As5400 PPP MSCHAP Authentication failure

paul.coley · ‎11-08-2007

We use TAC AAA and that TAC box points to our Active directory for authentication. Only some users our having this issue and We have verified that those users are apart of the same group as users who are able to connect.

Nov 8 09:22:02 EST: As3/23 PPP: Using dialer call direction

Nov 8 09:22:02 EST: As3/23 PPP: Treating connection as a callin

Nov 8 09:22:02 EST: As3/23 PPP: Authorization required

Nov 8 09:22:02 EST: As3/23 DDR: Dialer statechange to up

Nov 8 09:22:02 EST: As3/23 DDR: Dialer received incoming call from <unknown>

Nov 8 09:22:03 EST: As3/23 MS-CHAP-V2: O CHALLENGE id 3 len 37 from "lclas5400d-on.ca"

Nov 8 09:22:03 EST: As3/23 MS-CHAP-V2: I RESPONSE id 3 len 61 from "bwillco"

Nov 8 09:22:03 EST: As3/23 PPP: Sent MSCHAP_V2 LOGIN Request

Nov 8 09:22:03 EST: As3/23 PPP: Received LOGIN Response FAIL

Nov 8 09:22:03 EST: As3/23 MS-CHAP-V2: O FAILURE id 3 len 13 msg is "E=691 R=0"

smahbub · ‎11-14-2007

Workaround: Do not use EAP. Rather, use CHAP, PAP, or MSCHAP, or configure EAP to authenticate locally by entering the ppp eap local command. Doing so requires AAA to be configured to authenticate PPP locally and the users that must be authenticated to be defined locally.

paul.phillips · ‎11-27-2007

Have you checked the IAS log for the matching MS-CHAP failure.

It could be a reversible password encryption issue with the AD user accounts.