This document covers a PPTP configuration on IOS that uses MS-CHAP v2 for authentication. The configuration in the Cisco documentation for PPTP on IOS uses "pap chap ms-chap-v2" for authentication. However, assume that the configuration is as follows:
Using ms-chap (v1) or ms-chap-v2 in this scenario prevents the PPTP connection from completing and produces an authentication error in the debugs. The router prompts the user for the username and password, but then rejects the login. The errors seen in the PPP debugs (debug ppp authentication / debug ppp negotiation) look like this:

000503: *Jan x xx:xx:xx.yyy PST: ppp32 PPP: Sent MSCHAP LOGIN Request
000504: *Jan x xx:xx:xx.yyy PST: ppp32 PPP: Received LOGIN Response FAIL
000505: *Jan x xx:xx:xx.yyy PST: ppp32 MS-CHAP: O FAILURE id 3 len 13 msg is "E=691 R=1"

The failure message is the MS-CHAP error string defined in RFC 2759: E=691 is ERROR_AUTHENTICATION_FAILURE, and R=1 means the client is allowed to retry. It is the generic "wrong password" failure, which is misleading here, because the password the user types is correct.
However, the same connection succeeds with the following configuration, i.e. pap chap:

ppp authentication pap chap

With that line the router offers PAP first and only falls back to CHAP if the peer refuses PAP, so the connection is actually authenticated with PAP. A little understanding of how MS-CHAP works explains the difference and provides the solution. Configuring the username with the "password" keyword rather than the "secret" keyword fixes the problem when "ms-chap-v2" or "ms-chap" is used for authentication:
username test secret <hashed-value-of-password> privilege x -----> Wrong (fails with MS-CHAP / MS-CHAP v2)
username test password <password-string> privilege x -----> Correct
With the "secret" keyword the router stores only a one-way hash of the password (the MD5-based type 5 hash, or the type 8/9 hashes on newer releases); the cleartext is never kept. MS-CHAP and MS-CHAP v2 are challenge/response protocols: the client never sends the password itself. It sends a response computed from the router's challenge and a hash of the password (the NT hash, i.e. MD4 of the password), and the router must compute the same response from its own copy of the password in order to compare the two. Starting from a one-way hash, the router can recover neither the password nor the NT hash, so it can never produce a matching response and rejects the login with E=691. The "password" keyword stores the string reversibly (cleartext, or type 7 obfuscation when service password-encryption is enabled), so the router can recover it and compute the expected response. PAP does not have this problem because the client sends the password in the clear and the router only has to hash it and compare, which works against a one-way hash; that is why "pap chap" succeeds.

Solution: change the username from the "secret" keyword to the "password" keyword. Note the trade-off this implies: type 7 obfuscation is trivially reversible, so a configuration containing such users must be treated as containing cleartext passwords (restrict access to the running-config and backups). The same constraint applies to an external AAA server, which also needs the cleartext password or NT hash to verify MS-CHAP. MS-CHAP v2 and PPTP are themselves considered weak, so this fix keeps a legacy deployment working rather than making it strong.
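The following Python is an added illustration of the point above; it is not code from the original article or from Cisco. It uses RFC 1994 MD5-CHAP as a stand-in for MS-CHAP v2 (the structure is the same: the server must derive the expected response from the credential it has stored, and only the hash function and the NT-hash step differ), a salted SHA-256 as a stand-in for the IOS one-way "secret" storage (not the exact IOS algorithm), and the real, publicly documented IOS type 7 obfuscation for "password". It shows that a "password" record lets the router recompute the CHAP response, that a "secret" record cannot answer a challenge at all, and that PAP succeeds against either. The username, salt and challenge values are constructed for the example.

```python
"""Why `username ... secret` breaks MS-CHAP but `username ... password` works.

Added illustration, not from the original article.  MD5-CHAP (RFC 1994) stands
in for MS-CHAP v2; the salted SHA-256 stands in for the IOS `secret` hash.
"""
import hashlib
import hmac

# The IOS type 7 obfuscation key.  It is public and reversible by design, which
# is exactly why the router can recover a `password 7` string but not a `secret`.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a `password 7 ...` string (what the router does)."""
    seed = int(encoded[:2])                      # first two digits: offset into the key
    body = bytes.fromhex(encoded[2:])            # remaining hex: password XOR key stream
    clear = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return clear.decode()


def type7_encode(password: str, seed: int = 8) -> str:
    """Produce the `password 7` form written by `service password-encryption`."""
    raw = password.encode()
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(raw))
    return f"{seed:02d}{body.hex().upper()}"


def one_way_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for `username ... secret`: salted one-way hash, irreversible."""
    return hashlib.sha256(salt + password.encode()).digest()


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_chap(record: dict, ident: int, challenge: bytes, response: bytes) -> bool:
    """Router side of CHAP: it must recompute the response from the cleartext."""
    if record["kind"] == "password":
        expected = chap_response(ident, type7_decode(record["value"]), challenge)
        return hmac.compare_digest(expected, response)
    # kind == "secret": only a one-way hash is stored.  The cleartext cannot be
    # recovered, so no expected response exists to compare against.  This is the
    # situation behind the "E=691 R=1" failure in the debugs.
    return False


def verify_pap(record: dict, password: str) -> bool:
    """Router side of PAP: the client sends the password itself, so a one-way
    hash is enough.  This is why `ppp authentication pap chap` (PAP negotiated
    first) succeeds for a user created with `secret`."""
    if record["kind"] == "password":
        stored = type7_decode(record["value"]).encode()
        return hmac.compare_digest(stored, password.encode())
    salt, digest = record["value"]
    return hmac.compare_digest(one_way_hash(password, salt), digest)


def make_records(password: str, salt: bytes = b"constructed-salt") -> dict:
    """Constructed sample: the same user stored with `password` and with `secret`."""
    return {
        "password": {"kind": "password", "value": type7_encode(password)},
        "secret": {"kind": "secret", "value": (salt, one_way_hash(password, salt))},
    }


def run_exchange(record: dict, password: str,
                 challenge: bytes = b"\x01" * 16, ident: int = 3) -> dict:
    """Client answers a CHAP challenge and a PAP prompt; router checks both."""
    response = chap_response(ident, password, challenge)      # computed by the client
    return {"chap": verify_chap(record, ident, challenge, response),
            "pap": verify_pap(record, password)}


if __name__ == "__main__":
    records = make_records("cisco")
    print("password keyword:", run_exchange(records["password"], "cisco"))  # both True
    print("secret keyword:  ", run_exchange(records["secret"], "cisco"))    # chap False, pap True
```

The "secret" branch of verify_chap is the whole story: nothing the router does with a one-way hash can turn it into the challenge response, regardless of whether the client's password is right. The type 7 decoder also makes the trade-off concrete: anyone who can read the configuration can recover the password with the same few lines.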