Sending Access-Challenge instead of Access-Accept using MS-CHAPv2

Alan DeKok aland at
Mon Mar 6 14:54:03 CET 2017

On Mar 6, 2017, at 7:55 AM, Lasse Odden <lasse.odden at> wrote:
> I've set up a two-factor athentication against our Cisco AnyConnect VPN
> with access-challenge (this works when I use PAP between Cisco and
> FreeRADIUS).

  That's a common scenario.

> But with the username and password being sent between the Cisco and the
> FreeRADIUS-server in cleartext I enabled "Password management" on the Cisco
> ASA, so it sends the password with MS-CHAPv2.

  That's less common.

> The Cisco ASA recieves the Challenge and promts for and challenge. When I
> type in the correct challenge the FreeRADIUS sends an Access-Accept, but
> the Cisco ASA won't allow it.

  Then the Cisco is broken.

> My question is if this is allowed by the standard or is it a bug on Cisco's
> side?

  It's definitely allowed by the standard.  But probably a situation where the Cisco people never thought about it, and never tried it.

  Alan DeKok.

More information about the Freeradius-Users mailing list