If using the AuthLite RADIUS service

AuthLite's RADIUS service expects two-factor authentication requests to use the MS-CHAPv2 protocol, but there is no obvious way to turn this on in a Cisco ASA.

These instructions assume Cisco ASDM v6.2 but can be easily generalized by an IOS expert.

  • In the "AAA Server" configuration dialog for your RADIUS server, you should select the "Microsoft CHAPv2 Capable" checkbox. But this alone won't make the ASA use this protocol.
  • In the "Connection Profile" (tunnel group), navigate to Advanced -> General, and select "Enable password management". Even though we are not working with password reset/expiration at all, this setting is required in order to make the ASA use MS-CHAPv2.

If using the IAS/NPS plugin (AuthLite v1.2 or higher)

You don't need to worry about this-- you can simply use a PAP connection rule in IAS/NPS, since this is what most RADIUS clients expect.

The Cisco VPN client (unless grossly misconfigured) will be using IPsec so it is not necessary to use MS-CHAPv2. (In a basic PPTP tunnel, by contrast, MS-CHAPv2 must be used to protect the confidentiality of the passwords and secure the VPN tunnel.)