ppp auth failed with ms-chap-v2

telelvisjr
Level 1

Hello, all

I'm trying to connect to an ISP with the PPPoE method using a Cisco 861. On the other side is a Cisco 3845 BRAS.

The session fails at the authentication phase. The authentication protocol chosen by the routers is ms-chap-v2. CHAP is supported also.

So here is the debug:

Jan  3 14:27:38 MSK: %DIALER-6-BIND: Interface Vi1 bound to profile Di1

Jan  3 14:27:38 MSK: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up

22:27:40: Vi1 PPP: Sending cstate UP notification

22:27:40: Vi1 PPP: Processing CstateUp message

22:27:40: AAA/BIND(00000B0C): Bind i/f Virtual-Access1

22:27:40: PPP: Alloc Context [844DF258]

22:27:40: ppp810 PPP: Phase is ESTABLISHING

22:27:40: ppp810 PPP: Using AAA Unique Id = B0C

22:27:40: AAA/BIND(00000B0C): Bind i/f Virtual-Access1

22:27:40: AAA/AUTHOR (00000B0C): Method list id=0 not configured. Skip author

22:27:40: Vi1 PPP: Authorization NOT required

22:27:40: Vi1 PPP: Using dialer call direction

22:27:40: Vi1 PPP: Treating connection as a callout

22:27:40: Vi1 PPP: Session handle[C300003C] Session id[810]

22:27:40: Vi1 LCP: Event[OPEN] State[Initial to Starting]

22:27:40: Vi1 LCP: O CONFREQ [Starting] id 1 len 15

22:27:40: Vi1 LCP:    AuthProto CHAP (0x0305C22305)

22:27:40: Vi1 LCP:    MagicNumber 0x981EF7EB (0x0506981EF7EB)

22:27:40: Vi1 LCP: Event[UP] State[Starting to REQsent]

22:27:40: Vi1 LCP: I CONFREQ [REQsent] id 1 len 19

22:27:40: Vi1 LCP:    MRU 1492 (0x010405D4)

22:27:40: Vi1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)

22:27:40: Vi1 LCP:    MagicNumber 0x903962FB (0x0506903962FB)

22:27:40: Vi1 LCP: O CONFNAK [REQsent] id 1 len 8

22:27:40: Vi1 LCP:    MRU 1500 (0x010405DC)

22:27:40: Vi1 LCP: Event[Receive ConfReq-] State[REQsent to REQsent]

22:27:40: Vi1 LCP: I CONFACK [REQsent] id 1 len 15

22:27:40: Vi1 LCP:    AuthProto CHAP (0x0305C22305)

22:27:40: Vi1 LCP:    MagicNumber 0x981EF7EB (0x0506981EF7EB)

22:27:40: Vi1 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]

22:27:40: Vi1 LCP: I CONFREQ [ACKrcvd] id 2 len 19

22:27:40: Vi1 LCP:    MRU 1500 (0x010405DC)

22:27:40: Vi1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)

22:27:40: Vi1 LCP:    MagicNumber 0x903962FB (0x0506903962FB)

22:27:40: Vi1 LCP: O CONFACK [ACKrcvd] id 2 len 19

22:27:40: Vi1 LCP:    MRU 1500 (0x010405DC)

22:27:40: Vi1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)

22:27:40: Vi1 LCP:    MagicNumber 0x903962FB (0x0506903962FB)

22:27:40: Vi1 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open]

22:27:40: Vi1 PPP: Queue CHAP code[1] id[1]

22:27:40: Vi1 PPP: Phase is AUTHENTICATING, by both

22:27:40: Vi1 CHAP: O CHALLENGE id 1 len 27 from "ppp009"

22:27:40: Vi1 CHAP: Redirect packet to Vi1

22:27:40: Vi1 MS-CHAP-V2: I CHALLENGE id 1 len 23 from "r1"

22:27:40: AAA/AUTHEN/PPP (00000B0C): Pick method list ' Permanent Local'

22:27:40: Vi1 PPP: Sent MSCHAP_V2 SENDAUTH Request

22:27:40: Vi1 LCP: State is Open

22:27:40: Vi1 PPP: Received SENDAUTH Response FAIL

22:27:40: Vi1 MS CHAP V2: Using hostname from interface CHAP

22:27:40: Vi1 MS CHAP V2: Using password from interface CHAP

22:27:40: Vi1 MS-CHAP-V2: O RESPONSE id 1 len 60 from "ppp009"

22:27:40: Vi1 MS-CHAP-V2: I SUCCESS id 1 len 46 msg is "S=56927B5B36EA40071200B1BE5C285D2B3F3F3E8E"

22:27:40: Vi1 MS CHAP V2 No Password found for : r1

22:27:40: Vi1 MS CHAP V2 Check AuthenticatorResponse Success for : ppp009

22:27:40: Vi1 LCP: I TERMREQ [Open] id 3 len 4

22:27:40: Vi1 PPP DISC: Received LCP TERMREQ from peer

22:27:40: Vi1 PPP: Sending Acct Event[Down] id[B0C]

22:27:40: PPP: NET STOP send to AAA.

22:27:40: Vi1 PPP: Phase is TERMINATING

22:27:40: Vi1 LCP: O TERMACK [Open] id 3 len 4

22:27:40: Vi1 LCP: Event[Receive TermReq] State[Open to Stopping]

Jan  3 14:27:38 MSK: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1

22:27:40: Vi1 PPP: Block vaccess from being freed [0x10]

Jan  3 14:27:38 MSK: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down

22:27:40: Vi1 PPP: Sending cstate DOWN notification

22:27:40: Vi1 PPP: Processing CstateDown message

22:27:40: Vi1 LCP: Event[CLOSE] State[Stopping to Closing]

22:27:40: Vi1 LCP: Event[DOWN] State[Closing to Initial]

22:27:40: Vi1 PPP: Clearing AAA Unique Id = B0C

22:27:40: Vi1 PPP: Unlocked by [0x10] Still Locked by [0x0]

22:27:40: Vi1 PPP: Free previously blocked vaccess

22:27:40: Vi1 PPP: Phase is DOWN

Dialer interface config

interface Dialer1

description PPPoE

ip address negotiated

ip access-group fire in

ip mtu 1492

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer persistent

dialer-group 1

ppp encrypt mppe auto

ppp authentication chap

ppp chap hostname ppp009

ppp chap password 7 XXXXXXXXXXXXXXXXXXXXXX

ppp ms-chap-v2 refuse

ppp pap sent-username ppp009 password 7 XXXXXXXXXXXXXXXXXXXXXXXXX

no cdp enable

crypto map VPNMAP

The username and password are correct, as I tried a broadband connection on a nearby Win7 workstation with these credentials.

I have several other locations connected to this ISP, but the routers used there are HP MSR series. They don't support ms-chap-v2, only chap, and I think that's the root of this issue. They can negotiate chap and authenticate with it.

The Cisco 861 for some reason chooses ms-chap-v2, despite the "ppp ms-chap-v2 refuse" command.

How can chap authentication be forced in this case?

Or why does ms-chap-v2 fail?

I managed to get debug from ISP side:

059781: Dec 21 10:21:23.848 CET: ppp466 PPP: Using vpn set call direction

059782: Dec 21 10:21:23.848 CET: ppp466 PPP: Treating connection as a callin

059783: Dec 21 10:21:23.848 CET: ppp466 PPP: Session handle[82000AD7] Session id[466]

059784: Dec 21 10:21:23.856 CET: ppp466 PPP: Authorization required

059785: Dec 21 10:21:23.864 CET: ppp466 MS-CHAP-V2: O CHALLENGE id 1 len 23 from "r1"

059786: Dec 21 10:21:23.876 CET: ppp466 CHAP: I CHALLENGE id 1 len 27 from "ppp009"

059787: Dec 21 10:21:23.876 CET: ppp466 CHAP: Waiting for Peer to authenticate first

059788: Dec 21 10:21:23.896 CET: ppp466 MS-CHAP-V2: I RESPONSE id 1 len 60 from "ppp009"

059789: Dec 21 10:21:23.900 CET: ppp466 PPP: Sent MSCHAP_V2 LOGIN Request

059790: Dec 21 10:21:23.940 CET: ppp466 PPP: Received LOGIN Response PASS

059791: Dec 21 10:21:23.976 CET: Vi46 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=64EBEE1CB11DA3C76487BA5CED517D6B8EA9745D"

059792: Dec 21 10:21:23.980 CET: Vi46 CHAP: Unable to authenticate for peer

and config:

interface Virtual-Template1

mtu 1492

ip unnumbered Loopback1

no ip redirects

ip flow ingress

ip flow egress

ip virtual-reassembly max-reassemblies 512

no logging event link-status

no peer default ip address

ppp authentication ms-chap-v2 chap

end

Thank you for assistance!

Upd:

System image file is "flash:c860-universalk9-mz.151-4.M4.bin"

Accepted Solutions

Peter Paluch
Cisco Employee

Hello,

Can you please try removing the "ppp authentication chap" command from your Dialer1 interface? With this command, you are requesting the ISP to authenticate to you, which is not usually done. It is possible that the ISP is not willing to authenticate to you and drops the connection as a result.

Best regards,

Peter

Hello, Peter

You're right.

The issue was solved by removing this command. Indeed, now only the ISP requests auth:

3d10h: Vi1 PPP: Phase is AUTHENTICATING, by the peer

I thought that by using this command I was listing the supported authentication protocols, but instead I was forcing the CE to authenticate the PE.

Thank you!
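
Added example (not part of the original thread): a short Python parser for `debug ppp negotiation` output that reports which side demanded which authentication protocol, by decoding the AuthProto option bytes in the acknowledged LCP packets. The `FIXED` log is a constructed sample, and the function and key names are illustrative.

```python
import re

# LCP option 3 (Authentication-Protocol) values: RFC 1661, 1994, 2433, 2759.
PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}
CHAP_ALGORITHMS = {0x05: "CHAP (MD5)", 0x80: "MS-CHAP", 0x81: "MS-CHAP-V2"}
PACKET = re.compile(r"LCP: ([IO]) ((?:CONF|TERM)\w+)")
AUTH_OPTION = re.compile(r"LCP:\s+AuthProto \S+ \(0x([0-9A-Fa-f]+)\)")
# A CONFACK echoes the request, so "I CONFACK" confirms what the local side asked for.
ROLE = {"I": "local_demands_from_peer", "O": "peer_demands_from_local"}

def decode_auth_option(hex_bytes):
    """Decode the raw option bytes that IOS prints in parentheses."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 4 or raw[0] != 0x03 or raw[1] != len(raw):
        raise ValueError("not a well-formed Authentication-Protocol option")
    proto = int.from_bytes(raw[2:4], "big")
    if proto == 0xC223 and len(raw) >= 5:
        return CHAP_ALGORITHMS.get(raw[4], f"CHAP (algorithm 0x{raw[4]:02X})")
    return PROTOCOLS.get(proto, f"unknown (0x{proto:04X})")

def agreed_auth(lines):
    """Return the authentication each side demanded, per the last CONFACKs."""
    result, current = dict.fromkeys(ROLE.values()), None
    for line in lines:
        packet = PACKET.search(line)
        if packet:
            current = packet.groups()
            if current[1] == "CONFACK":
                result[ROLE[current[0]]] = None  # a new ACK replaces the old value
            continue
        option = AUTH_OPTION.search(line)
        if option and current and current[1] == "CONFACK":
            result[ROLE[current[0]]] = decode_auth_option(option.group(1))
    return result

# The two CONFACKs from the CPE debug in the post (other options trimmed).
FAILING = """\
22:27:40: Vi1 LCP: I CONFACK [REQsent] id 1 len 15
22:27:40: Vi1 LCP:    AuthProto CHAP (0x0305C22305)
22:27:40: Vi1 LCP: O CONFACK [ACKrcvd] id 2 len 19
22:27:40: Vi1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
"""
# Constructed sample: the same exchange if the CPE requests no authentication.
FIXED = """\
00:00:01: Vi1 LCP: I CONFACK [REQsent] id 1 len 10
00:00:01: Vi1 LCP:    MagicNumber 0x981EF7EB (0x0506981EF7EB)
00:00:01: Vi1 LCP: O CONFACK [ACKrcvd] id 2 len 19
00:00:01: Vi1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
"""
```

Calling `agreed_auth(FAILING.splitlines())` shows CHAP demanded by the CPE and MS-CHAP-V2 demanded by the BRAS, which matches the `Phase is AUTHENTICATING, by both` line in the posted debug.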
