11-10-2004 01:53 PM
I get this "Error 778: It was not possible to verify the identity of the server" when I connect to my RAS which is connected to a radius server.
11-10-2004 04:10 PM
Will need to see the running config, also debug outputs for the failed call:
Depending on which platform or modems are in use
deb modem
deb modem csm or deb csm modem
deb spe modem stat
deb ppp nego
deb aaa authen / deb aaa author / deb radius
Does the call work fine when authentication is done locally on the router?
Thanks, Mak
11-11-2004 07:30 AM
Yes, authentication works using local database.
The MS pop up window shows Error 778 right after username and password authentication process.
Here is the running config:
sh run
Building configuration...
!
hostname hq-dial-gw3
!
boot-start-marker
no boot startup-test
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
enable secret xxxx
!
username xxxx password xxxx
username xxxx password xxx
!
!
resource-pool disable
clock timezone Pacific -8
spe default-firmware spe-firmware-1
aaa new-model
!
!
aaa authentication login default local line group radius
aaa authentication login cdflogin local group radius
aaa authentication ppp analogdial group radius local
aaa session-id common
ip subnet-zero
ip cef
no ip domain lookup
!
ip dhcp-server 165.105.49.20
async-bootp dns-server 165.105.1.20 165.105.1.38
async-bootp nbns-server 165.105.1.20
isdn switch-type primary-ni
isdn voice-call-failure 0
!
!
!
!
controller T1 3/0
framing esf
linecode b8zs
pri-group timeslots 1-24
description PRI Ckt PB# 15HCFS000045-001PT
!
controller T1 3/1
framing esf
linecode b8zs
description PRI Ckt PB# 15HCFS000045-002PT
!
controller T1 3/2
framing esf
linecode b8zs
description PRI Ckt PB# 15HCFS000045-003PT
!
controller T1 3/3
framing esf
linecode b8zs
pri-group timeslots 1-24
description PRI Ckt PB# 15HCFS000045-004PT
!
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip helper-address 165.105.49.20
no ip route-cache
duplex full
speed 100
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
interface Serial3/0:23
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-ni
isdn incoming-voice modem
no fair-queue
!
interface Serial3/3:23
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-ni
isdn incoming-voice modem
no fair-queue
!
interface Group-Async1
ip unnumbered FastEthernet0/0
ip helper-address 165.105.49.20
encapsulation ppp
dialer in-band
dialer idle-timeout 3600
async default routing
async mode dedicated
peer default ip address dhcp
ppp max-bad-auth 9
ppp authentication ms-chap-v2 analogdial
group-range 1/00 2/107
!
interface Dialer1
ip unnumbered FastEthernet0/0
ip helper-address 172.16.162.10
encapsulation ppp
dialer in-band
dialer idle-timeout 300
dialer-group 1
peer default ip address dhcp
no fair-queue
ppp authentication ms-chap-v2 analogdial
ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.254
no ip http server
!
!
!
radius-server host 165.105.1.20 auth-port 1645 acct-port 1646 non-standard
radius-server host 165.105.49.20 auth-port 1645 acct-port 1646 non-standard
radius-server timeout 15
radius-server key DIAL4cisco
radius-server vsa send authentication
!
voice-port 3/0:D
!
line con 0
password xxxx
login authentication local
line aux 0
password xxxx
modem InOut
transport input all
flowcontrol hardware
line vty 0 4
password cnsc1
transport input all
line 1/00 2/107
no modem callout
modem Dialin
11-11-2004 07:54 AM
You have configured for mschap-v2; there is a known issue that was caused by CSCeb73055 and fixed by CSCec12645.
The following IOS images onwards should have the fix committed; 12.3(02)T09 /12.3(07)XI / 12.3(04.04)B / 12.3(03.09)T02 / 012.003(004.002) / 12.3(03.08)PI02
A possible workaround is to enable network authorization (aaa authorization network xxxxxxx).
What IOS image do you presently have on the RAS?
Thanks, Mak
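A way to check a saved running config for the condition described in the reply above (ms-chap-v2 PPP authentication through a RADIUS method list, with no "aaa authorization network" line), as an added example that is not part of the original posts or of any Cisco tool. The function name and the trimmed sample config are constructed for illustration.

```python
PROTOCOLS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap"}
OPTIONS = {"if-needed", "callin", "one-time", "optional"}

# Constructed sample: only the lines of the posted config that matter here.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp analogdial group radius local
!
interface Group-Async1
 encapsulation ppp
 ppp authentication ms-chap-v2 analogdial
!
interface Dialer1
 encapsulation ppp
 ppp authentication ms-chap-v2 analogdial
 ppp multilink
!
"""

def audit_mschapv2(config):
    """List (interface, method list) pairs that do MS-CHAPv2 against RADIUS
    while the config has no 'aaa authorization network' line."""
    ppp_lists, chap_ifaces = {}, []
    net_author, iface = False, None
    for raw in config.splitlines():
        line = raw.strip()  # works with or without IOS indentation
        if line.startswith("aaa authentication ppp "):
            name, *methods = line.split()[3:]
            ppp_lists[name] = methods
        elif line.startswith("aaa authorization network "):
            net_author = True
        elif line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "!":
            iface = None
        elif iface and line.startswith("ppp authentication "):
            tokens = line.split()[2:]
            if "ms-chap-v2" in tokens:
                # Whatever is neither a protocol nor an option keyword is the list name.
                names = [t for t in tokens if t not in PROTOCOLS | OPTIONS]
                chap_ifaces.append((iface, names[0] if names else "default"))
    if net_author:
        return []
    # Assumption: a method list counts as RADIUS-backed if it names "radius".
    return [(i, n) for i, n in chap_ifaces if "radius" in ppp_lists.get(n, [])]

if __name__ == "__main__":
    for iface, name in audit_mschapv2(SAMPLE_CONFIG):
        print(f"{iface}: ms-chap-v2 via RADIUS list '{name}', no network authorization")
```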
11-11-2004 09:36 AM
Thank you for this info.
Here is the image in AS5350:
c5350-is-mz.123-3g.bin
11-11-2004 09:53 AM
Ok since the bug is fixed in 12.3(004.002) & you have 12.3(3g) you will need to upgrade the IOS image.
12.3(5d) is the next available or go to 12.3(10a) which is the latest in that train.
Did you try out the workaround?
Thanks, Mak
11-11-2004 10:41 AM
I tried the workaround as you suggested and it seemed to work now. At least when I RAS'd into the network I got authenticated and registered.
I will have to wait for the customer to try himself using known users in their domain.
Will keep you posted.
Thanks for your help.