CHAP problem :- Ignoring Challenge with local name

mfared

Hi,

I tried using CHAP for the PPP session for our VPDN (L2TP). The L2TP session is successfully established, but the LNS (Cisco box) keeps complaining as below:

---- debug messages at LNS -----
Jan 29 07:13:30.329: Vi5 CHAP: I CHALLENGE id 133 len 44 from "test@vpdn.com"
Jan 29 07:13:30.329: Vi5 CHAP: Ignoring Challenge with local name
Jan 29 07:13:30.405: Vi5 AUTH: Timeout 2

What does the "local name" mean?

---- config at my LNS -------
!
vpdn-group vpdn.com
 accept-dialin
  protocol l2tp
  virtual-template 3
 terminate-from hostname as5300
 source-ip <our_lns_ip>
 local name vpdntunnel
!
!
interface Virtual-Template3
 ip vrf forwarding vpdn.com
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
 ppp chap hostname test@vpdn.com
 ppp chap password xxxx
 ppp pap sent-username test@vpdn.com password xxxx
 ppp multilink
!

--- config at my CE router -----
interface BRI1/0
 encapsulation ppp
 dialer idle-timeout 300
 dialer-group 1
 isdn switch-type basic-net3
 ppp authentication chap
 ppp chap hostname test@vpdn.com
 ppp chap password xxxx
 ppp pap sent-username xxxxx password xxxxxx
 ppp multilink
end

Appreciate any input.

Thanks,

--fared


JAN MARIS

Hi,

It looks like you have made your Virtual-Template 3 username-specific, and I think you don't need to do this.

So remove the lines:

ppp chap hostname test@vpdn.com
ppp chap password xxxx
ppp pap sent-username test@vpdn.com

You need to use an AAA method to decide how the PPP authentication is done, e.g. either with a RADIUS server or local, ...

Create an AAA method for 'ppp authentication':

aaa authentication ppp yourmethod group your-radius-srv local

and refer to it in the Virtual-Template 3:

ppp authentication chap pap yourmethod

If you do local authentication, make sure you have the username and password configured locally on the LNS.

Hope this helps.

Jan

Hi Jan,

Thanks for the input.

I'd taken out the chap hostname/password and created the AAA method for the virtual-template.

!
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default group radius
aaa authentication ppp vpdn group radius
!
interface Virtual-Template3
 ip vrf forwarding vpdn.com
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap vpdn
 ppp multilink
end
!

The error messages disappeared, but now the CHAP authentication failed. I have no problem if I use "aaa authentication ppp vpdn local", but when I use "aaa authentication ppp default group radius", things don't work. Something must be wrong somewhere in my PPP config. Thanks again for the insight.

.
Jan 30 10:00:56.432: RADIUS: Received from id 21646/82 61.6.32.76:1645, Access-Accept, len 44
.
Jan 30 10:01:06.304: Vi5 CHAP: I CHALLENGE id 212 len 44 from "test@vpdn.com"
Jan 30 10:01:06.304: AAA/AUTHEN/PPP (00000530): Pick method list 'vpdn'
.
Jan 30 10:01:06.308: Vi5 CHAP: Unable to authenticate for peer
Jan 30 10:01:06.308: Vi5 PPP: Sending Acct Event[Down] id[530]
Jan 30 10:01:06.312: Vi5 PPP: Phase is TERMINATING
.

Thanks,

--fared

Hi Fared,

Difficult to say with the logs you provided.

If you use a RADIUS server: use "debug radius" to see the LNS's request to that RADIUS server and what it returns. The user should be configured on that RADIUS server, and make sure you get an Access-Accept back (with attribute 6 and 7: Service-Type = Framed; Framed-Service = PPP).

Moreover, I personally always try to avoid default methods as much as possible. I use named methods. That allows better control of the functionality you really need.

Hi jmaris,

It seems that my lack of understanding of PPP authentication had dragged me into lots of problems.

Reading through the docs and debug logs, I made some changes at the client side, adding the callin to the ppp authentication, and the problem was solved.

Thank you for the advice.

--fared
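
Added example, not part of the original thread and not Cisco code: a minimal RFC 1994 CHAP responder showing the check behind the debug line "Ignoring Challenge with local name", where a challenge whose Name field equals the responder's own CHAP name (both routers above used test@vpdn.com) is dropped instead of answered. The function names, the name "lns-side" and the secret are hypothetical, and the challenge bytes are constructed.

```python
import hashlib
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2  # RFC 1994 packet codes

def build_chap(code, ident, value, name):
    """Encode code, id, length, value-size, value and name into one packet."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(pkt):
    """Decode a Challenge/Response packet, rejecting inconsistent lengths."""
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    vsize = pkt[4]
    if length > len(pkt) or length < 5 + vsize:
        raise ValueError("bad CHAP length fields")
    name = pkt[5 + vsize:length].decode(errors="replace")
    return code, ident, pkt[5:5 + vsize], name

def chap_value(ident, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def answer_challenge(pkt, local_name, secrets):
    """Return a Response packet, or None when the challenge is not answered.

    secrets maps peer name -> shared secret (constructed sample data).
    """
    code, ident, challenge, peer_name = parse_chap(pkt)
    if code != CHAP_CHALLENGE:
        return None
    if peer_name == local_name:
        # Challenge claims our own name: answering it would hash our secret
        # over a value the peer may simply have echoed back, so drop it.
        return None
    secret = secrets.get(peer_name)
    if secret is None:
        return None  # no secret on file for this peer name
    value = chap_value(ident, secret, challenge)
    return build_chap(CHAP_RESPONSE, ident, value, local_name)

# Constructed sample: id 133 and name as in the debug line, made-up challenge bytes.
SAMPLE = build_chap(CHAP_CHALLENGE, 133, bytes(range(16)), "test@vpdn.com")
SECRETS = {"test@vpdn.com": b"constructed-secret"}

if __name__ == "__main__":
    print(answer_challenge(SAMPLE, "test@vpdn.com", SECRETS))   # same name: ignored
    print(answer_challenge(SAMPLE, "lns-side", SECRETS).hex())  # distinct name: answered
```

With the same CHAP name on both ends the responder never replies, so the challenger's authentication timer expires, which matches the "AUTH: Timeout" line in the first post.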
