01-18-2011 04:17 PM
Hi Guys,
Can someone please advise what I am doing wrong? I'm trying to test one of our routers with the PPTP protocol for VPN.
Please see the config below:
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
interface Virtual-Template1
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool POOL_IP
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 ms-chap
!
ip local pool POOL_IP 192.168.42.50 192.168.42.100
Running debug, I am getting this:
NTCSYD2#sh debugging
PPP:
PPP authentication debugging is on
PPP protocol errors debugging is on
PPP protocol negotiation debugging is on
NTCSYD2#
*Jan 18 23:43:21.855: PPP: Alloc Context [4670C550]
*Jan 18 23:43:21.859: ppp8 PPP: Phase is ESTABLISHING
*Jan 18 23:43:21.859: ppp8 PPP: Using vpn set call direction
*Jan 18 23:43:21.859: ppp8 PPP: Treating connection as a callin
*Jan 18 23:43:21.859: ppp8 PPP: Session handle[8] Session id[8]
*Jan 18 23:43:21.859: ppp8 LCP: Event[OPEN] State[Initial to Starting]
*Jan 18 23:43:21.859: ppp8 PPP LCP: Enter passive mode, state[Stopped]
*Jan 18 23:43:22.203: ppp8 LCP: I CONFREQ [Stopped] id 0 len 21
*Jan 18 23:43:22.207: ppp8 LCP: MRU 1400 (0x01040578)
*Jan 18 23:43:22.207: ppp8 LCP: MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.207: ppp8 LCP: PFC (0x0702)
*Jan 18 23:43:22.207: ppp8 LCP: ACFC (0x0802)
*Jan 18 23:43:22.207: ppp8 LCP: Callback 6 (0x0D0306)
*Jan 18 23:43:22.207: ppp8 LCP: O CONFREQ [Stopped] id 1 len 15
*Jan 18 23:43:22.207: ppp8 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 18 23:43:22.207: ppp8 LCP: MagicNumber 0x3710B12D (0x05063710B12D)
*Jan 18 23:43:22.207: ppp8 LCP: O CONFREJ [Stopped] id 0 len 7
*Jan 18 23:43:22.207: ppp8 LCP: Callback 6 (0x0D0306)
*Jan 18 23:43:22.207: ppp8 LCP: Event[Receive ConfReq-] State[Stopped to REQsent]
*Jan 18 23:43:22.211: ppp8 LCP: I CONFACK [REQsent] id 1 len 15
*Jan 18 23:43:22.211: ppp8 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 18 23:43:22.211: ppp8 LCP: MagicNumber 0x3710B12D (0x05063710B12D)
*Jan 18 23:43:22.211: ppp8 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
*Jan 18 23:43:22.211: ppp8 LCP: I CONFREQ [ACKrcvd] id 1 len 18
*Jan 18 23:43:22.211: ppp8 LCP: MRU 1400 (0x01040578)
*Jan 18 23:43:22.211: ppp8 LCP: MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.211: ppp8 LCP: PFC (0x0702)
*Jan 18 23:43:22.211: ppp8 LCP: ACFC (0x0802)
*Jan 18 23:43:22.211: ppp8 LCP: O CONFNAK [ACKrcvd] id 1 len 8
*Jan 18 23:43:22.211: ppp8 LCP: MRU 1500 (0x010405DC)
*Jan 18 23:43:22.211: ppp8 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Jan 18 23:43:22.211: ppp8 LCP: I CONFREQ [ACKrcvd] id 2 len 18
*Jan 18 23:43:22.211: ppp8 LCP: MRU 1400 (0x01040578)
*Jan 18 23:43:22.211: ppp8 LCP: MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.211: ppp8 LCP: PFC (0x0702)
*Jan 18 23:43:22.211: ppp8 LCP: ACFC (0x0802)
*Jan 18 23:43:22.215: ppp8 LCP: O CONFNAK [ACKrcvd] id 2 len 8
*Jan 18 23:43:22.215: ppp8 LCP: MRU 1500 (0x010405DC)
*Jan 18 23:43:22.215: ppp8 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Jan 18 23:43:22.215: ppp8 LCP: I CONFREQ [ACKrcvd] id 3 len 18
*Jan 18 23:43:22.215: ppp8 LCP: MRU 1500 (0x010405DC)
*Jan 18 23:43:22.215: ppp8 LCP: MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.215: ppp8 LCP: PFC (0x0702)
*Jan 18 23:43:22.215: ppp8 LCP: ACFC (0x0802)
*Jan 18 23:43:22.215: ppp8 LCP: O CONFACK [ACKrcvd] id 3 len 18
*Jan 18 23:43:22.215: ppp8 LCP: MRU 1500 (0x010405DC)
*Jan 18 23:43:22.215: ppp8 LCP: MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.215: ppp8 LCP: PFC (0x0702)
*Jan 18 23:43:22.215: ppp8 LCP: ACFC (0x0802)
*Jan 18 23:43:22.219: ppp8 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
*Jan 18 23:43:22.219: ppp8 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x48C56584MSRASV5.20
*Jan 18 23:43:22.219: ppp8 LCP: I IDENTIFY [Open] id 5 len 20 magic 0x48C56584MSRAS-0-MIS4
*Jan 18 23:43:22.219: ppp8 LCP: I IDENTIFY [Open] id 6 len 24 magic 0x48C56584qYGSQK'IGC"xKt6e
*Jan 18 23:43:22.239: ppp8 PPP: Phase is AUTHENTICATING, by this end
*Jan 18 23:43:22.239: ppp8 MS-CHAP-V2: O CHALLENGE id 1 len 28 from "NTCSYD2"
*Jan 18 23:43:22.239: ppp8 LCP: State is Open
*Jan 18 23:43:22.243: ppp8 MS-CHAP-V2: I RESPONSE id 1 len 67 from "administrator"
*Jan 18 23:43:22.243: ppp8 PPP: Phase is FORWARDING, Attempting Forward
*Jan 18 23:43:22.247: ppp8 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Jan 18 23:43:22.247: ppp8 PPP: Sent MSCHAP_V2 LOGIN Request
*Jan 18 23:43:22.251: ppp8 PPP: Received LOGIN Response FAIL
*Jan 18 23:43:22.255: ppp8 MS-CHAP-V2: O FAILURE id 1 len 13 msg is "E=691 R=0"
*Jan 18 23:43:22.255: ppp8 PPP DISC: User failed MSCHAP-V2 authentication
*Jan 18 23:43:22.255: ppp8 PPP: Sending Acct Event[Down] id[2A]
*Jan 18 23:43:22.255: ppp8 LCP: O TERMREQ [Open] id 2 len 4
*Jan 18 23:43:22.255: ppp8 LCP: Event[CLOSE] State[Open to Closing]
*Jan 18 23:43:22.255: ppp8 PPP: Phase is TERMINATING
*Jan 18 23:43:22.259: ppp8 LCP: I TERMACK [Closing] id 2 len 4
*Jan 18 23:43:22.259: ppp8 LCP: Event[Receive TermAck] State[Closing to Closed]
*Jan 18 23:43:22.259: ppp8 LCP: Event[DOWN] State[Closed to Initial]
*Jan 18 23:43:22.259: ppp8 PPP: Phase is DOWN
Any help would be extremely appreciated.
Cheers,
Fabio
01-18-2011 05:17 PM
It would appear that the users are failing to authenticate. What are you using to authenticate the users? Do you have a default aaa authentication pool that is checking the ms-chap-v2 usernames against radius via AD?
01-18-2011 07:09 PM
Hi,
Thanks for your reply.
AAA authentication is local. It used to be:
aaa authentication ppp local
but now I have changed it to:
aaa authentication login Users_DataBase local
aaa authentication ppp Users_DataBase local
aaa authorization network default if-authenticated
and I also edited the Virtual-Template interface:
interface Virtual-Template1
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool POOL_IP
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 ms-chap Users_DataBase
cheers,
Fabio
*Jan 19 02:51:53.423: PPP: Alloc Context [4670C550]
*Jan 19 02:51:53.423: ppp14 PPP: Phase is ESTABLISHING
*Jan 19 02:51:53.423: ppp14 PPP: Using AAA Unique Id = 58
*Jan 19 02:51:53.423: ppp14 PPP: Authorization required
*Jan 19 02:51:53.423: ppp14 PPP: Using vpn set call direction
*Jan 19 02:51:53.423: ppp14 PPP: Treating connection as a callin
*Jan 19 02:51:53.423: ppp14 PPP: Session handle[500000E] Session id[14]
*Jan 19 02:51:53.423: ppp14 LCP: Event[OPEN] State[Initial to Starting]
*Jan 19 02:51:53.423: ppp14 PPP LCP: Enter passive mode, state[Stopped]
*Jan 19 02:51:53.675: ppp14 LCP: I CONFREQ [Stopped] id 0 len 21
*Jan 19 02:51:53.675: ppp14 LCP: MRU 1400 (0x01040578)
*Jan 19 02:51:53.675: ppp14 LCP: MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.675: ppp14 LCP: PFC (0x0702)
*Jan 19 02:51:53.675: ppp14 LCP: ACFC (0x0802)
*Jan 19 02:51:53.675: ppp14 LCP: Callback 6 (0x0D0306)
*Jan 19 02:51:53.675: ppp14 LCP: O CONFREQ [Stopped] id 1 len 15
*Jan 19 02:51:53.675: ppp14 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 19 02:51:53.675: ppp14 LCP: MagicNumber 0x37BD5A09 (0x050637BD5A09)
*Jan 19 02:51:53.675: ppp14 LCP: O CONFREJ [Stopped] id 0 len 7
*Jan 19 02:51:53.675: ppp14 LCP: Callback 6 (0x0D0306)
*Jan 19 02:51:53.675: ppp14 LCP: Event[Receive ConfReq-] State[Stopped to REQsent]
*Jan 19 02:51:53.679: ppp14 LCP: I CONFACK [REQsent] id 1 len 15
*Jan 19 02:51:53.679: ppp14 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 19 02:51:53.679: ppp14 LCP: MagicNumber 0x37BD5A09 (0x050637BD5A09)
*Jan 19 02:51:53.679: ppp14 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
*Jan 19 02:51:53.679: ppp14 LCP: I CONFREQ [ACKrcvd] id 1 len 18
*Jan 19 02:51:53.679: ppp14 LCP: MRU 1400 (0x01040578)
*Jan 19 02:51:53.679: ppp14 LCP: MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.679: ppp14 LCP: PFC (0x0702)
*Jan 19 02:51:53.679: ppp14 LCP: ACFC (0x0802)
*Jan 19 02:51:53.679: ppp14 LCP: O CONFNAK [ACKrcvd] id 1 len 8
*Jan 19 02:51:53.679: ppp14 LCP: MRU 1500 (0x010405DC)
*Jan 19 02:51:53.679: ppp14 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Jan 19 02:51:53.683: ppp14 LCP: I CONFREQ [ACKrcvd] id 2 len 18
*Jan 19 02:51:53.683: ppp14 LCP: MRU 1400 (0x01040578)
*Jan 19 02:51:53.683: ppp14 LCP: MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.683: ppp14 LCP: PFC (0x0702)
*Jan 19 02:51:53.683: ppp14 LCP: ACFC (0x0802)
*Jan 19 02:51:53.683: ppp14 LCP: O CONFNAK [ACKrcvd] id 2 len 8
*Jan 19 02:51:53.683: ppp14 LCP: MRU 1500 (0x010405DC)
*Jan 19 02:51:53.683: ppp14 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Jan 19 02:51:53.687: ppp14 LCP: I CONFREQ [ACKrcvd] id 3 len 18
*Jan 19 02:51:53.687: ppp14 LCP: MRU 1500 (0x010405DC)
*Jan 19 02:51:53.687: ppp14 LCP: MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.687: ppp14 LCP: PFC (0x0702)
*Jan 19 02:51:53.687: ppp14 LCP: ACFC (0x0802)
*Jan 19 02:51:53.687: ppp14 LCP: O CONFACK [ACKrcvd] id 3 len 18
*Jan 19 02:51:53.687: ppp14 LCP: MRU 1500 (0x010405DC)
*Jan 19 02:51:53.687: ppp14 LCP: MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.687: ppp14 LCP: PFC (0x0702)
*Jan 19 02:51:53.687: ppp14 LCP: ACFC (0x0802)
*Jan 19 02:51:53.687: ppp14 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
*Jan 19 02:51:53.691: ppp14 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x70A62CD9MSRASV5.20
*Jan 19 02:51:53.691: ppp14 LCP: I IDENTIFY [Open] id 5 len 20 magic 0x70A62CD9MSRAS-0-MIS4
*Jan 19 02:51:53.691: ppp14 LCP: I IDENTIFY [Open] id 6 len 24 magic 0x70A62CD9h/Ys+.M]C#K+BpY
*Jan 19 02:51:53.695: ppp14 PPP: Phase is AUTHENTICATING, by this end
*Jan 19 02:51:53.695: ppp14 MS-CHAP-V2: O CHALLENGE id 1 len 28 from "NTCSYD2"
*Jan 19 02:51:53.695: ppp14 LCP: State is Open
*Jan 19 02:51:53.695: ppp14 MS-CHAP-V2: I RESPONSE id 1 len 67 from "administrator"
*Jan 19 02:51:53.699: ppp14 PPP: Phase is FORWARDING, Attempting Forward
*Jan 19 02:51:53.699: ppp14 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Jan 19 02:51:53.699: ppp14 PPP: Sent MSCHAP_V2 LOGIN Request
*Jan 19 02:51:53.707: ppp14 PPP: Received LOGIN Response FAIL
*Jan 19 02:51:53.707: ppp14 PPP AUTHOR: Author Data NOT Available
*Jan 19 02:51:53.707: ppp14 PPP: Receive Attrs from[authen] Keep[LCP] MERGE
*Jan 19 02:51:53.707: ppp14 PPP: Keep Attr: Framed-Protocol 1 [PPP]
*Jan 19 02:51:53.707: ppp14 PPP: Skip Attr: username "administrator"
*Jan 19 02:51:53.707: ppp14 PPP: Skip Attr: challenge
*Jan 19 02:51:53.707: ppp14 PPP: Skip Attr: id
*Jan 19 02:51:53.707: ppp14 PPP: Skip Attr: response
*Jan 19 02:51:53.711: ppp14 MS-CHAP-V2: O FAILURE id 1 len 13 msg is "E=691 R=0"
*Jan 19 02:51:53.711: ppp14 PPP DISC: User failed MSCHAP-V2 authentication
*Jan 19 02:51:53.711: ppp14 PPP: Sending Acct Event[Down] id[58]
*Jan 19 02:51:53.711: ppp14 LCP: O TERMREQ [Open] id 2 len 4
*Jan 19 02:51:53.711: ppp14 LCP: Event[CLOSE] State[Open to Closing]
*Jan 19 02:51:53.711: ppp14 PPP: Phase is TERMINATING
*Jan 19 02:51:53.715: ppp14 LCP: I TERMACK [Closing] id 2 len 4
*Jan 19 02:51:53.715: ppp14 LCP: Event[Receive TermAck] State[Closing to Closed]
*Jan 19 02:51:53.715: ppp14 LCP: Event[DOWN] State[Closed to Initial]
*Jan 19 02:51:53.715: ppp14 PPP: Clearing AAA Unique Id = 58
*Jan 19 02:51:53.715: ppp14 PPP: Phase is DOWN
I can see from the debug messages that I'm not authenticating, but I wonder why? The local username and password that I'm using to authenticate are the same ones I use for my VTY access....
Thanks
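The debug output above already contains the answer to "why": the router negotiated MS-CHAP-V2 in LCP, received the peer's response, forwarded it to AAA ("Sent MSCHAP_V2 LOGIN Request"), and AAA answered FAIL, which the router reported back to the client as "E=691 R=0". As an added example (not from any poster in this thread), the following Python script reduces such a debug capture to those facts and names the failure code. The sample lines are a constructed, condensed copy of the capture in the post above; the error-code table is the one defined in RFC 2759, section 6.

```python
import re

# Constructed sample: a condensed copy of the "debug ppp authentication /
# negotiation" lines quoted in the post above (values copied from the post).
SAMPLE_DEBUG = """\
*Jan 19 02:51:53.423: PPP: Alloc Context [4670C550]
*Jan 19 02:51:53.675: ppp14 LCP: O CONFREQ [Stopped] id 1 len 15
*Jan 19 02:51:53.675: ppp14 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 19 02:51:53.679: ppp14 LCP: I CONFACK [REQsent] id 1 len 15
*Jan 19 02:51:53.695: ppp14 PPP: Phase is AUTHENTICATING, by this end
*Jan 19 02:51:53.695: ppp14 MS-CHAP-V2: O CHALLENGE id 1 len 28 from "NTCSYD2"
*Jan 19 02:51:53.695: ppp14 MS-CHAP-V2: I RESPONSE id 1 len 67 from "administrator"
*Jan 19 02:51:53.699: ppp14 PPP: Sent MSCHAP_V2 LOGIN Request
*Jan 19 02:51:53.707: ppp14 PPP: Received LOGIN Response FAIL
*Jan 19 02:51:53.711: ppp14 MS-CHAP-V2: O FAILURE id 1 len 13 msg is "E=691 R=0"
*Jan 19 02:51:53.711: ppp14 PPP DISC: User failed MSCHAP-V2 authentication
*Jan 19 02:51:53.715: ppp14 PPP: Phase is DOWN
"""

# Failure codes carried in the MS-CHAP-V2 Failure packet (RFC 2759, section 6).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# "*Jan 19 02:51:53.675: ppp14 LCP: ..." -> session "ppp14", body "LCP: ..."
LINE_RE = re.compile(r"^\*?[A-Za-z]{3} +\d+ [\d:.]+: (ppp\d+) (.+)$")
RESPONSE_RE = re.compile(r'I RESPONSE id \d+ len \d+ from "([^"]*)"')
FAILURE_RE = re.compile(r'O FAILURE .* msg is "E=(\d+) R=(\d)')
AUTHPROTO_RE = re.compile(r"AuthProto (\S+)")


def parse_ppp_session(debug_text):
    """Reduce one PPP session's debug output to the facts that matter for
    troubleshooting authentication."""
    s = {
        "session": None,
        "auth_proto": None,         # protocol the router asked the peer to use
        "auth_proto_acked": False,  # peer accepted that protocol in LCP
        "username": None,
        "backend_result": None,     # what AAA answered to the LOGIN request
        "failure_code": None,
        "failure_name": None,
        "retry_allowed": None,
        "phases": [],
    }
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines without a per-session "pppN" prefix
        s["session"], body = m.groups()
        if "Phase is" in body:
            s["phases"].append(body.split("Phase is", 1)[1].split(",")[0].strip())
        elif AUTHPROTO_RE.search(body):
            s["auth_proto"] = AUTHPROTO_RE.search(body).group(1)
        elif "I CONFACK" in body and s["auth_proto"]:
            s["auth_proto_acked"] = True
        elif RESPONSE_RE.search(body):
            s["username"] = RESPONSE_RE.search(body).group(1)
        elif "Received LOGIN Response" in body:
            s["backend_result"] = body.rsplit(" ", 1)[1]
        elif FAILURE_RE.search(body):
            code, retry = FAILURE_RE.search(body).groups()
            s["failure_code"] = int(code)
            s["failure_name"] = MSCHAP_ERROR_CODES.get(int(code), "UNKNOWN")
            s["retry_allowed"] = retry == "1"
    return s


def explain(s):
    """One-line diagnosis suitable for a ticket note."""
    if s["failure_code"] is None:
        return f"{s['session']}: no MS-CHAP failure recorded"
    if s["backend_result"]:
        where = (f"the AAA backend answered {s['backend_result']}, so the credentials "
                 "were rejected rather than the backend being unreachable")
    else:
        where = "no AAA backend answer seen"
    return (f"{s['session']}: user {s['username']!r} failed {s['auth_proto']} "
            f"with E={s['failure_code']} ({s['failure_name']}); {where}")


if __name__ == "__main__":
    print(explain(parse_ppp_session(SAMPLE_DEBUG)))
```

The distinction the script draws in its last line is the one that matters for the AAA discussion that follows in this thread: a backend that answers FAIL is a credential problem on that backend, not a reachability problem, so no later method in the list is ever consulted.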
01-18-2011 07:22 PM
Hi Fabio,
What do you have your AAA server configured as? Could you please post the configuration of the same.
I see you have configured:
aaa authentication login Users_DataBase local
aaa authentication ppp Users_DataBase local
Here the request will first hit your AAA server Users_DataBase. If this AAA server is not reachable, then it will fall back to local. But if the user credentials are not present on this AAA server, it will just say authentication failed; the fallback to local will not be hit.
You must have the user credentials defined on the AAA server.
Regards,
Anisha
01-19-2011 04:36 AM
Users_DataBase is the authentication group name, so you are fine leaving that the way it is. However, if you want the router to do local authentication you need to add chap to the Virtual-Template ppp authentication statement, because a Cisco router does not do ms-chap or ms-chapv2.
ppp authentication chap pap Users_DataBase
You can do ms-chap-v2 ms-chap, but you have to set up a RADIUS server that can authenticate ms-chap-v2 or ms-chap, like IAS.
01-19-2011 04:52 PM
Did that work for you?
01-19-2011 05:32 PM
Hi Mate,
Thanks for following it up. Your instructions made a lot of sense to me, but unfortunately it did not work... same error when running debugging... I thought it would be good to start with local authentication. However, my main goal is to use RADIUS. I've got RADIUS working, and it is currently authenticating wireless users that are connecting through a 1250 AP.
If you or anyone else could help me with a sample config for VPN using the PPTP protocol and RADIUS authentication, I would extremely appreciate it.
My IOS version: Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)
Thanks in advance.
Fabio
01-19-2011 07:34 PM
Hi,
Here is the link for PPTP configuration with RADIUS authentication:
Regards,
Anisha
P.S.: please rate the helpful posts.
01-19-2011 08:04 PM
The users in IOS have to have passwords and not secrets as well. I can help with the RADIUS as well if you need it.
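Two points made in this thread are easy to get wrong and worth seeing together: the method-list behaviour described earlier (a method that is unreachable returns an error and the next method is tried; a method that answers "reject" ends the attempt and nothing falls back to local), and the remark just above that a local account used for MS-CHAP must be created with `password` rather than `secret` (CHAP and MS-CHAP need the cleartext password on the verifier, while PAP can be checked against a one-way hash). The following Python model is an added example, not from any poster or from Cisco; it parses `aaa authentication ppp` lines into method lists and walks them with the PASS/FAIL/ERROR semantics above. The local accounts, the RADIUS group contents and their passwords are constructed; the rule that an unknown local user yields FAIL is an assumption of this model.

```python
from dataclasses import dataclass

# Protocols whose verifier must hold the cleartext password: CHAP hashes the
# shared secret with the challenge, MS-CHAP needs the NT hash of the password.
# PAP only compares what the client sends, so it works against a stored hash.
CLEARTEXT_PROTOS = {"chap", "ms-chap", "ms-chap-v2"}


@dataclass
class LocalUser:
    name: str
    password: str
    kind: str   # "password" (username X password ...) or "secret" (username X secret ...)


@dataclass
class ServerGroup:
    reachable: bool
    users: dict   # username -> password the server holds


def parse_method_list(cfg_line):
    """'aaa authentication ppp <list> <method>...' -> (<list>, [methods]).
    'group <name>' is one method; every other token is a single method keyword."""
    tokens = cfg_line.split()
    if tokens[:3] != ["aaa", "authentication", "ppp"]:
        raise ValueError("not a ppp authentication list: " + cfg_line)
    name, rest, methods = tokens[3], tokens[4:], []
    i = 0
    while i < len(rest):
        if rest[i] == "group":
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return name, methods


def run_method(method, username, password, proto, local_users, groups):
    """Outcome of one method: PASS, FAIL (method answered, credentials bad) or
    ERROR (method could not answer). Only ERROR lets the walk continue."""
    if method == "local":
        user = local_users.get(username)
        if user is None:
            return "FAIL", "user not in local database"   # assumption of this model
        if proto in CLEARTEXT_PROTOS and user.kind == "secret":
            return "FAIL", f"{proto} needs the cleartext password; 'secret' is a one-way hash"
        if user.password == password:
            return "PASS", "local credentials matched"
        return "FAIL", "wrong password"
    if method.startswith("group "):
        grp = groups.get(method.split(" ", 1)[1])
        if grp is None or not grp.reachable:
            return "ERROR", "no server in the group answered"
        if grp.users.get(username) == password:
            return "PASS", "accepted by server"
        return "FAIL", "rejected by server"
    if method == "none":
        return "PASS", "no authentication required"
    return "ERROR", "method not modelled"


def authenticate(methods, username, password, proto, local_users, groups):
    """Walk the list in order and stop at the first PASS or FAIL."""
    trail = []
    for method in methods:
        verdict, reason = run_method(method, username, password, proto, local_users, groups)
        trail.append((method, verdict, reason))
        if verdict != "ERROR":
            return verdict, trail
    return "ERROR", trail   # every method errored: the session is denied


# Constructed data: one local account created with 'secret', one with 'password',
# and a RADIUS group that knows only the 'fabio' account.
LOCAL_USERS = {
    "administrator": LocalUser("administrator", "Adm1n!", "secret"),
    "fabio": LocalUser("fabio", "Ppp-0nly", "password"),
}
GROUPS = {"radius": ServerGroup(reachable=True, users={"fabio": "Ppp-0nly"})}

if __name__ == "__main__":
    name, methods = parse_method_list(
        "aaa authentication ppp default group radius group Users_DataBase local")
    print(name, methods)
    for user, pw, proto in [("administrator", "Adm1n!", "ms-chap-v2"),
                            ("administrator", "Adm1n!", "pap"),
                            ("fabio", "Ppp-0nly", "ms-chap-v2")]:
        print(user, proto, authenticate(methods, user, pw, proto, LOCAL_USERS, GROUPS))
```

Running the model against the working list posted later in this thread shows why it behaves as reported: a reachable RADIUS server decides the outcome for every MS-CHAP user it knows about, and `local` is only reached when every group in front of it fails to answer.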
01-19-2011 09:19 PM
I managed to get it working with RADIUS. I struggled, but in the end it is very rewarding to get this kind of stuff working....
Thank you very much to all for your help!!!!!
Below is my working config:
aaa authentication login Users_DataBase local
aaa authentication ppp default group radius group Users_DataBase local
aaa authentication ppp Users_DataBase local
aaa authorization network default group radius group Users_DataBase local
!
vpdn-group 1
 ! Default L2TP VPDN group
 ! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 lcp renegotiation always
 no l2tp tunnel authentication
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool POOL_IP
 no keepalive
 compress mppc
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool POOL_IP 192.168.42.50 192.168.42.100
radius-server host 0.0.0.0 auth-port 1645 acct-port 1646 key xxxxxxxxx
Cheers,
Fabio
01-19-2011 09:31 PM
Hi Fabio,
That's great. Please rate and mark this thread answered, so that it is easy for others to search as well.
Regards,
Anisha