
ppp authentication failure - help!!!!!!!!!!

mary_odriscoll
Level 1

I have 1 site dialling into another site on backup and I cannot get the ppp part working. Debug output shows the following:-

Apr 1 13:52:19.533 GMT: BR2/0:1 LCP: State is Open

Apr 1 13:52:19.537 GMT: BR2/0:1 PPP: Phase is AUTHENTICATING, by both

Apr 1 13:52:19.537 GMT: BR2/0:1 CHAP: Using alternate hostname CWBackup

Apr 1 13:52:19.537 GMT: BR2/0:1 CHAP: O CHALLENGE id 58 len 29 from "CWBackup"

Apr 1 13:52:19.553 GMT: BR2/0:1 CHAP: I CHALLENGE id 105 len 30 from "VDBF_RATH"

Apr 1 13:52:19.553 GMT: BR2/0:1 CHAP: Using alternate hostname CWBackup

Apr 1 13:52:19.553 GMT: BR2/0:1 CHAP: O RESPONSE id 105 len 29 from "CWBackup"

Apr 1 13:52:19.585 GMT: BR2/0:1 CHAP: I FAILURE id 105 len 26 msg is "Authentication failure"

However, I have been through the 2 router configs (NMC3640 and VDBF 2) with a fine tooth-comb and can still see no problem, please see attached:-

NMC3640 - 1NMC3640

hostname NMC3640

!

boot system flash slot0:c3640-jo3s56i-mz.121-13.bin

boot system flash 1207TIPPLUS.bin

logging buffered 4096 debugging

enable secret xxxxx

!

username xxxxxx password xxxxxxx

!

interface BRI2/0

description ISDN backup for SNMP Management **ISDN 01-4046834-35,OldSwRmP1**

no ip address

no ip unreachables

no ip proxy-arp

encapsulation ppp

dialer pool-member 1

dialer pool-member 2

isdn switch-type basic-net3

ppp authentication chap

!

interface Dialer1

description "ISDN SNMP Bkup FOR Vanden-Burgh,isdn:4046834-5/OldSwPrt1/"

ip address 193.154.4.30 255.255.255.252

no ip unreachables

no ip proxy-arp

encapsulation ppp

ip policy route-map Eth3/0

dialer pool 1

dialer remote-name VDBF_RATH

dialer idle-timeout 300

dialer string 2051200

dialer max-call 2

dialer-group 1

pulse-time 0

no cdp enable

ppp authentication chap

ppp chap hostname CWBackup

ppp chap password 7 060A0A715C4F1B1D

VDBF -RATH

hostname VDBF_RATH

!

boot system flash c3640-i-mz.122-2.T.bin

logging buffered 10000 debugging

logging rate-limit console 10 except errors

no logging console

aaa new-model

aaa group server radius SHANE

!

aaa authentication login default group radius

aaa authentication login auth_off none

aaa authentication login ACE group radius local

aaa authentication ppp default group radius

aaa authentication ppp ACE group radius

aaa authentication ppp DEPOT local

enable secret xxxxx.

enable password xxxx

!

username xxxx password xxxx

!

controller E1 1/0

framing NO-CRC4

pri-group timeslots 1-31

!

interface Serial1/0:15

description ISDN PRI

ip unnumbered FastEthernet0/0

encapsulation ppp

dialer pool-member 1

isdn switch-type primary-net5

isdn incoming-voice modem

no peer default ip address

no fair-queue

no cdp enable

ppp authentication chap one-time

ppp multilink

!

interface Dialer8

description ISDN Backup

ip address 193.154.4.29 255.255.255.252

encapsulation ppp

dialer pool 1

dialer remote-name CWBackup

dialer idle-timeout 500

ppp authentication chap DEPOT

!

3 Replies

rjackson
Level 5

Make sure there are no spaces at the end of the passwords on the username statements.

mark-obrien
Level 4

Mary,

Your CHAP password on Dialer1 of NMC3640 is encrypted. VDBF_RATH is expecting to see the password le0pard from CWBackup. Have you verified that le0pard is the password being sent by NMC3640? I would eliminate the CHAP password from the Dialer1 interface configuration, make sure that the "username VDBF_RATH password" command includes the password "le0pard" and try a call again. I know that the password in the dialer interface shouldn't be sent when the router knows the peer that is sending a challenge, but you never know...

Of course, don't forget to change all passwords after this is operational.

HTH

Mark

tepatel
Cisco Employee

You are using two-way CHAP here, meaning both the routers will challenge each other. So in that case the usernames presented by the two routers during CHAP authentication can be different but the passwords should be the same. I can see (by decoding the hex numbers in the password) that the password is le0pard, but you need to make sure that VDBF_RATH uses that password. So to fix that issue you need to enter the following commands under interface dialer 8 on the VDBF_RATH router:

ppp chap hostname VDBF_RATH

ppp chap password le0pard

With that it should work fine.

OR

===

You can just use one-way CHAP by using "ppp authentication chap callin" under "interface Dialer1" on the NMC3640 router. With that command it should work too.
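Added example, not part of any reply in this thread and not Cisco code: a small Python model of the CHAP check from RFC 1994 (response = MD5 of identifier, secret, challenge), showing why the secret stored for the peer's name must match byte for byte, including the trailing-space case raised above. The secret is a constructed sample value, and the `Authenticator` class and `dial` helper are hypothetical names used only for this illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over identifier octet || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """The side that sends the CHALLENGE and checks the RESPONSE."""
    def __init__(self, hostname: str, users: dict):
        self.hostname = hostname   # name placed in the CHALLENGE packet
        self.users = users         # models local "username <peer> password <secret>" lines
        self.pending = {}          # identifier -> outstanding challenge value

    def challenge(self, ident: int):
        self.pending[ident] = os.urandom(16)
        return ident, self.pending[ident], self.hostname

    def verify(self, ident: int, peer_name: str, response: bytes) -> str:
        value = self.pending.pop(ident, None)
        secret = self.users.get(peer_name)   # looked up by the name in the RESPONSE
        if value is None or secret is None:
            return "FAILURE"
        expected = chap_response(ident, secret, value)
        return "SUCCESS" if hmac.compare_digest(expected, response) else "FAILURE"

def dial(auth: Authenticator, ident: int, peer_name: str, peer_secret: bytes) -> str:
    """One direction of CHAP: auth challenges, the peer answers with its own secret."""
    ident, value, _name = auth.challenge(ident)
    return auth.verify(ident, peer_name, chap_response(ident, peer_secret, value))

# Constructed sample secret, not a password from the thread.
SECRET = b"example-secret"
def run_demo() -> dict:
    called = Authenticator("VDBF_RATH", {"CWBackup": SECRET})
    calling = Authenticator("CWBackup", {"VDBF_RATH": SECRET})
    spaced = Authenticator("VDBF_RATH", {"CWBackup": SECRET + b" "})
    return {
        "VDBF_RATH checks CWBackup": dial(called, 105, "CWBackup", SECRET),
        "CWBackup checks VDBF_RATH": dial(calling, 58, "VDBF_RATH", SECRET),
        "stored secret has trailing space": dial(spaced, 105, "CWBackup", SECRET),
        "peer name not in user list": dial(called, 106, "NMC3640", SECRET),
    }

if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

Both directions succeed only when each side holds the same secret under the name the other side presents; the last two cases return FAILURE, which is all the peer reports in the "I FAILURE" debug line.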
