The ranting of an IT Professional

Nov 26 2009   10:40PM GMT

Cisco ASA L2TP issues with LDAP authentication

Jason Tramer

So I configured my ASA to provide L2TP remote access VPN. I originally set it up with a local user database and it worked fine. Afterwards I decided to tie it in to LDAP so I could authenticate against Active Directory. I set up my LDAP integration and used the built-in test tool to make sure it worked, and it did. However, every time I tried to log in with an AD account I got authentication failures. So I eventually gave up and placed a call with Cisco TAC, and do you know what I found out? If you want to use LDAP authentication with L2TP RA VPN you have to use PAP, because LDAP authentication isn’t supported with CHAP. The practical effect of this is that when your ASA sends the passwords to your DC they are in clear text.

Cisco kind of has you over the barrel when it comes to RA VPN. You could go with SSL VPN but the licences are hideously expensive. You could do IPSec VPN but they don’t have a 64-bit client, nor are they planning on making one from what I heard. You could do L2TP, but if you want LDAP integration you have to send passwords in clear text unless you set up LDAP over SSL. Not to mention that the ASAs no longer even support PPTP.

It is more than a little annoying, I have to say.
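A check for the condition described above, added here as an example and not part of the original post: it scans an ASA running-config for tunnel groups that offer PAP while authenticating against an LDAP server group whose hosts lack `ldap-over-ssl enable`. The sample config, group names and addresses are constructed placeholders.

```python
import re

# Constructed sample config (not from the post); names and addresses are placeholders.
SAMPLE = """\
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
aaa-server AD_LDAPS protocol ldap
aaa-server AD_LDAPS (inside) host 192.0.2.11
 ldap-over-ssl enable
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group AD_LDAP
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
tunnel-group Staff general-attributes
 authentication-server-group AD_LDAPS
tunnel-group Staff ppp-attributes
 authentication pap
"""

def audit(config):
    """Return (tunnel_group, server_group, host) where PAP feeds LDAP without SSL."""
    ldap_groups, hosts, tg_server, tg_pap = set(), {}, {}, set()
    ctx = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():              # top-level command opens a new context
            ctx = None
            if m := re.match(r"aaa-server (\S+) protocol ldap$", line):
                ldap_groups.add(m[1])
            elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line):
                ctx = ("host", m[1], m[2])
                hosts[(m[1], m[2])] = False    # False until ldap-over-ssl is seen
            elif m := re.match(r"tunnel-group (\S+) (general|ppp)-attributes$", line):
                ctx = (m[2], m[1])
            continue
        sub = line.strip()
        if ctx and ctx[0] == "host" and sub == "ldap-over-ssl enable":
            hosts[(ctx[1], ctx[2])] = True
        elif ctx and ctx[0] == "general" and sub.startswith("authentication-server-group "):
            # Skip an optional "(interface)" token and the LOCAL fallback keyword.
            tg_server[ctx[1]] = next((t for t in sub.split()[1:] if t[0] != "(" and t != "LOCAL"), None)
        elif ctx and ctx[0] == "ppp" and sub == "authentication pap":
            tg_pap.add(ctx[1])
    return sorted((tg, grp, host) for tg in tg_pap for (grp, host), tls in hosts.items()
                  if grp == tg_server.get(tg) and grp in ldap_groups and not tls)
```

Each returned triple names a tunnel group whose PAP-supplied passwords would travel from the ASA to that LDAP host unencrypted.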

1  Comment on this Post

  • Kryptoer
    When I first attempted to create a remote VPN configuration on a Cisco ASA with an L2TP/IPSEC config, I ran into similar problems as described in the post. However, after several weeks of work I eventually was able to configure an L2TP/IPSEC config that successfully supported MSCHAP V2 password encryption that authenticated against Active Directory. Basically native MS Windows VPN client on all platforms. The key pieces were that I used RADIUS on the ASA tunnel configuration and configured Microsoft Network Policy Server as a RADIUS server with group policies. The important configuration parameters that need to be enabled on the Cisco ASA follow. Hope this helps.

        tunnel-group DefaultRAGroup general-attributes
         address-pool remote_vpn_pool
         authentication-server-group RADIUS
         default-group-policy ragroup
         password-management
        tunnel-group DefaultRAGroup ppp-attributes
         authentication ms-chap-v2