PPTP VPN on 877 - Cannot authenticate using MS-CHAP/MS-CHAP-V2

Unanswered Question
Oct 22nd, 2007
User Badges:

Hi everyone,

I would be very grateful if you could help me to solve this little problem:

I need to establish PPTP VPN to 877 modem/router from Internet.

The VPN client is a Windows XP standard VPN client.

I configured the router basing on the document:

"Configuring the Cisco Router and VPN Clients Using PPTP and MPPE"

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml


And... It works quite nice BUT only when I use PAP protocol to authenticate the user.

When I try to use 'MS-CHAP' or 'MS-CHAP v2' I get error 691 on the client side

("Access was denied because the username an/or password was invalid on the doman.")


and on the router in the debuging log I can see the following:


105556: Oct 23 09:31:46.425 PCTime: ppp615 PPP: Phase is AUTHENTICATING, Unauthenticated User

105557: Oct 23 09:31:46.425 PCTime: AAA/AUTHEN/PPP (0000013F): Pick method list 'default'

105558: Oct 23 09:31:46.425 PCTime: ppp615 PPP: Sent MSCHAP_V2 LOGIN Request

105559: Oct 23 09:31:46.433 PCTime: ppp615 PPP: Received LOGIN Response FAIL

105560: Oct 23 09:31:46.433 PCTime: ppp615 MS-CHAP-V2: O FAILURE id 1 len 13 msg is "E=691 R=0"

105561: Oct 23 09:31:46.433 PCTime: ppp615 PPP: Sending Acct Event[Down] id[13F]

105562: Oct 23 09:31:46.437 PCTime: ppp615 PPP: Phase is TERMINATING



Could enyone help me find where I have made a mistake in the configuration?

The running config of the router is attached.


Cheers,

Richard




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
vkapoor5 Fri, 10/26/2007 - 13:41
User Badges:
  • Bronze, 100 points or more

if you set the PC authentication protocols for Shiva PAP (SPAP) and Microsoft Challenge Authentication Protocol (MS-CHAP) version 2 (when the router is unable to do version 2), and you set the router for CHAP, then the debug ppp negotiation command on the router displays this output.


04:30:55: Vi1 LCP: Failed to negotiate with peer

ryszard.sidor Thu, 11/22/2007 - 15:47
User Badges:

Sorry,

but it looks like the answer is not completely related to my problem.

The 877 is unable to do version 2 (from what I know) and I have tried to connect having both the router and the PC set to use only MS-CHAP or MS-CHAP-V2 and still couldn't connect.


Ryszard

ryszard.sidor Sun, 11/25/2007 - 17:26
User Badges:

Problem resolved:


After spending some time on the phone with Cisco TAC it appeared that passwords for users that authenticate for PPTP VPN access could not be secret ones.

Funny is , that I couldn't find such trivial information anywhere...


Ryszard

jasonhumes Mon, 11/03/2008 - 11:41
User Badges:

Wow! THANKS! I've finally found this as a solution to a long time problem and this is NOWHERE in the docs or anyplace. So, to help with future searches... PPTP on an IOS router using LOCAL AUTHENTICATION will fail when using encrypted secrets rather than regular passwords. Thanks soooo much for this.


J

Flanger23 Wed, 10/15/2014 - 00:38
User Badges:

Even after 7 years this is a relevant and needed info, that saved me from a countless hours of debugging. Starred 5!

gherbstman Sat, 11/05/2011 - 06:04
User Badges:


This helpped me as well. Thanks! This (among other things) should get documented better by Cisco.


Gary

Byte solutions, Inc.

Actions

This Discussion