ISDN DDR w/ EasyIP to MS-CHAP RAS Server

simtel
Level 1

Hi,

Q1) Does anybody have an example config that will do this task? (ISDN DDR w/ EasyIP to call an MS-CHAP RAS.) I have been trying for a month, but can't get to the IPCP stage; it seems to stop just after PPP authentication completes.

Q2) Is there a way to block RAS dial-in attempts from a Cisco router? I'm dialing into a Cisco router at the other end, but I'm not sure whether it performs the authentication or not.

Any info would be much appreciated!


4 Replies

mljohnson
Level 4

If the cisco is calling the RAS, and the RAS wants to use MS-CHAP to authenticate the cisco, this won't work since cisco does not support being challenged via MS-CHAP (essentially the client portion of MS-CHAP). Instead, CHAP could be used. In that case just a generic DDR config with "ip address negotiated" would be fine. If the RAS is calling the cisco, then a generic DDR config with "ip address negotiated" and "ppp authent mschap" would be fine. I assume that you have seen things fail at the authentication state; "debug ppp neg" would show you what's happening.

I'm not sure I understand the second question. The RAS dials the cisco, and you want to block that dial? In general authentication (other than checking the CLID) is the best way to control who connects. To enable this on the cisco you simply configure the interface command "ppp authent method", and "debug ppp neg" or "debug ppp authen" will tell you what is happening for a connection attempt.

Yeah, the Cisco is calling the RAS. The RAS is allowing only MS-CHAP.

What you say about MS-CHAP not being supported is most likely true; however, the router is able to authenticate itself with MS-CHAP, as I can see the following in debug ppp negotiation (well, I assume it is!):

10:07:41: BR0/0:1 MS-CHAP: O RESPONSE id 6 len 65 from "fred".
10:07:44: BR0/0:1 MS-CHAP: I SUCCESS id 6 len 4

As soon as this happens, however, the RAS server sends a TERMREQ:

10:07:44: BR0/0:1 LCP: I TERMREQ [Open] id 11 len 4
10:07:44: BR0/0:1 LCP: O TERMACK [Open] id 11 len 4

and it drops before progressing to IPCP.

Here is the full output:

RouterA#ping 10.132.48.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.48.1, timeout is 2 seconds:
10:07:40: BR0/0 DDR: Dialing cause ip (s=xxx.xxx.xxx.xxx, d=10.132.48.1)
10:07:40: BR0/0 DDR: Attempting to dial
10:07:40: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 0 changed to up
10:07:41: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
10:07:41: BR0/0:1 PPP: Treating connection as a callout
10:07:41: BR0/0:1 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
10:07:41: BR0/0:1 LCP: O CONFREQ [Closed] id 9 len 15
10:07:41: BR0/0:1 LCP: AuthProto MS-CHAP (0x0305C22380)
10:07:41: BR0/0:1 LCP: MagicNumber 0x075F37AC (0x0506075F37AC)
10:07:41: BR0/0:1 LCP: I CONFREQ [REQsent] id 10 len 15
10:07:41: BR0/0:1 LCP: AuthProto MS-CHAP (0x0305C22380)
10:07:41: BR0/0:1 LCP: MagicNumber 0x7A056D6F (0x05067A056D6F)
10:07:41: BR0/0:1 LCP: O CONFACK [REQsent] id 10 len 15
10:07:41: BR0/0:1 LCP: AuthProto MS-CHAP (0x0305C22380)
10:07:41: BR0/0:1 LCP: MagicNumber 0x7A056D6F (0x05067A056D6F)
10:07:41: BR0/0:1 LCP: I CONFACK [ACKsent] id 9 len 15
10:07:41: BR0/0:1 LCP: AuthProto MS-CHAP (0x0305C22380)
10:07:41: BR0/0:1 LCP: MagicNumber 0x075F37AC (0x0506075F37AC)
10:07:41: BR0/0:1 LCP: State is Open
10:07:41: BR0/0:1 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]
10:07:41: BR0/0:1 CHAP: Using alternate hostname fred
10:07:41: BR0/0:1 MS-CHAP: O CHALLENGE id 9 len 24 from "fred"
10:07:41: BR0/0:1 MS-CHAP: I CHALLENGE id 6 len 21 from "muli3s3 "
10:07:41: BR0/0:1 CHAP: Using alternate hostname fred
10:07:41: BR0/0:1 CHAP: Username muli3s3 not found
10:07:41: BR0/0:1 CHAP: Using default password.
10:07:41: BR0/0:1 MS-CHAP: O RESPONSE id 6 len 65 from "fred".
10:07:44: BR0/0:1 MS-CHAP: I SUCCESS id 6 len 4
10:07:44: BR0/0:1 LCP: I TERMREQ [Open] id 11 len 4
10:07:44: BR0/0:1 LCP: O TERMACK [Open] id 11 len 4
10:07:44: BR0/0:1 PPP: Phase is TERMINATING [0 sess, 0 load]
10:07:45: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to
10:07:45: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from , call lasted 3 seconds
10:07:45: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
10:07:45: DDR: Call disconnected, 0 packets unqueued and discarded
10:07:45: BR0/0:1 LCP: State is Closed
10:07:45: BR0/0:1 PPP: Phase is DOWN [0 sess, 0 load]
10:07:45: BR0/0:1 DDR: disconnecting call.

And here is the BRI config plus the other required lines:

interface BRI0/0
 bandwidth 64
 ip address negotiated
 ip nat outside
 encapsulation ppp
 no keepalive
 dialer idle-timeout 300
 dialer wait-for-carrier-time 60
 dialer map ip 10.132.48.1 broadcast
 dialer hold-queue 10
 dialer-group 1
 isdn switch-type basic-net3
 isdn tei-negotiation first-call
 isdn static-tei 0
 no cdp enable
 ppp authentication ms-chap
 ppp chap hostname fred
 ppp chap password 0
 ppp ipcp accept-address
!
ip route 10.132.48.1 255.255.255.255 BRI0/0 permanent
dialer-list 1 protocol ip permit

It's a funny thing, because we have had 3 different RAS servers respond in the same way, and one of them was in our lab, which we configured with PAP, CHAP and MS-CHAP, all of which produced similar results.

Probably there is some stupid mistake in the config?

Thanks for the help!

Mark.

Note that you don't usually need to enable authentication for outbound dialing; normally you would use "ppp authen ms-chap callin" to only authenticate inbound calls. "debug ppp neg" does show that we respond to the remote's request for MS-CHAP (due to the "ppp chap" commands under the BRI, I think). Notice that the RAS takes 3 seconds to respond to the CHAP; it may be confused, although you would have to troubleshoot the RAS to determine that. Certainly if our password is not correct it should NOT send a success. It may be that the RAS is unable to respond to our challenge; adding the "callin" option may be an interesting test then.
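As an added illustration, not part of the thread, here is a small Python checker that runs over a constructed copy of the "debug ppp negotiation" lines posted above and flags the pattern the accepted answer describes: the router challenging the peer on a callout, then an inbound SUCCESS followed by a TERMREQ before IPCP ever starts. The line format is taken from the thread's own output; the heuristic and the function names are my assumptions, not an IOS rule.

```python
import re

# Constructed sample: a trimmed copy of the "debug ppp negotiation" lines posted in this thread.
SAMPLE_LOG = """\
10:07:41: BR0/0:1 PPP: Treating connection as a callout
10:07:41: BR0/0:1 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]
10:07:41: BR0/0:1 MS-CHAP: O CHALLENGE id 9 len 24 from "fred"
10:07:41: BR0/0:1 MS-CHAP: I CHALLENGE id 6 len 21 from "muli3s3 "
10:07:41: BR0/0:1 MS-CHAP: O RESPONSE id 6 len 65 from "fred".
10:07:44: BR0/0:1 MS-CHAP: I SUCCESS id 6 len 4
10:07:44: BR0/0:1 LCP: I TERMREQ [Open] id 11 len 4
10:07:44: BR0/0:1 PPP: Phase is TERMINATING [0 sess, 0 load]
"""

# "<hh:mm:ss>: <interface> <PROTO>: <message>"; syslog lines such as %ISDN-6-CONNECT are skipped.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d): (?P<intf>\S+) (?P<proto>[A-Z-]+): (?P<msg>.*)$")


def parse_ppp_debug(text: str) -> list[dict]:
    """Turn debug output into an ordered list of {ts, intf, proto, msg} events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def diagnose_callout_auth(events: list[dict]) -> list[str]:
    """Heuristic (my assumption): on a callout where we also challenge the peer, an inbound
    SUCCESS followed by TERMREQ before IPCP points at the peer choking on our challenge;
    the accepted answer's "callin" keyword is the suggested test."""
    callout = any(e["proto"] == "PPP" and "callout" in e["msg"] for e in events)
    by_both = any(e["proto"] == "PPP" and "AUTHENTICATING, by both" in e["msg"] for e in events)
    we_challenged = any(e["proto"].endswith("CHAP") and e["msg"].startswith("O CHALLENGE") for e in events)
    success_at = next((i for i, e in enumerate(events)
                       if e["proto"].endswith("CHAP") and e["msg"].startswith("I SUCCESS")), None)
    termreq_at = next((i for i, e in enumerate(events)
                       if e["proto"] == "LCP" and e["msg"].startswith("I TERMREQ")), None)
    reached_ipcp = any(e["proto"] == "IPCP" for e in events)
    findings = []
    if callout and by_both and we_challenged:
        findings.append("router challenged the peer on an outbound call (two-way authentication)")
    if success_at is not None and termreq_at is not None and termreq_at > success_at and not reached_ipcp:
        findings.append("peer sent SUCCESS, then TERMREQ before IPCP: link dropped right after authentication")
    if findings:
        findings.append('test: replace "ppp authentication ms-chap" with "ppp authentication ms-chap callin"')
    return findings
```

Run `diagnose_callout_auth(parse_ppp_debug(SAMPLE_LOG))` to see the three findings; a capture that reaches IPCP produces no findings.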

I knew it was something stupid. It works!!

I love you! (in a non-homosexual kinda way!!)

Thank you very, very much, you saved my life and future training!!

Happy Mark