RAS user fails Authentication

Acanio
Level 1

I get this "Error 778: It was not possible to verify the identity of the server" when I connect to my RAS which is connected to a radius server.

makchitale
Level 6

Will need to see the running config, also debug outputs for the failed call:

Depending on which platform or modems are in use

deb modem

deb modem csm or deb csm modem

deb spe modem stat

deb ppp nego

deb aaa authen / deb aaa author / deb radius

Does the call work fine when authentication is done locally on the router?

Thanks, Mak

Yes, authentication works using local database.

The MS pop up window shows Error 778 right after username and password authentication process.

Here is the running config:

sh run
Building configuration...
!
hostname hq-dial-gw3
!
boot-start-marker
no boot startup-test
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
enable secret xxxx
!
username xxxx password xxxx
username xxxx password xxx
!
!
resource-pool disable
clock timezone Pacific -8
spe default-firmware spe-firmware-1
aaa new-model
!
!
aaa authentication login default local line group radius
aaa authentication login cdflogin local group radius
aaa authentication ppp analogdial group radius local
aaa session-id common
ip subnet-zero
ip cef
no ip domain lookup
!
ip dhcp-server 165.105.49.20
async-bootp dns-server 165.105.1.20 165.105.1.38
async-bootp nbns-server 165.105.1.20
isdn switch-type primary-ni
isdn voice-call-failure 0
!
!
!
!
controller T1 3/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
 description PRI Ckt PB# 15HCFS000045-001PT
!
controller T1 3/1
 framing esf
 linecode b8zs
 description PRI Ckt PB# 15HCFS000045-002PT
!
controller T1 3/2
 framing esf
 linecode b8zs
 description PRI Ckt PB# 15HCFS000045-003PT
!
controller T1 3/3
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
 description PRI Ckt PB# 15HCFS000045-004PT
!
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 165.105.49.20
 no ip route-cache
 duplex full
 speed 100
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface Serial3/0:23
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-ni
 isdn incoming-voice modem
 no fair-queue
!
interface Serial3/3:23
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-ni
 isdn incoming-voice modem
 no fair-queue
!
interface Group-Async1
 ip unnumbered FastEthernet0/0
 ip helper-address 165.105.49.20
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 3600
 async default routing
 async mode dedicated
 peer default ip address dhcp
 ppp max-bad-auth 9
 ppp authentication ms-chap-v2 analogdial
 group-range 1/00 2/107
!
interface Dialer1
 ip unnumbered FastEthernet0/0
 ip helper-address 172.16.162.10
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 300
 dialer-group 1
 peer default ip address dhcp
 no fair-queue
 ppp authentication ms-chap-v2 analogdial
 ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.254
no ip http server
!
!
!
radius-server host 165.105.1.20 auth-port 1645 acct-port 1646 non-standard
radius-server host 165.105.49.20 auth-port 1645 acct-port 1646 non-standard
radius-server timeout 15
radius-server key DIAL4cisco
radius-server vsa send authentication
!
voice-port 3/0:D
!
line con 0
 password xxxx
 login authentication local
line aux 0
 password xxxx
 modem InOut
 transport input all
 flowcontrol hardware
line vty 0 4
 password cnsc1
 transport input all
line 1/00 2/107
 no modem callout
 modem Dialin

You have configured for mschap-v2; there is a known issue that was caused by CSCeb73055 and fixed by CSCec12645.

The following IOS images onwards should have the fix committed: 12.3(02)T09 / 12.3(07)XI / 12.3(04.04)B / 12.3(03.09)T02 / 012.003(004.002) / 12.3(03.08)PI02

A possible workaround is to enable network authorization (aaa authorization network xxxxxxx).

What IOS image do you presently have on the RAS?

Thanks, Mak
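
An added example, not part of the original thread and not Cisco tooling: a Python check for the condition described in the reply above, listing interfaces that run MS-CHAPv2 against a RADIUS-backed PPP method list with no network authorization list in effect. The sample config is constructed from the one posted earlier; the function name, and the rule that a named authorization list only counts when the interface applies it with `ppp authorization`, are assumptions of this example.

```python
PROTOCOLS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap"}
OPTIONS = {"if-needed", "callin", "one-time", "optional"}

# Constructed sample, modelled on the running config posted in this thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp analogdial group radius local
!
interface Group-Async1
 encapsulation ppp
 ppp authentication ms-chap-v2 analogdial
!
interface Dialer1
 encapsulation ppp
 ppp authentication ms-chap-v2 analogdial
!
interface FastEthernet0/1
 no ip address
"""

def audit_mschapv2(config):
    """Return interfaces using MS-CHAPv2 with a RADIUS method list and no
    'aaa authorization network' list in effect (hypothetical helper)."""
    authn, authz, ifaces, cur = {}, set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if line.startswith("aaa authentication ppp ") and len(words) > 4:
            authn[words[3]] = words[4:]          # list name -> methods
        elif line.startswith("aaa authorization network ") and len(words) > 4:
            authz.add(words[3])                  # defined authorization lists
        elif line.startswith("interface "):
            cur = ifaces.setdefault(
                words[1], {"protos": set(), "authn": "default", "authz": "default"})
        elif line == "!":                        # '!' closes the interface section
            cur = None
        elif cur is not None and line.startswith("ppp authentication "):
            args = words[2:]
            cur["protos"] = {a for a in args if a in PROTOCOLS}
            names = [a for a in args if a not in PROTOCOLS | OPTIONS]
            cur["authn"] = names[0] if names else "default"
        elif cur is not None and line.startswith("ppp authorization"):
            cur["authz"] = words[2] if len(words) > 2 else "default"
    return [name for name, i in ifaces.items()
            if "ms-chap-v2" in i["protos"]
            and "radius" in authn.get(i["authn"], [])
            and i["authz"] not in authz]

if __name__ == "__main__":
    print(audit_mschapv2(SAMPLE_CONFIG))
```

The parser keys on `!` separators rather than indentation, so it also works on pasted configs that have lost their leading spaces.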

Thank you for this info.

Here is the image in AS5350:

c5350-is-mz.123-3g.bin

Ok since the bug is fixed in 12.3(004.002) & you have 12.3(3g) you will need to upgrade the IOS image.

12.3(5d) is the next available or go to 12.3(10a) which is the latest in that train.

Did you try out the workaround?

Thanks, Mak

I tried the workaround as you suggested and it seemed to work now. At least when I RAS'd into the network I got authenticated and registered.

I will have to wait for the customer to try himself using known users in their domain.

Will keep you posted.

Thanks for your help.