07-27-2015 08:09 AM - edited 03-01-2019 02:54 PM
Hello, I need to configure a Cisco router as a PPPoE server using a local username.
I get Authentication Failure on the server side:
PPP Server Conf:
hostname ISP
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login PPP local
aaa authentication ppp default local
aaa authentication ppp PPP local
aaa authorization network default local
aaa authorization network PPP local
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username client password 0 pppoe
username daniel privilege 15 password 0 cisco
!
!
bba-group pppoe global
virtual-template 1
sessions per-mac limit 2
!
!
interface FastEthernet0/0
no ip address
duplex half
pppoe enable group global
!
interface Virtual-Template1
mtu 1492
ip address negotiated
no ip redirects
no ip route-cache cef
peer default ip address pool PPPOE
ppp mtu adaptive
ppp authentication chap callin
ppp authorization PPP
!
ip local pool PPPOE 192.168.12.10 192.168.12.50
ip forward-protocol nd
no ip http server
no ip http secure-server
Client Conf:
interface FastEthernet0/0
no ip address
shutdown
duplex half
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
mtu 1492
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap
ppp chap hostname client
ppp chap password 0 pppoe
07-28-2015 01:06 AM
Hi Daniel,
This is because you are configuring 'ppp authentication chap' on the client side. In PPP you can do authentication on each peer independently. In this case, on the server side you configured:
ppp authentication chap callin
ppp authorization PPP
This indicates that your server will authenticate incoming calls and authorize them using the PPP authorization method list (which points to local as per your config).
On the client side you have:
ppp authentication chap
ppp chap hostname client
ppp chap password 0 pppoe
This means that your client will authenticate the other end using CHAP and it will use username "client" and password "pppoe" in the authentication request (challenge).
If you do not want to authenticate the server, simply remove "ppp authentication chap" from the client config. If you want to authenticate the server, configure the corresponding CHAP hostname and password.
Hope it works
Regards
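The point of the reply above, as an added example that is not part of any post in this thread: each side that has "ppp authentication chap" must be able to look up the name the other side answers with. The sketch assumes local username lookup on both sides (no RADIUS), and the two config strings are constructed from the CHAP-relevant lines of the configs posted in the question.

```python
import re

# Constructed samples: the CHAP-relevant lines from the thread's two configs.
SERVER = """hostname ISP
username client password 0 pppoe
interface Virtual-Template1
 ppp authentication chap callin
"""
CLIENT = """interface Dialer1
 ppp authentication chap
 ppp chap hostname client
 ppp chap password 0 pppoe
"""

def parse_ppp(config):
    """Pull the settings that decide who challenges whom, and with which name."""
    info = {"hostname": None, "chap_hostname": None,
            "challenges": False, "callin": False, "users": set()}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"hostname (\S+)", line):
            info["hostname"] = m.group(1)
        elif m := re.match(r"username (\S+)", line):
            info["users"].add(m.group(1))
        elif m := re.match(r"ppp chap hostname (\S+)", line):
            info["chap_hostname"] = m.group(1)
        elif m := re.match(r"ppp authentication chap\b(.*)", line):
            info["challenges"] = True
            info["callin"] = "callin" in m.group(1).split()
    return info

def check(side, authenticator, peer, is_caller):
    """Return a finding if `authenticator` challenges a peer it cannot verify."""
    # 'callin' restricts authentication to received calls, so a calling
    # side configured with it does not challenge the other end.
    if not authenticator["challenges"] or (is_caller and authenticator["callin"]):
        return None
    name = peer["chap_hostname"] or peer["hostname"]  # name the peer answers with
    if name in authenticator["users"]:
        return None
    return f"{side} challenges the peer but has no local username for {name!r}"

def audit(server_cfg, client_cfg):
    """Check both CHAP directions; assumes local username lookup on each side."""
    server, client = parse_ppp(server_cfg), parse_ppp(client_cfg)
    findings = [check("server", server, client, is_caller=False),
                check("client", client, server, is_caller=True)]
    return [f for f in findings if f]

if __name__ == "__main__":
    for finding in audit(SERVER, CLIENT):
        print(finding)
```

With the configs as posted, the only finding is on the client side; removing "ppp authentication chap" from the client, or adding a matching username for the server on the client, clears it.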
07-28-2015 04:22 AM
Hello Manuel.
I need to authenticate about 10 PPPoE clients, and I configured AAA on the server side using a local username and password. I would not like to use a RADIUS server.
aaa authentication login default local
aaa authentication login PPP local
aaa authentication ppp default local
aaa authentication ppp PPP local
aaa authorization network default local
aaa authorization network PPP local
username client password 0 pppoe
But the client requests username and password and I get Authentication failure on the server side.
Can you help me?
07-28-2015 04:56 AM
Hi Daniel,
Where do you see that the authentication failure comes from the server?
From the screenshot of the sniffer trace you included previously we see that the PPPoE PADS packet comes from the device with MAC ca:01:21:4c:00:00 to MAC ca:02:16:b8:00:00. This means your client is ca:02:16:b8:00:00 and the server is ca:01:21:4c:00:00 (since PADS is a packet that goes from server to client).
If we see the authentication failure packet we see it comes from MAC ca:02:16:b8:00:00, so it's coming from the client, not from the server.
Did you try the suggestion I made before? What was the result?
If it doesn't help, can you provide the outputs of the following debugs from client and server side:
- debug ppp negotiation
- debug ppp authentication
- debug aaa authentication
Regards
07-28-2015 05:20 AM
Hello Manuel
Thanks, now I understand it.
I removed ppp authentication chap from the client and it worked!
Before, I didn't understand what ppp authentication chap does; now I know.
Thanks for help!
07-28-2015 05:24 AM
Hi Daniel,
No problem. Good to hear it worked!
Best regards.