We are having a problem that seems to be 7200-IOS 12.2T corrupting PAP passwords. No such bugs recorded at Cisco.
Has anyone heard of such a thing?
Our RADIUS server rejects some customers claiming that the password is wrong. After some tests we discovered that the password entered is actually correct. But RADIUS receives it corrupted. It couldn't be a random bit error, because it happens consistently, and the same corrupt password is received for the same account. Once the password is changed for that account it works fine, but occasionally the problem returns to the same account. Our NAS is a 7200 to terminate pppoe/ATM-dsl sessions. pap is used for ppp authentication.
We initially thought that RADIUS must be the culprit. So switched authentication to the backup RADIUS server, and we used some problem-accounts (accounts that have this problem) to see how it works there. And it displays the exact same problem. We then avoided passing through the router, by running a test script to see if the RADIUS authenticates these problem-accounts, and they were accepted just fine.
So then we turned our sights towards the end clients. We thought they might have a bug that somehow might have been triggered at the same time. We tried these problem-accounts on different systems (Zyxel, Alcatel, dsl-bridge, dsl-router, Windows 2000, XP) and they were all rejected by the RADIUS ("Passwords don't match"). (Of course we verified that it was accepting other non-problem-accounts.)
Finally we looked at the NAS router (the 7200). So we used a test router (3640, IOS 11.1(20)) as a NAS that has modems and authenticating on the same RADIUS used for DSL. We dialed in with these problem-accounts and they were ACCEPTED.
We concluded that our NAS/router somehow was causing this problem. I couldn't find any such bug on Cisco's site for that IOS -- 12.2(13)T4. I thought that it might be a side effect of some other PPP bug (of which there are many) and that it might have been fixed with a later version. So I upgraded the router to 12.2(15)T5, yet nothing changed.
Our intermediate solution, at this point, is to renew the password every time a customer calls complaining about being rejected.
It could be a new bug. We need to see the debugs on the NAS for the following during the PAP authentication to the RADIUS server. So turn on the following debugs to capture the authentication packet sent to RADIUS.
debug ppp authentication
debug aaa authentication
Since you can see this issue with some accounts, you can start that debug and buffer it in the syslog server. Once you notice that the authentication has failed because of a corrupted password, stop the debug and find the record with the problem.
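To read the password out of the captured Access-Request the reply asks for, here is an added example (not from the thread or from Cisco) that decodes the User-Password attribute as RFC 2865 section 5.2 defines it and lists which bytes differ from what the customer typed. The function names are hypothetical, and the shared secret, authenticator and password are constructed sample values.

```python
import hashlib

def _blocks(data: bytes, size: int = 16):
    return [data[i:i + size] for i in range(0, len(data), size)]

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password value a NAS sends (RFC 2865, section 5.2)."""
    width = max(16, -(-len(password) // 16) * 16)   # pad with NULs to 16n
    out, prev = b"", authenticator
    for block in _blocks(password.ljust(width, b"\x00")):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(block, key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password the NAS actually put in the Access-Request."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for block in _blocks(hidden):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def diff_bytes(expected: bytes, received: bytes):
    """Return (offset, expected, received) per differing byte; None = missing."""
    def at(buf, i):
        return buf[i] if i < len(buf) else None
    longest = max(len(expected), len(received))
    return [(i, at(expected, i), at(received, i))
            for i in range(longest) if at(expected, i) != at(received, i)]

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))          # 16-byte Request Authenticator
TYPED = b"Example-Passw0rd-20chars"       # what the customer entered

if __name__ == "__main__":
    # Simulate a NAS that drops the last character before encoding.
    on_wire = hide_password(TYPED[:-1], SECRET, AUTHENTICATOR)
    seen = reveal_password(on_wire, SECRET, AUTHENTICATOR)
    print("server saw:", seen)
    print("differences:", diff_bytes(TYPED, seen))
```

The decode is only valid when the shared secret and the Request Authenticator come from the same packet as the User-Password value being examined.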