09-19-2002 05:41 AM - edited 03-02-2019 01:28 AM
Hi,
Q1) Does anybody have an example config that will do this task? (ISDN DDR w/ EasyIP to call MS-CHAP RAS) I have been trying for a month, but I can't get to the IPCP stage; it seems to stop just after PPP authentication completes.
Q2) Is there a way to block RAS dial-in attempts from a Cisco router? I'm dialing into a Cisco router at the other end, but I'm not sure whether it performs the authentication or not.
Any info would be much appreciated!
09-19-2002 09:25 AM
If the cisco is calling the RAS, and the RAS wants to use MS-CHAP to authenticate the cisco, this won't work since cisco does not support being challenged via MS-CHAP (essentially the client portion of MS-CHAP). Instead, CHAP could be used. In that case just a generic DDR config with "ip address negotiated" would be fine. If the RAS is calling the cisco, then a generic DDR config with "ip address negotiated" and "ppp authent mschap" would be fine. I assume that you have seen things fail at the authentication state; "debug ppp neg" would show you what's happening.
I'm not sure I understand the second question. The RAS dials the cisco, and you want to block that dial? In general authentication (other than checking the CLID) is the best way to control who connects. To enable this on the cisco you simply configure the interface command "ppp authent method", and "debug ppp neg" or "debug ppp authen" will tell you what is happening for a connection attempt.
09-19-2002 10:41 AM
Yeah, the Cisco is calling the RAS. The RAS is allowing only MS-CHAP.
What you say about MS-CHAP not being supported is most likely true; however, the router is able to authenticate itself with MS-CHAP, as I can see the following in debug ppp negotiation (well, I assume it is!):
10:07:41: BR0/0:1 MS-CHAP: O RESPONSE id 6 len 65 from "fred".
10:07:44: BR0/0:1 MS-CHAP: I SUCCESS id 6 len 4
As soon as this happens, however, the RAS server sends a TERMREQ:
10:07:44: BR0/0:1 LCP: I TERMREQ [Open] id 11 len 4
10:07:44: BR0/0:1 LCP: O TERMACK [Open] id 11 len 4
and it drops before progressing to IPCP.
Here is the full output:
RouterA#ping 10.132.48.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.48.1, timeout is 2 seconds:
10:07:40: BR0/0 DDR: Dialing cause ip (s=xxx.xxx.xxx.xxx, d=10.132.48.1)
10:07:40: BR0/0 DDR: Attempting to dial
10:07:40: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 0 changed to up
10:07:41: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
10:07:41: BR0/0:1 PPP: Treating connection as a callout
10:07:41: BR0/0:1 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
10:07:41: BR0/0:1 LCP: O CONFREQ [Closed] id 9 len 15
10:07:41: BR0/0:1 LCP: AuthProto MS-CHAP (0x0305C22380)
10:07:41: BR0/0:1 LCP: MagicNumber 0x075F37AC (0x0506075F37AC)
10:07:41: BR0/0:1 LCP: I CONFREQ [REQsent] id 10 len 15
10:07:41: BR0/0:1 LCP: AuthProto MS-CHAP (0x0305C22380)
10:07:41: BR0/0:1 LCP: MagicNumber 0x7A056D6F (0x05067A056D6F)
10:07:41: BR0/0:1 LCP: O CONFACK [REQsent] id 10 len 15
10:07:41: BR0/0:1 LCP: AuthProto MS-CHAP (0x0305C22380)
10:07:41: BR0/0:1 LCP: MagicNumber 0x7A056D6F (0x05067A056D6F)
10:07:41: BR0/0:1 LCP: I CONFACK [ACKsent] id 9 len 15
10:07:41: BR0/0:1 LCP: AuthProto MS-CHAP (0x0305C22380)
10:07:41: BR0/0:1 LCP: MagicNumber 0x075F37AC (0x0506075F37AC)
10:07:41: BR0/0:1 LCP: State is Open
10:07:41: BR0/0:1 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]
10:07:41: BR0/0:1 CHAP: Using alternate hostname fred
10:07:41: BR0/0:1 MS-CHAP: O CHALLENGE id 9 len 24 from "fred"
10:07:41: BR0/0:1 MS-CHAP: I CHALLENGE id 6 len 21 from "muli3s3 "
10:07:41: BR0/0:1 CHAP: Using alternate hostname fred
10:07:41: BR0/0:1 CHAP: Username muli3s3 not found
10:07:41: BR0/0:1 CHAP: Using default password.
10:07:41: BR0/0:1 MS-CHAP: O RESPONSE id 6 len 65 from "fred".
10:07:44: BR0/0:1 MS-CHAP: I SUCCESS id 6 len 4
10:07:44: BR0/0:1 LCP: I TERMREQ [Open] id 11 len 4
10:07:44: BR0/0:1 LCP: O TERMACK [Open] id 11 len 4
10:07:44: BR0/0:1 PPP: Phase is TERMINATING [0 sess, 0 load]
10:07:45: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to
10:07:45: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from , call lasted 3 seconds
10:07:45: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
10:07:45: DDR: Call disconnected, 0 packets unqueued and discarded
10:07:45: BR0/0:1 LCP: State is Closed
10:07:45: BR0/0:1 PPP: Phase is DOWN [0 sess, 0 load]
10:07:45: BR0/0:1 DDR: disconnecting call.
And here is the BRI config + other required lines:
interface BRI0/0
bandwidth 64
ip address negotiated
ip nat outside
encapsulation ppp
no keepalive
dialer idle-timeout 300
dialer wait-for-carrier-time 60
dialer map ip 10.132.48.1 broadcast
dialer hold-queue 10
dialer-group 1
isdn switch-type basic-net3
isdn tei-negotiation first-call
isdn static-tei 0
no cdp enable
ppp authentication ms-chap
ppp chap hostname fred
ppp chap password 0
ppp ipcp accept-address
!
ip route 10.132.48.1 255.255.255.255 BRI0/0 permanent
dialer-list 1 protocol ip permit
It's a funny thing, because we have had 3 different RAS servers respond in the same way, and one of them was in our lab, which we configured with PAP, CHAP and MS-CHAP, all of which produced similar results.
Probably there is some stupid mistake in the config?
Thanks for the help!
Mark.
09-19-2002 01:04 PM
Note that you don't usually need to enable authentication for outbound dialing; normally you would use "ppp authen ms-chap callin" to only authenticate inbound calls. "debug ppp neg" does show that we respond to the remote's request for MS-CHAP (due to the "ppp chap" commands under the BRI, I think). Notice that the RAS takes 3 seconds to respond to the CHAP; it may be confused, although you would have to troubleshoot the RAS to determine that. Certainly if our password is not correct it should NOT send a success. It may be that the RAS is unable to respond to our challenge; adding the "callin" option may be an interesting test then.
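The reasoning in this reply can be checked mechanically against the "debug ppp negotiation" output posted above. The Python script below is an added example for this thread, not code from Cisco or from either poster. It parses the debug lines, records which direction authentication ran in ("Phase is AUTHENTICATING, by both" means this router is also challenging the RAS), pairs each outgoing MS-CHAP CHALLENGE with an incoming RESPONSE of the same id, and flags a peer TERMREQ that arrives before any IPCP line. The first sample is the poster's own output; the second sample, a one-way "by the peer" authentication that reaches IPCP, is constructed to show the healthy case. The line layout it expects is the one visible in the thread.

```python
"""Parse Cisco 'debug ppp negotiation' output and explain why a DDR call dropped
before IPCP.  Added example for this thread, not Cisco code.  The rules in
diagnose() encode the accepted answer's reasoning: authentication ran in both
directions, the peer never answered our challenge, and the peer tore the link
down right after accepting our response."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Lines copied from the debug output posted in this thread (a syslog line is
# kept on purpose to show that the parser ignores it).
SAMPLE_DEBUG = """\
10:07:41: BR0/0:1 PPP: Treating connection as a callout
10:07:41: BR0/0:1 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
10:07:41: BR0/0:1 LCP: O CONFREQ [Closed] id 9 len 15
10:07:41: BR0/0:1 LCP: AuthProto MS-CHAP (0x0305C22380)
10:07:41: BR0/0:1 LCP: State is Open
10:07:41: BR0/0:1 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]
10:07:41: BR0/0:1 CHAP: Using alternate hostname fred
10:07:41: BR0/0:1 MS-CHAP: O CHALLENGE id 9 len 24 from "fred"
10:07:41: BR0/0:1 MS-CHAP: I CHALLENGE id 6 len 21 from "muli3s3 "
10:07:41: BR0/0:1 MS-CHAP: O RESPONSE id 6 len 65 from "fred".
10:07:44: BR0/0:1 MS-CHAP: I SUCCESS id 6 len 4
10:07:44: BR0/0:1 LCP: I TERMREQ [Open] id 11 len 4
10:07:44: BR0/0:1 LCP: O TERMACK [Open] id 11 len 4
10:07:44: BR0/0:1 PPP: Phase is TERMINATING [0 sess, 0 load]
10:07:45: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
10:07:45: BR0/0:1 PPP: Phase is DOWN [0 sess, 0 load]
"""

# Constructed sample (not from the thread): the call is only authenticated by
# the peer, as with "ppp authentication ms-chap callin", and goes on to IPCP.
SAMPLE_GOOD = """\
10:30:01: BR0/0:1 PPP: Phase is AUTHENTICATING, by the peer [0 sess, 0 load]
10:30:01: BR0/0:1 MS-CHAP: I CHALLENGE id 1 len 21 from "ras"
10:30:01: BR0/0:1 MS-CHAP: O RESPONSE id 1 len 65 from "fred"
10:30:01: BR0/0:1 MS-CHAP: I SUCCESS id 1 len 4
10:30:01: BR0/0:1 PPP: Phase is UP [0 sess, 0 load]
10:30:01: BR0/0:1 IPCP: O CONFREQ [Closed] id 1 len 10
"""

# "<time>: <interface> <PROTO>: <message>"; syslog lines (%LINK-..., %ISDN-...)
# and plain text do not match and are skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<intf>\S+) (?P<proto>[A-Z-]+): (?P<msg>.*)$")
CHAP_RE = re.compile(r"^(?P<dir>[IO]) (?P<kind>CHALLENGE|RESPONSE|SUCCESS|FAILURE) id (?P<id>\d+)")
PHASE_RE = re.compile(r"^Phase is (?P<phase>[A-Z]+)(?:, by (?P<by>[^\[,]+?))?\s*(?:[,\[]|$)")

# Which (direction, packet type) pairs are collected into which id sets.
BUCKETS = {("O", "CHALLENGE"): "out_challenges", ("I", "RESPONSE"): "in_responses",
           ("O", "RESPONSE"): "out_responses", ("I", "SUCCESS"): "in_success",
           ("I", "FAILURE"): "in_failure"}


@dataclass
class PppTrace:
    auth_by: Optional[str] = None          # "both", "the peer", ... from the AUTHENTICATING line
    phases: List[str] = field(default_factory=list)
    out_challenges: Set[int] = field(default_factory=set)
    in_responses: Set[int] = field(default_factory=set)
    out_responses: Set[int] = field(default_factory=set)
    in_success: Set[int] = field(default_factory=set)
    in_failure: Set[int] = field(default_factory=set)
    reached_ipcp: bool = False
    termreq_before_ipcp: bool = False


def parse_trace(text: str) -> PppTrace:
    t = PppTrace()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proto, msg = m["proto"], m["msg"]
        if proto == "PPP":
            pm = PHASE_RE.match(msg)
            if pm:
                t.phases.append(pm["phase"])
                if pm["phase"] == "AUTHENTICATING":
                    t.auth_by = (pm["by"] or "").strip() or None
        elif proto in ("CHAP", "MS-CHAP"):
            cm = CHAP_RE.match(msg)
            if cm and (cm["dir"], cm["kind"]) in BUCKETS:
                getattr(t, BUCKETS[(cm["dir"], cm["kind"])]).add(int(cm["id"]))
        elif proto == "IPCP":
            t.reached_ipcp = True
        elif proto == "LCP" and msg.startswith("I TERMREQ") and not t.reached_ipcp:
            t.termreq_before_ipcp = True
    return t


def diagnose(t: PppTrace) -> List[str]:
    """Return the problems found; an empty list means the trace looks healthy."""
    problems = []
    if t.auth_by == "both":
        problems.append("mutual authentication: this router is also challenging the peer "
                        "(an outbound call without 'callin' on ppp authentication)")
    unanswered = sorted(t.out_challenges - t.in_responses)
    if unanswered:
        problems.append(f"our CHALLENGE id(s) {unanswered} never drew a RESPONSE from the peer")
    if t.out_responses & t.in_failure:
        problems.append("peer rejected our credentials (FAILURE): check hostname and password")
    if t.termreq_before_ipcp:
        msg = "peer sent LCP TERMREQ before IPCP started"
        if t.out_responses & t.in_success:
            msg += "; it had already accepted our credentials, so this is not a password problem"
        problems.append(msg)
    return problems


if __name__ == "__main__":
    for name, sample in (("thread sample", SAMPLE_DEBUG), ("constructed good call", SAMPLE_GOOD)):
        print(f"{name}: {diagnose(parse_trace(sample)) or ['no problems found']}")
```

Run against the thread's output it reports the mutual authentication, the unanswered challenge id 9 and the TERMREQ that arrived after the RAS had already sent SUCCESS, which is exactly the chain of evidence behind the "callin" suggestion; run against the constructed one-way sample it reports nothing.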
09-19-2002 03:14 PM
I knew it was something stupid. It works!!
I love you! (in a non homosexual kinda way!!)
Thank you very, very much, you saved my life and future training!!
Happy Mark