Onboard Cisco AnyConnect IKEv2 to PrivacyIdea

Hi all,

we are currently running IKEv2 IPsec VPN against a Cisco Router.
As client we used in the passed the Windows integrated VPN client without an issue.
Radius was a NPS on WIndows 2016.

Unfortunatly this Windows does not support PAP authentication for IKEv2.

So we switched to Cisco AnyConnect Client and are still able to login to IKEv2 with EAP-MSCHAPv2.
But as soon as we switch the radius on the router to PrivacyIdea we can’t login, even with PIN+OTP.
I estimate cause the password is still sent via MSCHAPv2,

so my questions are:

  1. how to check, if PAP or MSCHAPv2 is used from router to radius?
  2. imho this is always a setting on the VPN-client, cause cisco want’s to modify the router-config
  3. does someone have a hint howto onboard IKEv2 to PrivacyIdea?


yes, privacyIDEA with OTP only supports PAP.

Run the freeradius server in debug mode:

freeradius -X

The RADIUS client (i.e. the VPN server) will define the RADIUS attributes used.