Device Authentication and PPP Auth

chrisallen
Level 1

We recently enabled AAA on all our routers for device authentication and authorization. When we did this it broke our async dial backup on some of our routers. Basically, as soon as you enable aaa new-model, the behavior of PPP authentication changes. Below is the configuration. What I want to do is to have AAA enabled on the router for telnet and console, but have the PPP dialup connection continue to use the configured username and password.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands
!
interface Async2
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 dialer-group 2
 async default routing
 async mode interactive
 ppp authentication chap callin
!
interface Dialer2
 ip unnumbered Loopback0
 encapsulation ppp
 dialer pool 2
 dialer redial interval 30 attempts 5 re-enable 300
 dialer string xxxxx
 dialer-group 2
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname WESLEYTESTING-REMOTEATM
 ppp chap password passhere

Any help is appreciated....

5 Replies

gfullage
Cisco Employee

Try adding the following:

aaa authentication ppp default local

I have tried this... It still doesn't seem to use the following commands:

ppp chap hostname WESLEYTESTING-REMOTEATM

ppp chap password passhere

It will only use the hostname of the router??? Any ideas?

Another development... I didn't realize this before, but when I do debug ppp negotiation, it appears it is using PAP authentication instead of CHAP. So I put in a PAP username and password and then it worked??? So really my problem is that once I enable aaa new-model, the router now ignores the ppp authentication chap command???

Hi there,

If that's the case, you may want to try the following: enable both CHAP and PAP:

ppp authentication chap pap

It's just a wild guess.

Marc

Even though CHAP is more secure than PAP, it causes problems when you are authenticating on a TACACS+ server. The essential problem is that CHAP does not send the password; it sends an authentication block which is generated from the password. If you are authenticating on the router, then the router can do the same calculation and compare results to see if the correct password is used. But when the router needs to send the password that was entered to the TACACS+ server for authentication, there is a serious problem, because the router does not have the password which was entered.

The solution is to use PAP, because PAP does transmit the password which was originally entered, and thus the router can send the password to the TACACS+ server for authentication.

HTH

Rick
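Editor's note: the configuration below is an added example, not a config posted in this thread, and not a Cisco-published one. It combines gfullage's aaa authentication ppp suggestion with Marc's chap pap and the PAP credentials the original poster reported working, using a named method list so that the default login and enable lists keep going to TACACS+ while PPP peers are checked locally. Two things are worth separating: aaa authentication ppp and the list applied with ppp authentication govern how this router authenticates a calling peer, whereas ppp chap hostname / ppp chap password and ppp pap sent-username are the credentials this router presents when the far end authenticates it, and they are not touched by any AAA list. The list names DIALUP-LOCAL and DIALUP-TACACS, the username REMOTE-PEER and its secret are placeholders chosen for the example. One caveat on Rick's reply: a RADIUS or TACACS+ server that stores the peer's password in cleartext can verify CHAP itself, because the router forwards the challenge and the peer's response rather than a password, so the PAP workaround is only needed when the server cannot do that.

```cisco
! Added example configuration (not from the thread). Placeholders are marked.
aaa new-model
! Login, enable, authorization and accounting stay on TACACS+ (as in the original).
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands
!
! Named PPP method list: only consulted on interfaces that reference it,
! so the "default" lists above are unchanged. (list name is a placeholder)
aaa authentication ppp DIALUP-LOCAL local
!
! Alternative, per Rick's reply: check calling peers against TACACS+ and fall
! back to local if the server is unreachable. Pair it with PAP on the
! interface if the server cannot verify CHAP responses.
! aaa authentication ppp DIALUP-TACACS group tacacs+ local
!
! Local account the calling peer must present (name and secret are placeholders).
username REMOTE-PEER password 0 peer-secret
!
interface Async2
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 dialer-group 2
 async default routing
 async mode interactive
 ! Authenticate calling peers only, offering CHAP then PAP, via the local list.
 ppp authentication chap pap DIALUP-LOCAL callin
!
interface Dialer2
 ip unnumbered Loopback0
 encapsulation ppp
 dialer pool 2
 dialer redial interval 30 attempts 5 re-enable 300
 dialer string xxxxx
 dialer-group 2
 no cdp enable
 ppp authentication chap pap DIALUP-LOCAL callin
 ! Credentials this router presents when the far end authenticates it.
 ! CHAP: used to answer the peer's challenge.
 ppp chap hostname WESLEYTESTING-REMOTEATM
 ppp chap password 0 passhere
 ! PAP: sent only if the peer negotiates PAP (what debug ppp negotiation showed
 ! in the thread); without this line a PAP request from the peer fails.
 ppp pap sent-username WESLEYTESTING-REMOTEATM password 0 passhere
```

To check which list an interface actually uses, show running-config interface Async2 should show the list name after the protocols; debug ppp authentication will show whether the peer requested CHAP or PAP and which method list answered. Keep the cleartext passwords out of the running config where possible with service password-encryption (type 7 is only obfuscation, but it stops shoulder-surfing of show run).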