06-19-2003 01:39 AM - edited 03-02-2019 08:15 AM
Hi,
Our RAS users dial-in to an AS5200 and are authenticated in a RADIUS (IAS) server running Windows 2000. When I use PAP authentication everything is working fine, but when I instead configure "ppp authentication ms-chap" the users are no longer able to connect. The IAS log indicates that an incorrect username or password had been supplied.
The client is set up to use MS-CHAP authentication and the IAS policy allows users to authenticate both with ms-chap and pap.
Please find below the error message on the IAS and a few lines of debug:
User testuser was denied access.
Fully-Qualified-User-Name = REMOTE\testuser
NAS-IP-Address = 192.168.100.100
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = xxxxxxxxx
Client-Friendly-Name = AS5200
Client-IP-Address = 192.168.100.100
NAS-Port-Type = Async
NAS-Port = 11
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv1
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password.
Jun 19 11:21:17.541 CET: RADIUS: Received from id 128 10.10.10.10:1645, Access-Reject, len 42
Jun 19 11:21:17.553 CET: As11 CHAP: Unable to validate Response. Username testuser: Authentication failure
Jun 19 11:21:17.557 CET: As11 MS-CHAP: O FAILURE id 2 len 18 msg is "BE=691 R=0 V=3"
Does anyone have an idea of what could be wrong?
Thanks in advance for your help!
Regards,
Harald
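Added example, not part of the original thread and not Cisco or Microsoft code: a Python parser that pulls the MS-CHAP Failure message out of the debug output posted above and decodes its E (error), R (retry), C (new challenge) and V (version) fields. The error-code names come from RFC 2433; the regular expressions assume the debug line layout shown in the question, and the function names are hypothetical.

```python
import re

# Error codes defined for the MS-CHAP Failure packet in RFC 2433.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Debug lines exactly as posted in the question above.
SAMPLE_DEBUG = '''\
Jun 19 11:21:17.541 CET: RADIUS: Received from id 128 10.10.10.10:1645, Access-Reject, len 42
Jun 19 11:21:17.553 CET: As11 CHAP: Unable to validate Response. Username testuser: Authentication failure
Jun 19 11:21:17.557 CET: As11 MS-CHAP: O FAILURE id 2 len 18 msg is "BE=691 R=0 V=3"
'''

# Assumed line layouts, derived from the three debug lines above.
FAILURE_RE = re.compile(r'(\S+) MS-CHAP: O FAILURE id (\d+) len \d+ msg is "([^"]*)"')
USER_RE = re.compile(r'(\S+) CHAP: Unable to validate Response\. Username (\S+):')
FIELD_RE = re.compile(r'([ERCV])=([0-9A-Fa-f]+)')


def parse_failure_message(msg):
    """Decode the 'E=... R=... C=... V=...' fields of an MS-CHAP Failure message."""
    fields = dict(FIELD_RE.findall(msg))  # tolerates a stray leading character
    code = int(fields["E"]) if "E" in fields else None
    return {
        "error_code": code,
        "error_name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",  # R=0 means the peer may not retry
        "new_challenge": fields.get("C"),         # only present when a retry is offered
        "version": int(fields["V"]) if "V" in fields else None,
    }


def summarize(debug_text):
    """Pair each interface's rejected username with its MS-CHAP failure fields."""
    users, results = {}, []
    for line in debug_text.splitlines():
        if (m := USER_RE.search(line)):
            users[m.group(1)] = m.group(2)
        elif (m := FAILURE_RE.search(line)):
            info = parse_failure_message(m.group(3))
            info.update(interface=m.group(1), user=users.get(m.group(1)))
            results.append(info)
    return results
```

Calling `summarize(SAMPLE_DEBUG)` returns one entry for interface As11 and user testuser with error 691, which matches the Reason-Code 16 rejection in the IAS log.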
06-19-2003 06:05 AM
Harald,
How is your RADIUS server authenticating - by a local database or through an external database, such as Windows NT? If it is external, the RADIUS server will not be able to convert the hash it receives from the router to the user's password and cannot authenticate.
Mark
06-19-2003 06:52 AM
The RADIUS server (IAS) uses the Active Directory database (Windows 2000) to authenticate the users. Does that mean there is no way of using ms-chap to authenticate?
08-14-2003 06:19 PM
Better late than never, I suppose. I assume you have already solved this anyway; I am writing this reply just in case others find it when searching the database. You need to check the box in IAS for reverse encryptable passwords. Then reset the user password to store it again in the new format.
03-31-2004 01:37 PM
Where is that checkbox? I have not been able to find it.
04-06-2004 07:26 AM
Check the following URL. You will find a complete guide indicating how to configure IAS/RADIUS, an 802.1x client on Windows XP and a Foundry Networks switch, all to support 802.1x and dynamic VLAN.
Curiously, the Foundry CLI is very similar to the Cisco CLI (!!!)
Hope it helps.
04-06-2004 07:27 AM
Sorry,
I forgot the URL:
www.foundrynet.com/solutions/appNotes/PDFs/8021xAuthenticationWithActiveDirectory.pdf