Cisco Support Community
Community Member

MS-CHAP-V2 and password change again ...

Hello, I am still trying to implement a CISCO 3660 with four E1 lines as RAS-Server for NT/W2K Dialup-Users. Everything works fine, except the new MS-CHAP-V2 Password change feature which is also supported by Cisco ACS V3.0. The problem still resides, that if I select the "User must change password next logon" box the dialup-user sees the dialogue telling him to change the password, but the password is not sent to the ACS Server and changed in the W2K User-Database. I was told that IOS 12.2.2 XB6 will support this and clear the crash bug which was in XB5. The crash bug is fixed, but you still cannot change the Dialup-Password. I also found a document that this is still not supported in XB6. Can someone from Cisco tell me when this feature will work correctly???

This is a debug trace from the Router and some notes which I found in bug-tool:

16:01:38: %LINK-3-UPDOWN: Interface Serial1/0:0, changed state to up

16:01:38: Se1/0:0 EVT: Cstate [13] 4 0x812BCF18

16:01:38: Se1/0:0 PPP: Treating connection as a callin

16:01:38: Se1/0:0 PPP: Phase is ESTABLISHING, Passive Open

16:01:38: Se1/0:0 LCP: State is Listen

16:01:40: Se1/0:0 EVT: Packet [13] 1 0x810478FC

16:01:40: Se1/0:0 LCP: I CONFREQ [Listen] id 0 len 13

16:01:40: Se1/0:0 LCP: MagicNumber 0x00001C80 (0x050600001C80)

16:01:40: Se1/0:0 LCP: Callback 6 (0x0D0306)

16:01:40: Se1/0:0 PPP: Authorization required

16:01:40: Se1/0:0 LCP: O CONFREQ [Listen] id 23 len 33

16:01:40: Se1/0:0 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)

16:01:40: Se1/0:0 LCP: MagicNumber 0x0AC13725 (0x05060AC13725)

16:01:40: Se1/0:0 LCP: MRRU 1524 (0x110405F4)

16:01:40: Se1/0:0 LCP: EndpointDisc 1 RoutFW-Test (0x130E01526F757446572D54657374)

16:01:40: Se1/0:0 LCP: O CONFACK [Listen] id 0 len 13

16:01:40: Se1/0:0 LCP: MagicNumber 0x00001C80 (0x050600001C80)

16:01:40: Se1/0:0 LCP: Callback 6 (0x0D0306)

16:01:40: Se1/0:0 EVT: Packet [13] 1 0x810478FC

16:01:40: Se1/0:0 LCP: I CONFREJ [ACKsent] id 23 len 22

16:01:40: Se1/0:0 LCP: MRRU 1524 (0x110405F4)

16:01:40: Se1/0:0 LCP: EndpointDisc 1 RoutFW-Test (0x130E01526F757446572D54657374)

16:01:40: Se1/0:0 LCP: O CONFREQ [ACKsent] id 24 len 15

16:01:40: Se1/0:0 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)

16:01:40: Se1/0:0 LCP: MagicNumber 0x0AC13725 (0x05060AC13725)

16:01:40: Se1/0:0 EVT: Packet [13] 1 0x81044970

16:01:40: Se1/0:0 LCP: I CONFACK [ACKsent] id 24 len 15

16:01:40: Se1/0:0 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)

16:01:40: Se1/0:0 LCP: MagicNumber 0x0AC13725 (0x05060AC13725)

16:01:40: Se1/0:0 LCP: State is Open

16:01:40: Se1/0:0 PPP: Phase is AUTHENTICATING, by this end

16:01:40: Se1/0:0 MS-CHAP-V2: O CHALLENGE id 22 len 32 from "RoutFW-Test"

16:01:40: Se1/0:0 EVT: Packet [13] 1 0x810478FC

16:01:40: Se1/0:0 LCP: I IDENTIFY [Open] id 1 len 18 magic 0x00001C80 MSRASV4.00

16:01:40: Se1/0:0 EVT: Packet [13] 1 0x810478FC

16:01:40: Se1/0:0 LCP: I IDENTIFY [Open] id 2 len 25 magic 0x00001C80 MSRAS-1-RASTEST_1

16:01:40: Se1/0:0 EVT: Packet [13] 0 0x810478FC

16:01:40: Se1/0:0 MS-CHAP-V2: I RESPONSE id 22 len 60 from "DialIn"

16:01:40: AAA/AUTHEN/PPP (00000017): Pick method list 'default'

16:01:40: Se1/0:0 PPP: Sent MSCHAP_V2 LOGIN Request

16:01:40: RADIUS/ENCODE(00000017): acct_session_id: 51

16:01:40: RADIUS(00000017): sending

16:01:40: RADIUS: Send to unknown id 20 172.19.98.71:1812, Access-Request, len 169

16:01:40: RADIUS: authenticator 0C 46 03 5E BB 18 9E 9E - 24 55 59 77 71 47 C2 CF

16:01:40: RADIUS: Framed-Protocol [7] 6 PPP [1]

16:01:40: RADIUS: User-Name [1] 8 "DialIn"

16:01:40: RADIUS: Vendor, Microsoft [26] 24

16:01:40: RADIUS: MSCHAP_Challenge [11] 18

16:01:40: RADIUS: 0C 46 03 5E BB 18 9E 9E 24 55 59 77 71 47 C2 [?F?^????$UYwqG?]

