Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Dialing into CISCO3660 using NT4 and Win2000 RAS-Clients

Hello, we are just migrating our NT-RAS Servers to CISCO machines. We also use Cisco ACS for athentication. My problem is, with the NT servers it was possible to let passwords for dialin expire, and the user got a box notifying him of that and that he has to change the pasword. I found documents on the cisco site explaining how to do this with a CISCO VPN3000 with MS-CHAP as auth protocol. Is it possible to enable this feature with a CISCO3660 and ISDN PRI ports ??? i have installed the trial of CISCO ACS V3.0, and advanced to the client dialing in, getting that box telling to change the password. But the problem is that the router gets an access rejected from Radius-Server and hangs up before you can change your password. Here is a debug radius output from the CISCO3660:

19:56:08: %LINK-3-UPDOWN: Interface Serial1/1:0, changed state to up

19:56:08: Se1/1:0 PPP: Treating connection as a callin

19:56:10: Se1/1:0 MS-CHAP: O CHALLENGE id 9 len 23 from "RoutEWAHL1"

19:56:10: Se1/1:0 MS-CHAP: I RESPONSE id 9 len 60 from "DialIn"

19:56:10: RADIUS: ustruct sharecount=1

19:56:10: Radius: radius_port_info() success=1 radius_nas_port=1

19:56:10: RADIUS: Initial Transmit Serial1/1:0 id 32, Access-

Request, len 142

19:56:10: Attribute 4 6 AC110201

19:56:10: Attribute 5 6 00004E84

19:56:10: Attribute 61 6 00000002

19:56:10: Attribute 1 8 4469616C

19:56:10: Attribute 31 10 30343736

19:56:10: Attribute 26 16 000001370B0A362A

19:56:10: Attribute 26 58 0000013701340901

19:56:10: Attribute 6 6 00000002

19:56:10: Attribute 7 6 00000001

19:56:10: RADIUS: Received from id 32, Access-Reject, len 54

19:56:10: Attribute 18 12 52656A65

19:56:10: Attribute 26 22 0000013702100945

19:56:10: Se1/1:0 CHAP: Unable to validate Response. Username DialIn: Authentic

ation failure

19:56:10: Se1/1:0 MS-CHAP: O FAILURE id 9 len 28 msg is "IE=648 R=0 V=3RejectedJ


19:56:10: %ISDN-6-CONNECT: Interface Serial1/1:0 is now connected to 04765538

19:56:10: %ISDN-6-DISCONNECT: Interface Serial1/1:0 disconnected from 04765538

, call lasted 1 seconds

19:56:10: %LINK-3-UPDOWN: Interface Serial1/1:0, changed state to down

You can contact me directly via E-Mail at

Thanks for your help.


Re: Dialing into CISCO3660 using NT4 and Win2000 RAS-Clients

You'll need IOS support for MS-CHAP2, which is CSCdt71045, which I think is due out in the next 12.2T image (should be 12.2(11)T).

New Member

Re: Dialing into CISCO3660 using NT4 and Win2000 RAS-Clients

It's also supposed to be in 12.2(2)XB5 as far as I know. This is on CCO now.


New Member

Re: Dialing into CISCO3660 using NT4 and Win2000 RAS-Clients

well, i had the best experiences with the 12.2(10) image. Using all other images i couldnt even get the change password box in NT, only problem is that the router gets an acces-rejected from the radius-server when change password at next logon is activated, so the new password you enter is not transmitted to the radius-server even if the router doesnt hang up which i could handle with a ppp max-bad-auth 3. i couldnt get the xb5 image to boot on my 3660 with 64megs of ram, keeps booting the old image which is still in the flash. while booting it says something like not enough I/O memory. i hope the next image (12.2(11)) will fix this issues, or is it just possible to use this password expiration feature in conjunction with the VPN models ????

CreatePlease login to create content