
or FreeRADIUS's mistake.

I've set up a two-factor athentication against our Cisco AnyConnect VPN
with access-challenge (this works when I use PAP between Cisco and
FreeRADIUS).
But with the username and password being sent between the Cisco and the
FreeRADIUS-server in cleartext I enabled "Password management" on the Cisco
ASA, so it sends the password with MS-CHAPv2.

The authentication of the user works with MS-CHAPv2.

To make the FreeRADIUS send an challenge after the authentication of the
user I did this in sites-enabled/default:

authenticate {

....

        Auth-Type MS-CHAP {
                mschap
                challenge
        }

....
}


The Cisco ASA recieves the Challenge and promts for and challenge. When I
type in the correct challenge the FreeRADIUS sends an Access-Accept, but
the Cisco ASA won't allow it.

My question is if this is allowed by the standard or is it a bug on Cisco's
side?


Regards,
Lasse Odden


More information about the Freeradius-Users mailing list