16:01:40: RADIUS: Vendor, Microsoft [26] 58

16:01:40: RADIUS: MS-CHAP-V2-Response[25] 52 *

16:01:40: RADIUS: Vendor, Cisco [26] 19

16:01:40: RADIUS: cisco-nas-port [2] 13 "Serial1/0:0"

16:01:40: RADIUS: NAS-Port [5] 6 20000

16:01:40: RADIUS: NAS-Port-Type [61] 6 ISDN [2]

16:01:40: RADIUS: Calling-Station-Id [31] 10 "04765538"

16:01:40: RADIUS: Service-Type [6] 6 Framed [2]

16:01:40: RADIUS: NAS-IP-Address [4] 6 172.17.2.3

16:01:41: RADIUS: Received from id 20 172.19.98.71:1812, Access-Reject, len 54

16:01:41: RADIUS: authenticator 15 60 B4 B9 91 15 4A 13 - A8 F7 F0 F7 02 E9 C5 A3

16:01:41: RADIUS: Reply-Message [18] 12

16:01:41: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]

16:01:41: RADIUS: Vendor, Microsoft [26] 22

16:01:41: RADIUS: MS-CHAP-ERROR [2] 16 "E=648 R=0 V="

16:01:41: RADIUS: Received from id 17

16:01:41: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes

16:01:41: Se1/0:0 PPP: Received LOGIN Response FAIL

16:01:41: Se1/0:0 MS-CHAP-V2: O FAILURE id 22 len 52 msg is "E=648 R=1 C=2346035EBB189E9E245559777147C2CF V=3"

16:01:41: Se1/0:0 AUTH: Will allow 2 more authentication attempts

16:01:44: %ISDN-6-CONNECT: Interface Serial1/0:0 is now connected to 04765538

16:01:46: Se1/0:0 EVT: Packet [13] 0 0x81199054

16:01:46: Se1/0:0 MS-CHAP-V2: I RESPONSE id 23 len 60 from "DialIn"

16:01:46: AAA/AUTHEN/PPP (00000017): Pick method list 'default'

16:01:46: Se1/0:0 PPP: Sent MSCHAP_V2 LOGIN Request

16:01:46: RADIUS/ENCODE(00000017): acct_session_id: 51

16:01:46: RADIUS(00000017): sending

16:01:46: RADIUS: Send to unknown id 21 172.19.98.71:1812, Access-Request, len 169

16:01:46: RADIUS: authenticator 23 46 03 5E BB 18 9E 9E - 24 55 59 77 71 47 C2 CF

16:01:46: RADIUS: Framed-Protocol [7] 6 PPP [1]

16:01:46: RADIUS: User-Name [1] 8 "DialIn"

16:01:46: RADIUS: Vendor, Microsoft [26] 24

16:01:46: RADIUS: MSCHAP_Challenge [11] 18

16:01:46: RADIUS: 23 46 03 5E BB 18 9E 9E 24 55 59 77 71 47 C2 CF [#F?^????$UYwqG??]

16:01:46: RADIUS: Vendor, Microsoft [26] 58

16:01:46: RADIUS: MS-CHAP-V2-Response[25] 52 *

16:01:46: RADIUS: Vendor, Cisco [26] 19

16:01:46: RADIUS: cisco-nas-port [2] 13 "Serial1/0:0"

16:01:46: RADIUS: NAS-Port [5] 6 20000

16:01:46: RADIUS: NAS-Port-Type [61] 6 ISDN [2]

16:01:46: RADIUS: Calling-Station-Id [31] 10 "04765538"

16:01:46: RADIUS: Service-Type [6] 6 Framed [2]

16:01:46: RADIUS: NAS-IP-Address [4] 6 172.17.2.3

16:01:46: RADIUS: Received from id 21 172.19.98.71:1812, Access-Reject, len 54

16:01:46: RADIUS: authenticator 90 62 E7 F6 70 5B D2 60 - 9B FE 67 12 56 42 F9 23

16:01:46: RADIUS: Reply-Message [18] 12

16:01:46: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]

16:01:46: RADIUS: Vendor, Microsoft [26] 22

16:01:46: RADIUS: MS-CHAP-ERROR [2] 16 "E=691 R=0 V="

16:01:46: RADIUS: Received from id 17

16:01:46: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes

16:01:46: Se1/0:0 PPP: Received LOGIN Response FAIL

16:01:46: Se1/0:0 MS-CHAP-V2: O FAILURE id 23 len 52 msg is "E=691 R=1 C=3A46035EBB189E9E245559777147C2CF V=3"

