BugZero | Cisco BugID CSCtr85499 - Radius MS-CHAPV2 with challenge fails w/ Invalid A...

Symptom

When a radius server is configured on ASA to use MS-CHAPv2 (mschapv2) and if the server after accepting the initial password, then provides a challenge (for example when using one time password), then ASA will fail the second authentication request with the following debug message: Invalid authenticator received. Failing authentication.

Conditions

* Radius authentication with ms-chapv2 enabled (ie. password management enabled on the tunnel-group) * Radius server sends challenge request * Radius server sends MS-CHAP2-Success attribute in final Access-Accept

Workaround

Disable ms-chapv2 on the ASA - but this will prevent radius password changes. Two options: 1) no password-mangement on the tunnel-group 2) no mschapv2-capable on the aaa-server configuration.

Cisco - Defect ID: CSCtr85499

Radius MS-CHAPV2 with challenge fails w/ Invalid Authenticator debug

Cisco - Defect ID: CSCtr85499

Radius MS-CHAPV2 with challenge fails w/ Invalid Authenticator debug

Last updated on March 7th, 2024

BugZero Risk Score
6.2 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects

Ready to prevent the next vendor outage?

Cisco - Defect ID: CSCtr85499

Radius MS-CHAPV2 with challenge fails w/ Invalid Authenticator debug

Cisco - Defect ID: CSCtr85499

Radius MS-CHAPV2 with challenge fails w/ Invalid Authenticator debug

Last updated on March 7th, 2024

BugZero Risk Score6.2 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
6.2 Medium