LNS without radius server

sebastien3
Level 4

Hello,

I have a router running L2TP service. I don't use a radius server. The account base is local to the router.

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
!
username cisco@test.com password 0 CiScO
!

vpdn enable
!
vpdn-group TEST
accept-dialin
protocol l2tp
virtual-template 1
source-ip 10.1.1.1
lcp renegotiation always
no l2tp tunnel authentication
ip mtu adjust

!

L2TP-1#show vpdn session

L2TP Session Information Total tunnels 1 sessions 1

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
13520      58354      45207      -, Vi2.1             est    00:30:39 152

I would like to know the user, for example cisco@test.com, when using the show vpdn command.
How can I do this?

Thanks

9 Replies

show vpdn <<- without session keyword 

This gives the same result as show vpdn session...

On the username column (output of show vpdn or vpdn session) I have - and not the local login cisco@test.com

 

L2TP-1#sh vpdn

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocTunID   RemTunID   Remote Name   State  Remote Address  Sessn L2TP Class/
                                                           Count VPDN Group
45207      15874      R892FSP       est    X.X.X.X  1     TEST

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
13520      58354      45207      -, Vi2.1             est    02:27:29 152

L2TP-1#sh vpdn session

L2TP Session Information Total tunnels 1 sessions 1

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
13520      58354      45207      -, Vi2.1             est    02:27:33 152
L2TP-1#

 

Am I missing something in the configuration ?

With a radius server I have no problem displaying the full login with sh vpdn session...

You are correct, it must show under Vi2.1.
You can do:
show ppp all <<- check the username

show ppp all does not display the username:

L2TP-1#sh ppp all
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2.1        LCP+ IPCP+            LocalT   X.X.X.X

Are you using
ppp pap sent-username <<- under the PPP interface?

Yes ! I use ppp pap sent-username :

interface Dialer0
ip address negotiated
no cdp enable
sent-username cisco@test.com password 7 XXXXXXX

I would rather use CHAP than PAP but I don't understand auth...

I tried with ppp chap hostname and password, but I can't authenticate on the LNS...

 

sebastien3
Level 4

To complete my previous answer, here is the debug with CHAP enabled:

*Jan 15 07:34:56.121: ppp597 PPP: Queue CHAP code[1] id[1]
*Jan 15 07:34:56.125: ppp597 PPP: Phase is AUTHENTICATING, by both
*Jan 15 07:34:56.125: ppp597 CHAP: O CHALLENGE id 1 len 33 from "L2TP-1"
*Jan 15 07:34:56.125: ppp597 CHAP: Redirect packet to ppp597
*Jan 15 07:34:56.125: ppp597 CHAP: I CHALLENGE id 1 len 43 from "cisco@test.com"
*Jan 15 07:34:56.125: ppp597 CHAP: Waiting for Peer to authenticate first
*Jan 15 07:34:56.125: ppp597 LCP: State is Open
*Jan 15 07:34:56.217: ppp597 CHAP: I RESPONSE id 1 len 43 from "cisco@test.com"
*Jan 15 07:34:56.217: ppp597 PPP: Phase is FORWARDING, Attempting Forward
*Jan 15 07:34:56.217: ppp597 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Jan 15 07:34:56.217: ppp597 PPP: Sent CHAP LOGIN Request
*Jan 15 07:34:56.217: ppp597 PPP: Received LOGIN Response PASS
*Jan 15 07:34:56.217: ppp597 IPCP: Authorizing CP
*Jan 15 07:34:56.217: ppp597 IPCP: CP stalled on event[Authorize CP]
*Jan 15 07:34:56.217: ppp597 IPCP: CP unstall
*Jan 15 07:34:56.217: ppp597 PPP: Phase is FORWARDING, Attempting Forward
*Jan 15 07:34:56.225: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User
*Jan 15 07:34:56.225: Vi2.1 PPP: Sent CHAP SENDAUTH Request
*Jan 15 07:34:56.225: Vi2.1 CHAP: O SUCCESS id 1 len 4
*Jan 15 07:34:56.229: Vi2.1 PPP: Received SENDAUTH Response PASS
*Jan 15 07:34:56.229: Vi2.1 CHAP: Using hostname from configured hostname
*Jan 15 07:34:56.229: Vi2.1 CHAP: Using password from AAA
*Jan 15 07:34:56.229: Vi2.1 CHAP: O RESPONSE id 1 len 33 from "L2TP-1"
*Jan 15 07:34:56.337: Vi2.1 PPP: I pkt type 0xC223, datagramsize 29 link[ppp]
*Jan 15 07:34:56.337: Vi2.1 CHAP: I FAILURE id 1 len 25 msg is "Authentication failed"
*Jan 15 07:34:56.337: Vi2.1 PPP DISC: We failed authentication
*Jan 15 07:34:56.337: Vi2.1 PPP: Sending Acct Event[Down] id[26D]
*Jan 15 07:34:56.337: PPP: NET STOP send to AAA.

ppp chap hostname
ppp chap password 

If you use CHAP instead of PAP, use the above commands for username/password.

I just found my mistake... I had to remove ppp authentication chap callin on the remote router !

Now the L2TP server is OK for the connected username:

L2TP-1#sh vpdn session

L2TP Session Information Total tunnels 1 sessions 1

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
2201       33436      62839      cisco@test..., Vi2.1 est    00:32:45 684
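
The CHAP debug posted earlier in the thread shows authentication running in both directions ("by both"): the LNS accepts the peer, then the peer rejects the LNS. As an added example (not written by any poster in the thread), this Python script separates the two directions in such debug lines; the function names are assumptions, and the sample is a subset of the lines posted above.

```python
import re

# Constructed sample: a subset of the CHAP debug lines posted in the thread.
SAMPLE = """\
*Jan 15 07:34:56.125: ppp597 PPP: Phase is AUTHENTICATING, by both
*Jan 15 07:34:56.125: ppp597 CHAP: O CHALLENGE id 1 len 33 from "L2TP-1"
*Jan 15 07:34:56.125: ppp597 CHAP: I CHALLENGE id 1 len 43 from "cisco@test.com"
*Jan 15 07:34:56.217: ppp597 CHAP: I RESPONSE id 1 len 43 from "cisco@test.com"
*Jan 15 07:34:56.225: Vi2.1 CHAP: O SUCCESS id 1 len 4
*Jan 15 07:34:56.229: Vi2.1 CHAP: O RESPONSE id 1 len 33 from "L2TP-1"
*Jan 15 07:34:56.337: Vi2.1 CHAP: I FAILURE id 1 len 25 msg is "Authentication failed"
"""

CHAP_RE = re.compile(r'CHAP: ([IO]) (CHALLENGE|RESPONSE|SUCCESS|FAILURE) id \d+'
                     r'(?: len \d+)?(?: from "([^"]*)")?')
# Packets that belong to "this router authenticates the peer"; the mirror
# images (I CHALLENGE, O RESPONSE, I SUCCESS/FAILURE) are the peer checking us.
WE_CHECK_PEER = {("O", "CHALLENGE"), ("I", "RESPONSE"),
                 ("O", "SUCCESS"), ("O", "FAILURE")}

def analyze_chap(log_text):
    """Split CHAP debug lines into the two authentication directions."""
    result = {side: {"name": None, "outcome": "not attempted"}
              for side in ("peer", "local")}
    for line in log_text.splitlines():
        m = CHAP_RE.search(line)
        if not m:
            continue
        direction, code, name = m.groups()
        side = result["peer" if (direction, code) in WE_CHECK_PEER else "local"]
        if code in ("SUCCESS", "FAILURE"):
            side["outcome"] = code.lower()
        elif side["outcome"] == "not attempted":
            side["outcome"] = "pending"
        if code == "RESPONSE":
            side["name"] = name  # identity claimed in the response
    result["mutual"] = all(result[s]["outcome"] != "not attempted"
                           for s in ("peer", "local"))
    return result

def diagnose(result):
    """Turn the per-direction summary into a one-line finding."""
    peer, local = result["peer"], result["local"]
    if peer["outcome"] == "success" and local["outcome"] == "failure":
        return (f"peer {peer['name']} passed, but the remote end rejected "
                f"our response as {local['name']}")
    if not result["mutual"]:
        return "one-way CHAP: only one side was challenged"
    return f"peer: {peer['outcome']}, local: {local['outcome']}"

if __name__ == "__main__":
    print(diagnose(analyze_chap(SAMPLE)))
```

On the posted log it reports that the peer passed while the LNS's own response was rejected, which matches the fix reported in the thread: removing ppp authentication chap callin on the remote router.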