Cisco Support Community
New Member

MS-CHAP-V2 and IOS 12.2.2 XB5

Hi, I am having big trouble configuring a CISCO 3660 with 4 PRIs as a dial-in server using ACS V3.0 and MS-CHAP-V2 with the password expiration feature.

Everything is fine until I set the "user will have to change password next time" switch in Win2K. When I dial in after that, the 3660 just crashes while the change password box appears on the screen of the dialup client (NT and 2K).

This is the config of the router:

version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname RoutEWAHL1
!
boot system flash flash:c3660-i-mz.122-2.XB5.bin
boot system flash flash:c3660-is-mz.122-10.bin
aaa new-model
!
!
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group radius
aaa authorization exec default group tacacs+ none
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group radius
aaa session-id common
enable password pullmoll
!
username XYXYXYXXY password 0 XYXYXYXXYXY
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
isdn switch-type primary-net5
!
controller E1 1/0
 pri-group timeslots 1-31
!
controller E1 1/1
 pri-group timeslots 1-31
!
controller E1 2/0
 pri-group timeslots 1-31
!
controller E1 2/1
 pri-group timeslots 1-31
!
!
!
interface FastEthernet0/0
 ip address 172.17.2.1 255.255.0.0
 no ip mroute-cache
 duplex auto
 speed 100
!
interface Serial1/0:15
 description Rufnummer XYXYXYXY
 no ip address
 encapsulation ppp
 ip tcp header-compression
 timeout absolute 3600 0
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn T310 4000
 compress mppc
 no cdp enable
 ppp multilink
!
interface Serial1/1:15
 description Rufnummer XYXYXYXXY
 no ip address
 encapsulation ppp
 ip tcp header-compression
 timeout absolute 3600 0
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn T310 4000
 compress mppc
 no cdp enable
 ppp multilink
!
interface Serial2/0:15
 no ip address
 shutdown
 isdn switch-type primary-net5
 isdn T310 4000
 no cdp enable
!
interface Serial2/1:15
 no ip address
 shutdown
 isdn switch-type primary-net5
 isdn T310 4000
 no cdp enable
!
interface Dialer1
 description Interner SOPHO-Anschluss XYXYXXYXY
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 ip tcp header-compression
 no ip mroute-cache
 keepalive 7200
 timeout absolute 3600 0
 dialer in-band
 dialer aaa
 dialer idle-timeout 7200
 dialer hold-queue 20
 dialer-group 1
 no peer default ip address
 compress mppc
 no cdp enable
 ppp max-bad-auth 3
 ppp callback accept
 ppp authentication ms-chap-v2 callin
 ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.1.5
ip route 172.18.178.0 255.255.255.0 172.17.1.7
ip route 172.19.98.0 255.255.255.0 172.17.1.5
ip route 191.9.0.0 255.255.0.0 172.17.1.7
ip http server
!
!
map-class dialer call-back
 dialer callback-server username
logging trap notifications
logging 172.17.40.0
dialer-list 1 protocol ip permit
tacacs-server host 172.19.98.71 key stadtdoras
snmp-server community dort_wri RW
snmp-server community stado_ro RO
snmp-server enable traps tty
radius-server host 172.19.98.71 auth-port 1812 acct-port 1813 key stadtdoras
radius-server retransmit 3
radius-server vsa send authentication
!
line con 0
 speed 19200
line aux 0
line vty 0 4
 timeout login response 300
 password admin
 absolute-timeout 3600
!
!
end

If you have any tips for me about what I am doing wrong, please don't hesitate to tell me ..... Thank you for your help !!

5 REPLIES
Cisco Employee

Re: MS-CHAP-V2 and IOS 12.2.2 XB5

Well, if your router crashes after the 'change password box', then it could be a bug. Have you tried alternate code to narrow down the issue? If it works using another version, then I would suggest you open a TAC case to get further help.

R/Yusuf

New Member

Re: MS-CHAP-V2 and IOS 12.2.2 XB5

Well, the TAC told me that the only current version supporting MS-CHAP-V2 is 12.2(2) XB5. MS-CHAP-V2 is scheduled for the next major release. There is a document related to this MS-CHAP-V2 issue describing how to set up MS-CHAP-V2, and I did as explained in that document. The crash only occurs when the change password box occurs. I tried this with the demo of ACS V3.0 because we just got ACS V2.6, but I am not buying a new version if that password change feature doesn't work correctly.

Silver

Re: MS-CHAP-V2 and IOS 12.2.2 XB5

You are running into CSCdx66244....12.2(2)XB6 has the fix for the same.

Thanks, Mak.

New Member

Re: MS-CHAP-V2 and IOS 12.2.2 XB5

Thanks, but I just tried to download and test 12.2(2)XB6 and noticed that there's only an XB5 release for the 3660 .... and maybe you can also help me with this: you gave me a problem number, but how can I find this specific problem using the number you gave me ???? Thank you very much !

Silver

Re: MS-CHAP-V2 and IOS 12.2.2 XB5

Go to www.cisco.com/tac, log in, select Tool Index, select Bug Toolkit and enter the bug ID (CSCdx66244).

You can find 12.2(2)XB6 for 3660 on CCO now.

Thanks, Mak.
