AuthLite's RADIUS service expects two-factor authentication requests to use the MS-CHAPv2 protocol, but there is no obvious way to turn this on in a Cisco ASA.
These instructions assume Cisco ASDM v6.2 but can be easily generalized by an IOS expert.
- In the "AAA Server" configuration dialog for your RADIUS server, you should select the "Microsoft CHAPv2 Capable" checkbox. But this alone won't make the ASA use this protocol.
- In the "Connection Profile" (tunnel group), navigate to Advanced -> General, and select "Enable password management". Even though we are not working with password reset/expiration at all, this setting is required in order to make the ASA use MS-CHAPv2.