Our RAS users dial in to an AS5200 and are authenticated by a RADIUS (IAS) server running Windows 2000. When I use PAP authentication everything works fine, but when I instead configure "ppp authentication ms-chap" the users are no longer able to connect. The IAS log indicates that an incorrect username or password had been supplied.
The client is set up to use MS-CHAP authentication and the IAS policy allows users to authenticate with both MS-CHAP and PAP.
Please find below the error message on the IAS and a few lines of debug:
User testuser was denied access.
Fully-Qualified-User-Name = REMOTE\testuser
NAS-IP-Address = 192.168.100.100
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = xxxxxxxxx
Client-Friendly-Name = AS5200
Client-IP-Address = 192.168.100.100
NAS-Port-Type = Async
NAS-Port = 11
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv1
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password.
Jun 19 11:21:17.541 CET: RADIUS: Received from id 128 10.10.10.10:1645, Access-Reject, len 42
Jun 19 11:21:17.553 CET: As11 CHAP: Unable to validate Response. Username testuser: Authentication failure
Jun 19 11:21:17.557 CET: As11 MS-CHAP: O FAILURE id 2 len 18 msg is "BE=691 R=0 V=3"
Does anyone have an idea of what could be wrong?
Thanks in advance for your help!
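An added example, not part of the original thread: a small Python parser for the MS-CHAP failure string in the debug output posted above, using the E/R/C/V field layout and error codes from RFC 2433. The function names are hypothetical; the two sample lines are copied from the post.

```python
import re

# Failure codes defined for the MS-CHAP Failure packet in RFC 2433.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Cisco debug line carrying the failure string (format as posted above).
LINE_RE = re.compile(
    r'(?P<intf>\S+) MS-CHAP: O FAILURE id (?P<id>\d+) len \d+ msg is "(?P<msg>[^"]*)"')
# RFC 2433 layout: E=<code> R=<0|1> [C=<16 hex digits>] [V=<version>]. Searched,
# not anchored, so the character printed before "E=" above is tolerated.
FIELDS_RE = re.compile(
    r"E=(?P<e>\d+)\s+R=(?P<r>[01])"
    r"(?:\s+C=(?P<c>[0-9A-Fa-f]{16}))?(?:\s+V=(?P<v>\d+))?")

def parse_failure_message(msg):
    """Decode the E/R/C/V fields of an MS-CHAP failure message string."""
    m = FIELDS_RE.search(msg)
    if m is None:
        raise ValueError("not an MS-CHAP failure message: %r" % msg)
    code = int(m["e"])
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m["r"] == "1",
        "challenge": m["c"],  # optional new challenge, None when absent
        "version": int(m["v"]) if m["v"] else None,
    }

def parse_debug_line(line):
    """Return decoded failure info for an MS-CHAP FAILURE debug line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    info = parse_failure_message(m["msg"])
    info.update(interface=m["intf"], packet_id=int(m["id"]))
    return info

# Two of the debug lines from the post above.
DEBUG_LINES = [
    'Jun 19 11:21:17.553 CET: As11 CHAP: Unable to validate Response. Username testuser: Authentication failure',
    'Jun 19 11:21:17.557 CET: As11 MS-CHAP: O FAILURE id 2 len 18 msg is "BE=691 R=0 V=3"',
]
```

For the posted line this yields code 691 (ERROR_AUTHENTICATION_FAILURE) with retry not allowed, which matches the IAS Reason-Code 16 event: the server rejected the credentials rather than the protocol or the dial-in permission.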
How is your RADIUS server authenticating - by a local database or through an external database, such as Windows NT? If it is external, the RADIUS server will not be able to convert the hash it receives from the router to the user's password and cannot authenticate.
The RADIUS server (IAS) uses the Active Directory database (Windows 2000) to authenticate the users. Does that mean there is no way of using ms-chap to authenticate?
Better late than never, I suppose. I assume you have already solved it anyway. I write this reply just in case others find it in a search of the database. You need to check the box in IAS for reverse encryptable passwords. Then reset the user password to store it again in the new format.
Check the following URL. You will find a complete guide indicating how to configure IAS/RADIUS 802.1x client on Windows XP and FOUNDRY Networks Switch, all to support 802.1x and dynamic VLAN.
Curiously, the Foundry CLI is very similar to the Cisco CLI (!!!)
Hope it helps.