Hi,
This document describes a PPTP configuration on IOS that uses MS-CHAP v2 for authentication. The configuration given in the Cisco documentation for PPTP on IOS uses "pap chap ms-chap-v2" for authentication. However, assume that the configuration is as follows:
interface Virtual-Template10
ppp authentication ms-chap-v2
Using ms-chap-v1 or ms-chap-v2 in such a scenario prevents the PPTP connection from completing successfully and produces an authentication error in the debugs. The router prompts the user for the username and password but then fails the authentication. The errors you would encounter in the PPP debugs are as follows:
000503: *Jan x xx:xx:xx.yyy PST: ppp32 PPP: Sent MSCHAP LOGIN Request
000504: *Jan x xx:xx:xx.yyy PST: ppp32 PPP: Received LOGIN Response FAIL
000505: *Jan x xx:xx:xx.yyy PST: ppp32 MS-CHAP: O FAILURE id 3 len 13 msg is "E=691 R=1"
However, the same connection goes through successfully with the following configuration, i.e. pap chap:
ppp authentication pap chap
A little understanding of the way MS-CHAP works provides the solution to this problem. Configuring the username with the "password" keyword rather than the "secret" keyword when using "ms-chap-v2" or "ms-chap" for authentication fixes the problem:
username test secret <hashed-value-of-password> privilege x -----> Wrong
username test password <password-string> privilege x -----> Correct
The "secret" keyword means the configured password is stored on the router only as a one-way hash. MS-CHAP requires the authenticator to hold the cleartext password (or a value derived directly from it) to compute the expected response to its challenge. Hence, during PPTP authentication, when the client sent its MS-CHAP response computed from the real password, the router derived its comparison value from the already hashed password and the two could never match. This caused the authentication error.
Solution: Changing the username configuration from the "secret" keyword to the "password" keyword fixed the issue.
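As an added example (not part of the original post), the following Python script checks an IOS configuration for exactly this mismatch: a Virtual-Template that authenticates with ms-chap or ms-chap-v2 while the router's usernames are defined with the "secret" keyword. The sample configuration and the hash value in it are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample IOS config reproducing the scenario from the post.
# The type-5 hash string is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
username test secret 5 $1$PLACEHOLDER$hashedvaluehere privilege 15
username vpnuser password 0 plaintext-goes-here privilege 1
!
interface Virtual-Template10
 ppp authentication ms-chap-v2
!
interface Virtual-Template20
 ppp authentication pap chap
"""

# PPP methods that need the router to hold a recoverable password.
MSCHAP_METHODS = {"ms-chap", "ms-chap-v2"}


def parse_usernames(config: str) -> Dict[str, str]:
    """Map each local username to how its credential is stored: 'secret' or 'password'."""
    users: Dict[str, str] = {}
    for m in re.finditer(r"^username\s+(\S+)\s+(secret|password)\b", config, re.M):
        users[m.group(1)] = m.group(2)
    return users


def parse_ppp_auth(config: str) -> Dict[str, List[str]]:
    """Map each interface to the method list on its 'ppp authentication' line."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("!"):
            current = None  # section delimiter in IOS configs
        elif current and line.strip().startswith("ppp authentication "):
            result[current] = line.split()[2:]
    return result


def find_mschap_secret_mismatch(config: str) -> List[str]:
    """One finding per MS-CHAP interface and 'secret'-style username combination."""
    users = parse_usernames(config)
    findings: List[str] = []
    for intf, methods in parse_ppp_auth(config).items():
        mschap = [m for m in methods if m in MSCHAP_METHODS]
        if not mschap:
            continue
        for user, keyword in sorted(users.items()):
            if keyword == "secret":
                findings.append(f"{intf}: {' '.join(mschap)} configured but "
                                f"'username {user}' uses 'secret'; MS-CHAP needs 'password'")
    return findings
```

Running find_mschap_secret_mismatch(SAMPLE_CONFIG) reports only Virtual-Template10 with the "test" user; Virtual-Template20 (pap chap) is left alone, matching the behaviour described above.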