Re: TACACS+ & ISDN authentication probs

brymiller · ‎10-08-2005

R5 dials R2.

R2 is supposed to authenticate R5 and then callback to R5.

So far I see that the problem is the ACS tacacs+ server. Authentication failed...

03:52:55: TPLUS: Using server 10.1.1.100

03:52:55: TPLUS(00000070)/0/NB_WAIT/65435178: Started 20 sec timeout

03:52:55: TPLUS(00000070)/0/NB_WAIT: socket event 2

03:52:55: TPLUS(00000070)/0/NB_WAIT: wrote entire 85 bytes request

03:52:55: TPLUS(00000070)/0/READ: socket event 1

03:52:55: TPLUS(00000070)/0/READ: Would block while reading

03:52:55: TPLUS(00000070)/0/READ: socket event 1

03:52:55: TPLUS(00000070)/0/READ: read 0 bytes

R2#

*Oct 8 21:54:35.543: %ISDN-6-CONNECT: Interface BRI0/0/0:1 is now connected to 8358664 unknown

R2#

03:53:04: BR0/0/0:1 AUTH: Timeout 1

03:53:04: BR0/0/0:1 CHAP: I RESPONSE id 97 len 28 from "Router5"

03:53:04: BR0/0/0:1 CHAP: Ignoring Additional Response

R2#

03:53:15: TPLUS(00000070)/0/READ/65435178: timed out

03:53:15: TPLUS: Authentication start packet created for 112(Router5)

03:53:15: TPLUS(00000070)/0/READ/65435178: timed out, clean up

03:53:15: TPLUS(00000070)/0/65435178: Processing the reply packet

03:53:15: BR0/0/0:1 PPP: Received LOGIN Response FAIL

03:53:15: BR0/0/0:1 CHAP: O FAILURE id 97 len 25 msg is "Authentication failed"

03:53:15: BR0/0/0:1 PPP: Sending Acct Event[Down] id[70]

03:53:15: BR0/0/0:1 PPP: Phase is TERMINATING

My ACS server seems to be configured properly. And of course the passwords match. But I still can't get this thing working.

The configs are a bit sloppy because I'm tryig to troubleshoot this one authentication issue.

TIA

Here are the configs:

hostname R2

!

aaa new-model

!

aaa authentication ppp ISDN group tacacs+

aaa authorization network ISDN group tacacs+

!

isdn switch-type basic-ni

!

interface BRI0/0/0

ip address 150.50.25.2 255.255.255.0

encapsulation ppp

ip ospf demand-circuit

dialer map ip 150.50.25.5 name Router5 broadcast 8358662

dialer-group 1

isdn switch-type basic-ni

isdn spid1 0835866101

isdn spid2 0835866301

ppp authentication chap ISDN

ppp chap hostname R2

ppp chap password 0 ccie

!

tacacs-server host 10.1.1.100

tacacs-server timeout 20

tacacs-server directed-request

tacacs-server key ccie

hostname R5

!

aaa new-model

!

isdn switch-type basic-ni

!

interface BRI0/0/0

ip address 150.50.25.5 255.255.255.0

encapsulation ppp

ip ospf demand-circuit

dialer map ip 150.50.25.2 name R2 broadcast 8358661

dialer-group 1

isdn switch-type basic-ni

isdn spid1 0835866201

isdn spid2 0835866401

ppp callback request

ppp authentication chap callin

ppp chap hostname Router5

ppp chap password 0 ccie

!

dialer-list 1 protocol ip permit

!

Richard Burts · ‎10-09-2005

Bryan

I see that you have configured R2 for CHAP authentication for PPP. In my experience using CHAP when going to TACACS is problematic while PAP works well. Since TACACS will encrypt the password being sent to the authentication server you have adequate protection with PAP and do not need the complexity of CHAP. Specifying CHAP which will also encrypt the password is overkill and CHAP wanting to do the challenge/challenge response processing does not work with TACACS.

I suggest that you change the authentication from CHAP to PAP and see if it does not work better.

The other solution that I can think of would be to change the configuration of R2 so that it does not do TACACS for PPP and does local authentication instead. I would do this if there is a particular reason why you want CHAP instead of PAP.

Let us know how you work this out.

HTH

Rick

HTH

Rick