Sending Access-Challenge instead of Access-Accept using MS-CHAPv2
Alan DeKok
aland at deployingradius.com
Mon Mar 6 14:54:03 CET 2017
On Mar 6, 2017, at 7:55 AM, Lasse Odden <lasse.odden at gmail.com> wrote:
> I've set up a two-factor authentication against our Cisco AnyConnect VPN
> with access-challenge (this works when I use PAP between Cisco and
> FreeRADIUS).
That's a common scenario.
> But with the username and password being sent between the Cisco and the
> FreeRADIUS-server in cleartext I enabled "Password management" on the Cisco
> ASA, so it sends the password with MS-CHAPv2.
That's less common.
> The Cisco ASA receives the Challenge and prompts for a challenge. When I
> type in the correct challenge the FreeRADIUS sends an Access-Accept, but
> the Cisco ASA won't allow it.
Then the Cisco is broken.
> My question is if this is allowed by the standard or is it a bug on Cisco's
> side?
It's definitely allowed by the standard. But probably a situation where the Cisco people never thought about it, and never tried it.
Alan DeKok.
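To make the exchange under discussion concrete, here is an added example (not code from the thread or from FreeRADIUS) of the server-side logic for the PAP case the poster says works: round one checks the password and answers with Access-Challenge carrying a State attribute, round two accepts only a request that echoes that State unchanged and carries the correct one-time code. The user names, passwords and codes are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed credential stores for the example (hypothetical user, not real data).
PASSWORDS = {"alice": "correct-horse"}   # first factor, checked in round 1
OTPS = {"alice": "482913"}               # second factor, checked in round 2

@dataclass
class Packet:
    code: str                     # Access-Request, Access-Challenge, Access-Accept, Access-Reject
    attrs: dict = field(default_factory=dict)

class ChallengeServer:
    """Two-round RADIUS authentication: password -> Access-Challenge -> OTP -> Access-Accept."""

    def __init__(self):
        self.pending = {}         # State value -> user awaiting an OTP

    def handle(self, req: Packet) -> Packet:
        user = req.attrs.get("User-Name")
        state = req.attrs.get("State")
        if state is None:
            # Round 1: no State means a fresh login. Check the first factor,
            # then ask for the second one instead of accepting outright.
            if PASSWORDS.get(user) != req.attrs.get("User-Password"):
                return Packet("Access-Reject")
            state = secrets.token_hex(16)          # opaque and unguessable
            self.pending[state] = user             # remember who we challenged
            return Packet("Access-Challenge",
                          {"State": state, "Reply-Message": "Enter your one-time code"})
        # Round 2: the NAS must echo State unchanged (RFC 2865 s5.24); it ties this
        # request to our earlier challenge. Pop it so a State value is usable only once.
        challenged_user = self.pending.pop(state, None)
        if challenged_user is None or challenged_user != user:
            return Packet("Access-Reject")         # unknown, replayed or mismatched State
        if not secrets.compare_digest(req.attrs.get("User-Password", ""), OTPS.get(user, "")):
            return Packet("Access-Reject")
        return Packet("Access-Accept")

def run_exchange(server: ChallengeServer, user: str, password: str, otp: str) -> list:
    """Drive the NAS side: send the password, then answer any challenge with the OTP.
    Returns the server's response codes in order."""
    codes = []
    resp = server.handle(Packet("Access-Request", {"User-Name": user, "User-Password": password}))
    codes.append(resp.code)
    if resp.code == "Access-Challenge":
        resp = server.handle(Packet("Access-Request", {"User-Name": user, "User-Password": otp,
                                                      "State": resp.attrs["State"]}))
        codes.append(resp.code)
    return codes
```

With MS-CHAPv2 the second round would carry MS-CHAP attributes rather than User-Password, which is exactly the step the poster's ASA does not complete.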
More information about the Freeradius-Users mailing list