L2TP: iOS is using CHAP (or MD5-CHAP) as its authentication method instead of MS-CHAPv2

I am responsible for integrating iOS VPN L2TP connectivity into our environment.



I refer you to the Enterprise Deployment Guide: http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf


On page 10 it is stated "L2TP/IPSec with user authentication by MS-CHAPV2 Password".


However, in my testing I have found that iOS is using CHAP (or MD5-CHAP) as its authentication method instead of MS-CHAPv2.


Are my findings correct?



Let me provide evidence as to why I have come to this conclusion.


My firewall device is a SonicWALL TZ210.


I have a Windows 2008 R2 server with the Network Policy Server (NPS) role installed and configured. This is my RADIUS server. It is configured to accept the authentication methods MS-CHAP (v1) or MS-CHAP-v2.


The TZ210 uses the NPS RADIUS server to authenticate users connecting to an L2TP VPN.



To test that this configuration is working as expected, I configured Windows XP with an L2TP VPN connection. It doesn't require certificates; it just requires the shared-secret option to be selected and the protocol to be MS-CHAPv2.


With the Windows XP machine I am able to connect using the L2TP VPN.



To confirm the authentication method that is being sent to the TZ210, I typed my password incorrectly. Here is the output from the TZ210:

  • Info L2TP Server L2TP Server : L2TP Session Established. yyy.yyy.yyy.yyy, 1701 xxx.xxx.xxx.xxx, 1701 LocalSessionID=0xbf67, RemoteSessionId=0x1
  • Info PPP PPP: Starting CHAP authentication
  • Info Remote Authentication User login denied - RADIUS authentication failure yyy.yyy.yyy.yyy, 0, X1 (testuser) xxx.xxx.xxx.xxx, 0, X1 testuser, TCP Port: 0
  • Info PPP PPP: MS-CHAP authentication failed - check username / password
  • Info L2TP Server L2TP Server: RADIUS/LDAP reports Authentication Failure yyy.yyy.yyy.yyy, 1701 (testuser) xxx.xxx.xxx.xxx, 1701 Host Name :XPPro, User Name :testuser, Auth Algorithm :MS-CHAP



Specifically, I want to highlight, on the last line, "Auth Algorithm :MS-CHAP".
The NPS RADIUS server shows this as MS-CHAPv2.




Now a test from the iPad trying to establish an L2TP VPN. Here is the output from the TZ210:

  • Info L2TP Server L2TP Server : L2TP Session Established. zzz.zzz.zzz.zzz, 50611 xxx.xxx.xxx.xxx, 1701 LocalSessionID=0x9d71, RemoteSessionId=0x19e
  • Info PPP PPP: Starting CHAP authentication
  • Info Remote Authentication User login denied - RADIUS authentication failure zzz.zzz.zzz.zzz, 0, X1 (testuser) xxx.xxx.xxx.xxx, 0, X1 testuser, TCP Port: 0
  • Info PPP PPP: CHAP authentication failed - check username / password
  • Info L2TP Server L2TP Server: RADIUS/LDAP reports Authentication Failure zzz.zzz.zzz.zzz, 50611 (testuser) xxx.xxx.xxx.xxx, 1701 Host Name :, User Name :testuser, Auth Algorithm :MD5 CHAP



Specifically, I want to highlight, on the last line, "Auth Algorithm :MD5 CHAP".
The 2008 NPS server shows this as MD5-CHAP.



I would also like to draw your attention to this link: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6579
It shows you how to configure the VPN on the iPhone. The last screenshot is taken from the logs on the SonicWALL device. If you squint enough or zoom in on the image, you can see in their example that the Auth Algorithm is MD5 CHAP.



I understand that I can modify user account attributes to store the user passwords using reversible encryption in Active Directory, as per the following link: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7170&formaction=faqalert
Clearly this isn't the preferred method.




So, to restate my findings:
In my testing I have found that iOS is using CHAP (or MD5-CHAP) as its authentication method instead of MS-CHAPv2.



Question 1:
Are my findings correct? Is the Enterprise Deployment Guide incorrect?



Question 2:
How can I make iOS communicate using MS-CHAPv2?



I have been testing on an iPad 4.3.3.

iPad, iOS 4.3.2

Posted on May 17, 2011 9:27 PM


May 25, 2011 8:13 PM in response to Box293

OK, so it appears that the SonicWALL is the cause of the problem.


I connected my NPS/RRAS server directly to the internet to completely remove the SonicWALL from the equation. The iPad/iPhone is then able to connect to the NPS/RRAS server and the NPS/RRAS server identifies the authentication type as MS-CHAPv2.


Now I have the evidence I need to log a case with SonicWALL.

Thanks, everyone, for your help and suggestions 😝

Jun 2, 2011 6:58 PM in response to Revb0b

Two days ago I had the SonicWALL support person connect remotely and take some packet captures of the problem. When looking at the packet captures, they indicated that they saw the iPhone trying to connect as MD5-CHAP. I persisted in telling them that when it connects to the NPS server with only MS-CHAPv2 authentication enabled it works fine. So they took some packet captures from the NPS server (directly connected to the internet, no SonicWALL in the path).


I am waiting to hear back from them.


Please feel free to quote my Case Number 01592411. It may help us get a quicker resolution to the problem.

Jun 28, 2011 5:17 PM in response to Box293

The latest update from SonicWALL is as follows:


I had configured a RADIUS server with CHAPv2 in the lab here. I tried connecting with a Windows L2TP client and it connects fine. When I tried with an iPhone 4, it was not connecting. We are researching this issue with the help of a senior tech. I will update the case once we have a solution.


So this confirms that they can replicate the problem.

Jul 11, 2011 7:59 AM in response to Box293

Box293,


I too have had a case open with SonicWALL on this issue for about a month. They also performed packet captures and concluded that the iOS device only uses CHAP, whereas Apple says otherwise. They were going to close the case, but I called back to have them keep it open. I have not tried to connect directly to the NPS server yet, but will try to set something up.


I reread your thread above and see you directly attached your NPS server. I think I'll set up a 1-to-1 NAT for testing, though I'm not sure how I'll accomplish the packet captures on the NPS. What did they use?


EDIT: Totally missed that you had posted your case number. I'm adding it to my SonicWALL case notes now. My case number, in case you want to use it, is 1598713.


Message was edited by: Revb0b

Jul 17, 2011 5:32 PM in response to Revb0b

Here is the latest update from SonicWALL:


The cause of this issue is the firewall's generated PPP LCP Configuration Request. The firewall is requesting MD5 CHAP. The client doesn't require the use of MS-CHAPv2, so as long as the proposed authentication method is one that is supported by iOS (MS-CHAPv2, MS-CHAP, CHAP, or PAP), the iOS device will accept the authentication method and move forward in the PPP LCP negotiation process. Engineering is working on addressing the issue. There is currently no ETA for firmware that addresses this issue. I will contact you regarding this ticket as soon as new information from our Engineering team is available.


Case Status: Waiting On Engineering (DTS # 83508)
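The SonicWALL explanation above means the method the client ends up using is whatever the server side puts in its LCP Configure-Request. Here is an added Python example (not code from the thread, from SonicWALL or from Apple) that decodes the Authentication-Protocol option from a captured PPP LCP Configure-Request so you can verify from a packet capture what the firewall actually proposes; the sample packets are constructed, and the option encodings follow RFC 1661, RFC 1994, RFC 2433 and RFC 2759.

```python
import struct

# PPP LCP Configure-Request code (RFC 1661) and the Authentication-Protocol option type
LCP_CONFIGURE_REQUEST = 1
OPT_AUTH_PROTOCOL = 3

# Authentication protocol numbers and CHAP algorithm bytes (RFC 1334/1994/2433/2759)
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
CHAP_ALGORITHMS = {0x05: "MD5-CHAP", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}

# Constructed sample Configure-Requests (not captured from any real device):
# code=1, id, length, then options. The first also carries an MRU option (type 1).
SAMPLE_MD5_CHAP = bytes.fromhex("0101000d" "010405dc" "0305c22305")
SAMPLE_MSCHAPV2 = bytes.fromhex("01020009" "0305c22381")
SAMPLE_PAP = bytes.fromhex("01030008" "0304c023")


def parse_lcp(packet: bytes):
    """Return (code, [(option_type, option_data), ...]), validating every length field."""
    if len(packet) < 4:
        raise ValueError("LCP packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("LCP length field inconsistent with packet")
    options, offset = [], 4
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = packet[offset], packet[offset + 1]
        if opt_len < 2 or offset + opt_len > length:
            raise ValueError("bad option length")
        options.append((opt_type, packet[offset + 2:offset + opt_len]))
        offset += opt_len
    return code, options


def proposed_auth_method(packet: bytes):
    """Name the authentication method a PPP peer proposes in its Configure-Request,
    or None when the peer does not ask the other side to authenticate at all."""
    code, options = parse_lcp(packet)
    if code != LCP_CONFIGURE_REQUEST:
        raise ValueError("not a Configure-Request")
    for opt_type, data in options:
        if opt_type != OPT_AUTH_PROTOCOL or len(data) < 2:
            continue
        proto = AUTH_PROTOCOLS.get(struct.unpack("!H", data[:2])[0], "unknown")
        if proto == "CHAP":  # CHAP carries one extra byte naming the algorithm
            if len(data) != 3:
                raise ValueError("CHAP option must carry exactly one algorithm byte")
            return CHAP_ALGORITHMS.get(data[2], "CHAP (unknown algorithm 0x%02x)" % data[2])
        return proto
    return None


def proposal_meets_policy(packet: bytes, required: str = "MS-CHAPv2") -> bool:
    """True when the server's Configure-Request proposes the method your policy requires."""
    return proposed_auth_method(packet) == required
```

Run `proposal_meets_policy()` over the server-to-client Configure-Request from a capture taken on the VPN concentrator side; a result of False with `proposed_auth_method()` returning "MD5-CHAP" is exactly the symptom described in this thread.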

Jul 21, 2011 10:11 PM in response to Box293

Received a beta firmware from SonicWALL today that allows you to change the order in which the firewall proposes authentication protocols, so you can set MS-CHAPv2 as the first protocol to use. With this change, iOS devices connect and negotiate MS-CHAPv2 instead of CHAP.


I tested the firmware and it worked. Great stuff.


The official firmware with this fix will be 5.8.1.1 when it is released.


Here is the KB article that explains the problem and the fix.


https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=9013
