Posted by: Jason Tramer
ASA, CHAP, Cisco, Ipsec, L2TP, LDAP, PAP, PPTP, RA, Remote Access, ssl, VPN
So I configured my ASA to provide L2TP remote access VPN. I originally set it up with a local user database and it worked fine. After I decided to tie it in to LDAP so I could authenticate against Active Directory. I set up my LDAp integration and used the built-in test tool to make sure it worked, and it did. However every time I tried to log in with a AD account I got authentication failures. So I eventually gave up and placed a call with Cisco TAC and do you know what I found out? If you want to use LDAP authentication with L2TP RA vpn you have to use PAP because LDAP authentication isn’t supported with CHAP. The practical effect of this is that when your ASA sends the passwords to your DC it is in clear text.
Cisco kind of has you over the barrel when it comes to RA vpn. You could go with SSL vpn but the licences are hideously expensive. You could do IPSec vpn but they don’t have a 64 bit client nor are they planning on making one from what I heard. You could do L2TP but if you want LDAP integration you have to send passwords in clear text unless you set up LDAP over SSL. Not to mention that the ASA’s no longer even support PPTP.
It is more then a little annoying I have to say.