10-08-2005 06:01 PM - edited 03-10-2019 02:20 PM
R5 dials R2.
R2 is supposed to authenticate R5 and then callback to R5.
So far I see that the problem is the ACS tacacs+ server. Authentication failed...
03:52:55: TPLUS: Using server 10.1.1.100
03:52:55: TPLUS(00000070)/0/NB_WAIT/65435178: Started 20 sec timeout
03:52:55: TPLUS(00000070)/0/NB_WAIT: socket event 2
03:52:55: TPLUS(00000070)/0/NB_WAIT: wrote entire 85 bytes request
03:52:55: TPLUS(00000070)/0/READ: socket event 1
03:52:55: TPLUS(00000070)/0/READ: Would block while reading
03:52:55: TPLUS(00000070)/0/READ: socket event 1
03:52:55: TPLUS(00000070)/0/READ: read 0 bytes
R2#
R2#
*Oct 8 21:54:35.543: %ISDN-6-CONNECT: Interface BRI0/0/0:1 is now connected to 8358664 unknown
R2#
03:53:04: BR0/0/0:1 AUTH: Timeout 1
03:53:04: BR0/0/0:1 CHAP: I RESPONSE id 97 len 28 from "Router5"
03:53:04: BR0/0/0:1 CHAP: Ignoring Additional Response
R2#
03:53:15: TPLUS(00000070)/0/READ/65435178: timed out
03:53:15: TPLUS: Authentication start packet created for 112(Router5)
03:53:15: TPLUS(00000070)/0/READ/65435178: timed out, clean up
03:53:15: TPLUS(00000070)/0/65435178: Processing the reply packet
03:53:15: BR0/0/0:1 PPP: Received LOGIN Response FAIL
03:53:15: BR0/0/0:1 CHAP: O FAILURE id 97 len 25 msg is "Authentication failed"
03:53:15: BR0/0/0:1 PPP: Sending Acct Event[Down] id[70]
03:53:15: BR0/0/0:1 PPP: Phase is TERMINATING
My ACS server seems to be configured properly. And of course the passwords match. But I still can't get this thing working.
The configs are a bit sloppy because I'm trying to troubleshoot this one authentication issue.
TIA
Here are the configs:
hostname R2
!
aaa new-model
!
aaa authentication ppp ISDN group tacacs+
aaa authorization network ISDN group tacacs+
!
isdn switch-type basic-ni
!
interface BRI0/0/0
ip address 150.50.25.2 255.255.255.0
encapsulation ppp
ip ospf demand-circuit
dialer map ip 150.50.25.5 name Router5 broadcast 8358662
dialer-group 1
isdn switch-type basic-ni
isdn spid1 0835866101
isdn spid2 0835866301
ppp authentication chap ISDN
ppp chap hostname R2
ppp chap password 0 ccie
!
tacacs-server host 10.1.1.100
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key ccie
hostname R5
!
aaa new-model
!
isdn switch-type basic-ni
!
interface BRI0/0/0
ip address 150.50.25.5 255.255.255.0
encapsulation ppp
ip ospf demand-circuit
dialer map ip 150.50.25.2 name R2 broadcast 8358661
dialer-group 1
isdn switch-type basic-ni
isdn spid1 0835866201
isdn spid2 0835866401
ppp callback request
ppp authentication chap callin
ppp chap hostname Router5
ppp chap password 0 ccie
!
dialer-list 1 protocol ip permit
!
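
Added example, not part of either post and not Cisco tooling: a small Python triage of the R2 debug output quoted in the question above. It tallies bytes written and read per TPLUS session and measures the time until "timed out", so a FAIL logged after a silent wait for the whole configured timeout can be told apart from one that follows a server reply. The function name and verdict labels are this example's own.

```python
import re

# Subset of the R2 debug output, copied from the post above.
DEBUG = """\
03:52:55: TPLUS: Using server 10.1.1.100
03:52:55: TPLUS(00000070)/0/NB_WAIT/65435178: Started 20 sec timeout
03:52:55: TPLUS(00000070)/0/NB_WAIT: wrote entire 85 bytes request
03:52:55: TPLUS(00000070)/0/READ: Would block while reading
03:52:55: TPLUS(00000070)/0/READ: read 0 bytes
R2#
03:53:15: TPLUS(00000070)/0/READ/65435178: timed out
03:53:15: TPLUS(00000070)/0/READ/65435178: timed out, clean up
03:53:15: BR0/0/0:1 PPP: Received LOGIN Response FAIL
"""

STAMP = re.compile(r"^(\d\d):(\d\d):(\d\d): (.*)$")   # uptime-style timestamp
TPLUS = re.compile(r"^TPLUS\((\w+)\)\S*: (.*)$")      # per-session TPLUS line

def triage(text):
    """Summarise each TPLUS session: bytes sent/read and whether it timed out."""
    sessions, ppp_fail = {}, False
    for raw in text.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue                      # router prompts, dated syslog lines
        now = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        body = m[4]
        ppp_fail |= "PPP: Received LOGIN Response FAIL" in body
        s = TPLUS.match(body)
        if not s:
            continue
        st = sessions.setdefault(s[1], {"timeout": None, "start": None,
                                        "sent": 0, "read": 0, "timed_out_after": None})
        msg = s[2]
        if k := re.match(r"Started (\d+) sec timeout", msg):
            st["timeout"], st["start"] = int(k[1]), now
        elif k := re.match(r"wrote entire (\d+) bytes", msg):
            st["sent"] += int(k[1])
        elif k := re.match(r"read (\d+) bytes", msg):
            st["read"] += int(k[1])
        elif (msg.startswith("timed out") and st["start"] is not None
              and st["timed_out_after"] is None):
            st["timed_out_after"] = now - st["start"]   # seconds waited
    for st in sessions.values():
        if st.pop("start") is None or st["timed_out_after"] is None:
            st["verdict"] = "no-timeout-logged"
        elif st["read"] == 0:
            st["verdict"] = "timeout-no-reply"          # nothing read from the server
        else:
            st["verdict"] = "timeout-partial-reply"
    return {"sessions": sessions, "ppp_login_fail": ppp_fail}
```

Calling triage(DEBUG) on these lines reports session 00000070 as having sent 85 bytes, read 0, and timed out after the full 20 seconds set by "tacacs-server timeout 20".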
10-09-2005 03:13 AM
Bryan
I see that you have configured R2 for CHAP authentication for PPP. In my experience, using CHAP when going to TACACS is problematic, while PAP works well. Since TACACS will encrypt the password being sent to the authentication server, you have adequate protection with PAP and do not need the complexity of CHAP. Specifying CHAP, which will also encrypt the password, is overkill, and CHAP wanting to do the challenge/challenge response processing does not work with TACACS.
I suggest that you change the authentication from CHAP to PAP and see if it does not work better.
The other solution that I can think of would be to change the configuration of R2 so that it does not do TACACS for PPP and does local authentication instead. I would do this if there is a particular reason why you want CHAP instead of PAP.
Let us know how you work this out.
HTH
Rick