astrand
Beginner

Problems using ms-chap authentication with AS5200 and RADIUS (IAS)

Hi,

Our RAS users dial in to an AS5200 and are authenticated in a RADIUS (IAS) server running Windows 2000. When I use PAP authentication everything is working fine, but when I instead configure "ppp authentication ms-chap" the users are no longer able to connect. The IAS log indicates that an incorrect username or password had been supplied.

The client is set up to use MS-CHAP authentication and the IAS policy allows users to authenticate both with ms-chap and pap.

Please find below the error message on the IAS and a few lines of debug:

User testuser was denied access.

Fully-Qualified-User-Name = REMOTE\testuser

NAS-IP-Address = 192.168.100.100

NAS-Identifier = <not present>

Called-Station-Identifier = <not present>

Calling-Station-Identifier = xxxxxxxxx

Client-Friendly-Name = AS5200

Client-IP-Address = 192.168.100.100

NAS-Port-Type = Async

NAS-Port = 11

Policy-Name = <undetermined>

Authentication-Type = MS-CHAPv1

EAP-Type = <undetermined>

Reason-Code = 16

Reason = There was an authentication failure because of an unknown user name or a bad password.

Jun 19 11:21:17.541 CET: RADIUS: Received from id 128 10.10.10.10:1645, Access-Reject, len 42

Jun 19 11:21:17.553 CET: As11 CHAP: Unable to validate Response. Username testuser: Authentication failure

Jun 19 11:21:17.557 CET: As11 MS-CHAP: O FAILURE id 2 len 18 msg is "BE=691 R=0 V=3"

Does anyone have an idea of what could be wrong?

Thanks in advance for your help!

Regards,

Harald
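
Added example, not part of the original thread: a small Python triage script that correlates the three debug lines quoted in the post above and splits the MS-CHAP Failure message into the E (error code), R (retry flag), C (challenge) and V (version) fields described in RFC 2433. The function names and regular expressions are assumptions written for this debug format.

```python
import re

# MS-CHAP Failure error codes as listed in RFC 2433.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}
RADIUS_RE = re.compile(r"RADIUS: Received from id \d+ \S+ (Access-\w+)")
CHAP_RE = re.compile(r"(\S+) CHAP: Unable to validate Response\. Username (\S+):")
FAIL_RE = re.compile(r'(\S+) MS-CHAP: O FAILURE id \d+ len \d+ msg is "([^"]*)"')
# Unanchored on purpose: the message in the post starts with an extra
# character before "E=", which is skipped rather than interpreted.
FIELD_RE = re.compile(r"([ERCV])=(\w+)")

# The three debug lines quoted in the post above.
SAMPLE_DEBUG = [
    "Jun 19 11:21:17.541 CET: RADIUS: Received from id 128 10.10.10.10:1645, Access-Reject, len 42",
    "Jun 19 11:21:17.553 CET: As11 CHAP: Unable to validate Response. Username testuser: Authentication failure",
    'Jun 19 11:21:17.557 CET: As11 MS-CHAP: O FAILURE id 2 len 18 msg is "BE=691 R=0 V=3"',
]

def parse_failure_message(msg):
    """Split an MS-CHAP Failure message into its E/R/C/V fields."""
    f = dict(FIELD_RE.findall(msg))
    code = int(f["E"]) if "E" in f else None
    return {
        "error_code": code,
        "error_name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": f.get("R") == "1",
        "challenge": f.get("C"),  # optional field, absent in the post's message
        "version": int(f["V"]) if "V" in f else None,
    }

def triage(lines):
    """Attach the preceding RADIUS reply and username to each MS-CHAP failure."""
    radius_reply, users, findings = None, {}, []
    for line in lines:
        if m := RADIUS_RE.search(line):
            radius_reply = m.group(1)
        elif m := CHAP_RE.search(line):
            users[m.group(1)] = m.group(2)  # keyed by interface, e.g. As11
        elif m := FAIL_RE.search(line):
            iface, msg = m.groups()
            findings.append({"interface": iface, "username": users.get(iface),
                             "radius_reply": radius_reply, **parse_failure_message(msg)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_DEBUG):
        print(finding)
```

On the lines from the post this reports error 691 (ERROR_AUTHENTICATION_FAILURE) with retry disabled for testuser on As11, following an Access-Reject from the RADIUS server.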

6 REPLIES
mark-obrien
Enthusiast

Harald,

How is your RADIUS server authenticating - by a local database or through an external database, such as Windows NT? If it is external, the RADIUS server will not be able to convert the hash it receives from the router to the user's password and cannot authenticate.

Mark

The RADIUS server (IAS) uses the Active Directory database (Windows 2000) to authenticate the users. Does that mean there is no way of using ms-chap to authenticate?

Better late than never, I suppose. I assume you have already solved this anyway. I write this reply just in case others find it in a search of the database. You need to check the box in IAS for reverse encryptable passwords. Then reset the user password to store it again in the new format.

Not applicable

Where is that checkbox? I have not been able to find it.

Check the following URL. You will find a complete guide indicating how to configure an IAS/RADIUS 802.1x client on Windows XP and a FOUNDRY Networks switch, all to support 802.1x and dynamic VLAN.

Curiously, the Foundry CLI is very similar to the Cisco CLI (!!!)

Hope it helps.

Sorry,

forgot the URL

www.foundrynet.com/solutions/appNotes/PDFs/8021xAuthenticationWithActiveDirectory.pdf
