01-29-2004 12:16 AM - edited 03-02-2019 01:13 PM
Hi,
I tried using CHAP for the PPP session for our VPDN
(L2TP). The L2TP session is successfully established,
but the LNS (Cisco box) keeps complaining as below:
---- debug messages at LNS -----
Jan 29 07:13:30.329: Vi5 CHAP: I CHALLENGE id 133 len 44 from "test@vpdn.com"
Jan 29 07:13:30.329: Vi5 CHAP: Ignoring Challenge with local name
Jan 29 07:13:30.405: Vi5 AUTH: Timeout 2
What does the "local name" mean?
---- config at my LNS -------
!
vpdn-group vpdn.com
 accept-dialin
  protocol l2tp
  virtual-template 3
 terminate-from hostname as5300
 source-ip <our_lns_ip>
 local name vpdntunnel
!
!
interface Virtual-Template3
 ip vrf forwarding vpdn.com
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
 ppp chap hostname test@vpdn.com
 ppp chap password xxxx
 ppp pap sent-username test@vpdn.com password xxxx
 ppp multilink
!
--- config at my CE router -----
interface BRI1/0
 encapsulation ppp
 dialer idle-timeout 300
 dialer-group 1
 isdn switch-type basic-net3
 ppp authentication chap
 ppp chap hostname test@vpdn.com
 ppp chap password xxxx
 ppp pap sent-username xxxxx password xxxxxx
 ppp multilink
end
appreciate any input.
thanks,
--fared
01-29-2004 03:07 AM
Hi,
It looks like you have made your Virtual-Template 3 username-specific, and I think you don't need to do this.
So remove the lines:
ppp chap hostname test@vpdn.com
ppp chap password xxxx
ppp pap sent-username test@vpdn.com
You need to use an AAA method to decide how the PPP authentication is done, e.g. either with a RADIUS server or local, ...
Create an AAA method for 'ppp authentication':
aaa authentication ppp yourmethod group your-radius-srv local
and refer to it in the Virtual-Template 3:
ppp authentication chap pap yourmethod
If you do local authentication, make sure you have the username and password configured locally on the LNS.
Hope this helps.
Jan
01-30-2004 02:55 AM
hi jan,
thanks for the input.
i'd taken out the chap hostname/password and created
the aaa method for the virtual-template.
!
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default group radius
aaa authentication ppp vpdn group radius
!
interface Virtual-Template3
 ip vrf forwarding vpdn.com
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap vpdn
 ppp multilink
end
!
The error messages disappeared,
but now the CHAP authentication fails. I have no problem if I use "aaa authentication ppp vpdn local", but when I use "aaa authentication ppp default group radius", things don't work. Something must be wrong somewhere in my PPP config. Thanks again for the insight.
.
Jan 30 10:00:56.432: RADIUS: Received from id 21646/82 61.6.32.76:1645, Access-Accept, len 44
.
Jan 30 10:01:06.304: Vi5 CHAP: I CHALLENGE id 212 len 44 from "test@vpdn.com"
Jan 30 10:01:06.304: AAA/AUTHEN/PPP (00000530): Pick method list 'vpdn'
.
Jan 30 10:01:06.308: Vi5 CHAP: Unable to authenticate for peer
Jan 30 10:01:06.308: Vi5 PPP: Sending Acct Event[Down] id[530]
Jan 30 10:01:06.312: Vi5 PPP: Phase is TERMINATING
.
thanks,
--fared
01-31-2004 06:10 AM
Hi Fared,
Difficult to say with the logs you provided.
If you use a RADIUS server: use "debug radius" to see the LNS's request to that RADIUS server and what it returns. The user should be configured on that RADIUS server, and make sure you get an Access-Accept back (with attribute 6 and 7: Service-Type = Framed; Framed-Service = PPP).
Moreover, I personally always try to avoid default methods as much as possible. I use named methods. That allows better control of the functionality you really need.
02-04-2004 10:51 PM
hi jmaris,
It seems that my lack of understanding of PPP authentication had dragged me into lots of problems.
Reading through the docs and debug logs, I made some changes on the client side, adding the callin to the ppp authentication, and the problem is solved.
thank you for the advice.
--fared
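The check behind the "Ignoring Challenge with local name" debug line, written out as an added example (not code from the posters or from Cisco): an RFC 1994 CHAP packet parser, the MD5 response computation, and a responder that drops any challenge carrying its own name. The status strings, the name `lns1` and the sample challenge value are constructed for illustration.

```python
import hashlib
import hmac
import struct

CHALLENGE, RESPONSE = 1, 2  # RFC 1994 codes; packet = Code, Id, Length, Value-Size, Value, Name

def build_chap(code, ident, value, name):
    body = bytes([len(value)]) + value + name.encode("latin-1")
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(pkt):
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    vsize = pkt[4]
    if length > len(pkt) or 5 + vsize > length:
        raise ValueError("inconsistent CHAP lengths")
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length].decode("latin-1")

def chap_digest(ident, secret, challenge):
    # RFC 1994: MD5 over Identifier || shared secret || challenge value
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def answer_challenge(pkt, local_name, secrets):
    """Responder side. Returns (status, response packet or None)."""
    code, ident, challenge, peer = parse_chap(pkt)
    if code != CHALLENGE:
        return "not-a-challenge", None
    if peer == local_name:
        # Our own name: possibly our challenge reflected back, so never answer it.
        return "ignored-local-name", None
    secret = secrets.get(peer)
    if secret is None:
        return "no-secret-for-peer", None
    digest = chap_digest(ident, secret, challenge)
    return "responded", build_chap(RESPONSE, ident, digest, local_name)

def verify_response(pkt, sent_challenge, secrets):
    """Challenger side: recompute the digest and compare in constant time."""
    code, ident, value, peer = parse_chap(pkt)
    secret = secrets.get(peer)
    if code != RESPONSE or secret is None:
        return False
    return hmac.compare_digest(value, chap_digest(ident, secret, sent_challenge))

if __name__ == "__main__":
    chal = build_chap(CHALLENGE, 133, bytes(range(16)), "test@vpdn.com")  # constructed input
    for name in ("test@vpdn.com", "lns1"):  # "lns1" is a hypothetical local name
        print(name, answer_challenge(chal, name, {"test@vpdn.com": b"xxxx"})[0])
```

With `callin` on the calling router, only the called side issues a challenge, so the LNS never receives one that it has to ignore or answer.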