Cisco Support Community
New Member

Corrupt PAP passwords using 7200-IOS 12.2T

We are having a problem that seems to be 7200-IOS 12.2T corrupting PAP passwords. No such bugs recorded at Cisco.

Has anyone heard of such a thing?

Details:

Our RADIUS server rejects some customers claiming that the password is wrong. After some tests we discovered that the password entered is actually correct. But RADIUS receives it corrupted. It couldn't be a random bit error, because it happens consistently, and the same corrupt password is received for the same account. Once the password is changed for that account it works fine, but occasionally the problem returns to the same account. Our NAS is a 7200 to terminate pppoe/ATM-dsl sessions. pap is used for ppp authentication.

We initially thought that RADIUS must be the culprit. So switched authentication to the backup RADIUS server, and we used some problem-accounts (accounts that have this problem) to see how it works there. And it displays the exact same problem. We then avoided passing through the router, by running a test script to see if the RADIUS authenticates these problem-accounts, and they were accepted just fine.

So then we turned our sights towards the end clients. We thought they might have a bug that somehow might have been triggered at the same time. We tried these problem-accounts on different systems (Zyxel, Alcatel, dsl-bridge, dsl-router, Windows 2000, XP) and they were all rejected by the RADIUS ("Passwords don't match"). (Of course we verified that it was accepting other non-problem-accounts.)

Finally we looked at the NAS router (the 7200). So we used a test router (3640, IOS 11.1(20)) as a NAS that has modems and authenticating on the same RADIUS used for DSL. We dialed in with these problem-accounts and they were ACCEPTED.

We concluded that our NAS/router somehow was causing this problem. I couldn't find any such bug on Cisco's site for that IOS -- 12.2(13)T4. I thought that it might be a side effect of some other PPP bug (of which there are many) and that it might have been fixed with a later version. So I upgraded the router to 12.2(15)T5, yet nothing changed.

Our intermediate solution, at this point, is to renew the password every time a customer calls complaining about being rejected.

Does anyone know what might be the problem?

Or has anyone ever encountered such a problem?

thank you,

-Osama

2 REPLIES
Cisco Employee

Re: Corrupt PAP passwords using 7200-IOS 12.2T

It could be a new bug. We need to see the debugs on the NAS for the following during the PAP authentication to the RADIUS server. So turn on the following debugs to capture the authentication packet sent to RADIUS.

debug ppp authentication

debug radius

debug aaa authentication

Since you can see this issue with some accounts, you can start that debug and buffer it in the syslog server. Once you notice that the authentication has failed because of a corrupted password, stop the debug and find the record with the problem.

New Member

Re: Corrupt PAP passwords using 7200-IOS 12.2T

Here is some debug output for a corrupted password account (u123718763):

Jul 14 12:44:41: AAA/BIND(00006F3F): Bind i/f

Jul 14 12:44:41: ppp1362 PPP: Using default call direction

Jul 14 12:44:41: ppp1362 PPP: Treating connection as a dedicated line

Jul 14 12:44:41: ppp1362 PPP: Authorization required

Jul 14 12:44:43: ppp1362 PAP: I AUTH-REQ id 8 len 21 from "u123718763"

Jul 14 12:44:43: ppp1362 PAP: Authenticating peer u123718763

Jul 14 12:44:43: AAA/AUTHEN/PPP (00006F3F): Pick method list 'default'

Jul 14 12:44:43: ppp1362 PPP: Sent PAP LOGIN Request

Jul 14 12:44:43: RADIUS: AAA Unsupported [150] 12

Jul 14 12:44:43: RADIUS: 33 2F 30 2F 30 2F 31 2E 31 30 [3/0/0/1.10]

Jul 14 12:44:43: RADIUS(00006F3F): Storing nasport 0 in rad_db

Jul 14 12:44:43: RADIUS(00006F3F): Config NAS IP: 0.0.0.0

Jul 14 12:44:43: RADIUS/ENCODE(00006F3F): acct_session_id: 38199

Jul 14 12:44:43: RADIUS(00006F3F): sending

Jul 14 12:44:43: RADIUS/ENCODE: Best Local IP-Address 212.118.133.136 for Radius-Server 212.118.133.82

Jul 14 12:44:43: RADIUS(00006F3F): Send Access-Request to 212.118.133.82:1812 id 21687/245, len 88

Jul 14 12:44:43: RADIUS: authenticator 78 EC 3F A2 B3 11 EE 87 - BD E1 20 C1 B3 0F 02 C4

Jul 14 12:44:43: RADIUS: Framed-Protocol [7] 6 PPP [1]

Jul 14 12:44:43: RADIUS: User-Name [1] 12 "u123718763"

Jul 14 12:44:43: RADIUS: User-Password [2] 18 *

Jul 14 12:44:43: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

Jul 14 12:44:43: RADIUS: NAS-Port [5] 6 0

Jul 14 12:44:43: RADIUS: Connect-Info [77] 8 "sp-256"

Jul 14 12:44:43: RADIUS: Service-Type [6] 6 Framed [2]

Jul 14 12:44:43: RADIUS: NAS-IP-Address [4] 6 212.118.133.136

Jul 14 12:44:43: RADIUS: Received from id 21687/245 212.118.133.82:1812, Access-Reject, len 36

Jul 14 12:44:43: RADIUS: authenticator 64 5A 60 A8 0A AA B7 2F - D5 8F 09 BE A3 08 A2 60

Jul 14 12:44:43: RADIUS: Reply-Message [18] 16

Jul 14 12:44:43: RADIUS: 57 72 6F 6E 67 20 70 61 73 73 77 6F 72 64 [Wrong password]

Jul 14 12:44:43: RADIUS(00006F3F): Received from id 21687/245

Jul 14 12:44:43: RADIUS/DECODE: Reply-Message fragments, 14, total 14 bytes

Jul 14 12:44:43: ppp1362 PPP: Received LOGIN Response FAIL

Jul 14 12:44:43: ppp1362 PAP: O AUTH-NAK id 8 len 19 msg is "Wrong password"

Here is another (account: u129316748):

Jul 14 12:57:09: AAA/BIND(00006F7B): Bind i/f

Jul 14 12:57:09: ppp68 PPP: Using default call direction

Jul 14 12:57:09: ppp68 PPP: Treating connection as a dedicated line

Jul 14 12:57:09: ppp68 PPP: Authorization required

Jul 14 12:57:11: ppp68 PAP: I AUTH-REQ id 92 len 24 from "u129316748"

Jul 14 12:57:11: ppp68 PAP: Authenticating peer u129316748

Jul 14 12:57:11: AAA/AUTHEN/PPP (00006F7B): Pick method list 'default'

Jul 14 12:57:11: ppp68 PPP: Sent PAP LOGIN Request

Jul 14 12:57:11: RADIUS: AAA Unsupported [150] 11

Jul 14 12:57:11: RADIUS: 33 2F 30 2F 30 2F 31 2E 38 [3/0/0/1.8]

Jul 14 12:57:11: RADIUS(00006F7B): Storing nasport 0 in rad_db

Jul 14 12:57:11: RADIUS(00006F7B): Config NAS IP: 0.0.0.0

Jul 14 12:57:11: RADIUS/ENCODE(00006F7B): acct_session_id: 38282

Jul 14 12:57:11: RADIUS(00006F7B): sending

Jul 14 12:57:11: RADIUS/ENCODE: Best Local IP-Address 212.118.133.136 for Radius-Server 212.118.133.82

Jul 14 12:57:11: RADIUS(00006F7B): Send Access-Request to 212.118.133.82:1812 id 21688/111, len 88

Jul 14 12:57:11: RADIUS: authenticator 05 D2 0C F2 10 65 0B 20 - 80 B6 67 A2 E2 75 63 C1

Jul 14 12:57:11: RADIUS: Framed-Protocol [7] 6 PPP [1]

Jul 14 12:57:11: RADIUS: User-Name [1] 12 "u129316748"

Jul 14 12:57:11: RADIUS: User-Password [2] 18 *

Jul 14 12:57:11: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

Jul 14 12:57:11: RADIUS: NAS-Port [5] 6 0

Jul 14 12:57:11: RADIUS: Connect-Info [77] 8 "sp-256"

Jul 14 12:57:11: RADIUS: Service-Type [6] 6 Framed [2]

Jul 14 12:57:11: RADIUS: NAS-IP-Address [4] 6 212.118.133.136

Jul 14 12:57:11: RADIUS: Received from id 21688/111 212.118.133.82:1812, Access-Reject, len 36

Jul 14 12:57:11: RADIUS: authenticator 1A 07 87 94 C4 D0 AF 3B - 3E 3D E0 40 10 3E CB D7

Jul 14 12:57:11: RADIUS: Reply-Message [18] 16

Jul 14 12:57:11: RADIUS: 57 72 6F 6E 67 20 70 61 73 73 77 6F 72 64 [Wrong password]

Jul 14 12:57:11: RADIUS(00006F7B): Received from id 21688/111

Jul 14 12:57:11: RADIUS/DECODE: Reply-Message fragments, 14, total 14 bytes

Jul 14 12:57:11: ppp68 PPP: Received LOGIN Response FAIL

Jul 14 12:57:11: ppp68 PAP: O AUTH-NAK id 92 len 19 msg is "Wrong password"

thanks,

-Osama
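Added example, not part of the original thread: the debug output masks User-Password as `*`, so comparing what the NAS sent with what the customer typed means reversing the RFC 2865 password hiding on a captured Access-Request, using the shared secret and the request authenticator. The shared secret, the passwords and the "captured" value below are constructed, and the `len` in the IOS `AUTH-REQ` line is assumed to be the PAP Length field.

```python
import hashlib

def pap_password_len(auth_req_len, peer_id):
    # RFC 1334 Authenticate-Request layout: code(1) id(1) length(2)
    # peer-id-len(1) peer-id passwd-len(1) passwd
    return auth_req_len - (4 + 1 + len(peer_id.encode()) + 1)

def _chain(data, secret, request_auth, decrypt):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = block if decrypt else xored
    return out

def hide_password(password, secret, request_auth):
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    padded_len = max(16, -(-len(password) // 16) * 16)
    return _chain(password.ljust(padded_len, b"\x00"), secret, request_auth, False)

def reveal_password(hidden, secret, request_auth):
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a multiple of 16 bytes")
    return _chain(hidden, secret, request_auth, True).rstrip(b"\x00")

def check(hidden, typed, secret, request_auth):
    # Compare the password the NAS put on the wire with the one typed.
    sent = reveal_password(hidden, secret, request_auth)
    return {"sent": sent, "typed": typed, "match": sent == typed}

# Request authenticator taken from the first trace in the thread.
REQ_AUTH = bytes.fromhex("78EC3FA2B311EE87BDE120C1B30F02C4")
SECRET = b"constructed-shared-secret"   # constructed, not from the thread
TYPED = b"s3cr7"                        # constructed 5-byte password
# Constructed stand-in for a captured attribute value that differs from TYPED;
# it makes no claim about what the router actually sent.
ON_WIRE = hide_password(b"s3cr8", SECRET, REQ_AUTH)

if __name__ == "__main__":
    print("password length, u123718763:", pap_password_len(21, "u123718763"))
    print("password length, u129316748:", pap_password_len(24, "u129316748"))
    print("attribute length:", 2 + len(ON_WIRE))  # type + length + value
    print(check(ON_WIRE, TYPED, SECRET, REQ_AUTH))
```

Under that assumption both traces carry passwords short enough for a single 16-byte block, which agrees with the User-Password attribute length of 18 shown in the debug output.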
