VyOS + Radius + DUO + Active Directory Issue with MS-CHAPv2

I want to set up VyOS to act as our Remote VPN access appliance.

I currently have ipsec + l2tp configured to allow remote client VPN connections. Local authentication on the VyOS works great.

However, I want to enable radius authentication and point it to a DUO Radius Server that authenticates with Active Directory + DUO 2FA on the back end.

I have it all set up but am running into an issue. The log shown on the DUO radius server is this:

Primary credentials rejected - No password

I reached out to DUO support and this is what they said:

The “Primary credentials rejected - No password” error appears and Primary authentication will fail if the appliance has the Password Management feature enabled, as this causes the credentials to be sent in MS-CHAPv2. Our [Duo for Cisco Firepower] involves configuration of a Duo Authentication Proxy, which expects this data to be sent in PAP.

How can I configure VyOS to authenticate via Radius and:

  • Not send credentials in MS-CHAPv2
  • Send credentials in PAP

Thanks!

Maybe this can help you

vyos@vyos# set vpn l2tp remote-access authentication require
Possible completions:
   pap                  Require the peer to authenticate itself using PAP [Password Authentication Protocol].
   chap                 Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].
   mschap               Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].
   mschap-v2            Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2].
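To show why the Duo proxy logs "No password" when the NAS negotiates MS-CHAPv2, here is an added example (not code from VyOS, Duo or any poster in this thread) that builds two constructed RADIUS Access-Requests and reports whether the credential arrives as a PAP User-Password attribute or as Microsoft MS-CHAPv2 vendor-specific attributes. The attribute numbers come from RFC 2865 and RFC 2548; the sample user name, password and shared secret are made up.

```python
import hashlib
import struct

# Attribute numbers from RFC 2865 (RADIUS) and RFC 2548 (Microsoft VSAs).
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
MS_VENDOR_ID = 311
MS_ATTR_NAMES = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}


def avp(attr_type, value):
    """Encode one RADIUS attribute: type(1) length(1) value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def ms_vsa(ms_type, value):
    """Encode a Microsoft Vendor-Specific attribute (type 26, vendor id 311)."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + avp(ms_type, value))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: pad to 16 bytes, XOR each block with
    MD5(shared secret + previous block), seeded with the Request Authenticator.
    This is why a PAP request between NAS and RADIUS server is not literal cleartext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def access_request(attrs, authenticator):
    """Wrap attributes in an Access-Request header: code 1, identifier, length, authenticator."""
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + authenticator + attrs


def auth_method(packet):
    """Report which credential form the NAS sent. A proxy configured for PAP looks for
    User-Password; an MS-CHAPv2 request carries none of it, hence 'No password'."""
    found, pos = set(), 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:  # malformed attribute; stop rather than loop forever
            break
        value = packet[pos + 2:pos + length]
        if attr_type == USER_PASSWORD:
            found.add("User-Password")
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == MS_VENDOR_ID:
            found.add(MS_ATTR_NAMES.get(value[4], "MS-unknown"))
        pos += length
    if "User-Password" in found:
        return "pap"
    if "MS-CHAP2-Response" in found:
        return "mschapv2"
    return "none"
```

Between the Windows client and VyOS the PPP PAP exchange travels inside the IPsec tunnel, so the "Unencrypted password (PAP)" label in rasphone describes the PPP layer, not what is visible on the wire.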

Very helpful, thanks! I will test and report back with the results.

I was able to get it to work by running this VPN client EXE on the Windows client:

C:\Windows\System32\rasphone.exe

And setting Security → Allow these protocols → Unencrypted password (PAP) - CHECK THIS OPTION

However, from the description it seems that passwords will be sent clear text. No bueno. I am working with DUO to see if there is another workaround other than adding an NPS server in addition to the DUO Radius Proxy. I am trying to not get into an NPS install unless that is my only option.

As for VyOS, it seems to just be the middle man here and where I need to focus is on the VPN client settings and the DUO Radius Proxy and/or NPS if that ends up being the final solution.

Thanks again for your help!