16:01:46: Se1/0:0 AUTH: Will allow 1 more authentication attempts

16:01:50: Se1/0:0 AUTH: Timeout 1

16:01:52: Se1/0:0 EVT: Packet [13] 0 0x810478FC

16:01:52: Se1/0:0 MS-CHAP-V2: I RESPONSE id 24 len 60 from "DialIn"

16:01:52: AAA/AUTHEN/PPP (00000017): Pick method list 'default'

16:01:52: Se1/0:0 PPP: Sent MSCHAP_V2 LOGIN Request

16:01:52: RADIUS/ENCODE(00000017): acct_session_id: 51

16:01:52: RADIUS(00000017): sending

16:01:52: RADIUS: Send to unknown id 22 172.19.98.71:1812, Access-Request, len 169

16:01:52: RADIUS: authenticator 3A 46 03 5E BB 18 9E 9E - 24 55 59 77 71 47 C2 CF

16:01:52: RADIUS: Framed-Protocol [7] 6 PPP [1]

16:01:52: RADIUS: User-Name [1] 8 "DialIn"

16:01:52: RADIUS: Vendor, Microsoft [26] 24

16:01:52: RADIUS: MSCHAP_Challenge [11] 18

16:01:52: RADIUS: 3A 46 03 5E BB 18 9E 9E 24 55 59 77 71 47 C2 CF [:F?^????$UYwqG??]

16:01:52: RADIUS: Vendor, Microsoft [26] 58

16:01:52: RADIUS: MS-CHAP-V2-Response[25] 52 *

16:01:52: RADIUS: Vendor, Cisco [26] 19

16:01:52: RADIUS: cisco-nas-port [2] 13 "Serial1/0:0"

16:01:52: RADIUS: NAS-Port [5] 6 20000

16:01:52: RADIUS: NAS-Port-Type [61] 6 ISDN [2]

16:01:52: RADIUS: Calling-Station-Id [31] 10 "04765538"

16:01:52: RADIUS: Service-Type [6] 6 Framed [2]

16:01:52: RADIUS: NAS-IP-Address [4] 6 172.17.2.3

16:01:52: RADIUS: Received from id 22 172.19.98.71:1812, Access-Reject, len 54

16:01:52: RADIUS: authenticator B4 3A FC 62 5F FD EE 8E - A3 5D E2 53 17 7A 51 F7

16:01:52: RADIUS: Reply-Message [18] 12

16:01:52: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]

16:01:52: RADIUS: Vendor, Microsoft [26] 22

16:01:52: RADIUS: MS-CHAP-ERROR [2] 16 "E=691 R=0 V="

16:01:52: RADIUS: Received from id 17

16:01:52: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes

16:01:52: Se1/0:0 PPP: Received LOGIN Response FAIL

16:01:52: Se1/0:0 MS-CHAP-V2: O FAILURE id 24 len 13 msg is "E=691 R=0"

16:01:52: Se1/0:0 CCP: State is Closed

16:01:52: Se1/0:0 CCP: Compression already closed

16:01:52: Se1/0:0 PPP: Phase is TERMINATING

16:01:52: Se1/0:0 LCP: O TERMREQ [Open] id 25 len 4

16:01:52: Se1/0:0 EVT: Packet [13] 1 0x810478FC

16:01:52: Se1/0:0 LCP: I TERMREQ [TERMsent] id 3 len 8 (0x000002B3)

16:01:52: Se1/0:0 LCP: O TERMACK [TERMsent] id 3 len 4

16:01:52: Se1/0:0 EVT: Packet [13] 1 0x81199054

16:01:52: Se1/0:0 LCP: I TERMACK [TERMsent] id 25 len 4

16:01:52: Se1/0:0 LCP: State is Closed

16:01:52: Se1/0:0 PPP: Phase is DOWN

16:01:52: Se1/0:0 PPP: Phase is ESTABLISHING, Passive Open

16:01:52: Se1/0:0 LCP: State is Listen

16:01:52: %ISDN-6-DISCONNECT: Interface Serial1/0:0 disconnected from 04765538 , call lasted 13 seconds

16:01:223338299392: %LINK-3-UPDOWN: Interface Serial1/0:0, changed state to down

16:01:52: Se1/0:0 EVT: Cstate [14] 0 0x812BCF18

16:01:52: Se1/0:0 LCP: State is Closed

16:01:52: Se1/0:0 PPP: Phase is DOWN

CSCdw77166 Bug Details

Release Notes

The test will verify the support of version 2 of Microsoft's PPP CHAP dialect, called MSCHAPv2 on Cisco routers by examining the output of various show and debug commands, as well as verifying successful authentication and rejection via local method as well as via MS-IAS RADIUS server. In these IOS images, MSCHAPv2 authentication protocol is not working properly and the required debugs are not collected while making a call.

ppp authentication ms-chap-v2 is configured in the UUT.

The list below contains all of the versions that are affected by this bug:

12.2(2)XB

12.2(2)XB1

12.2(2)XB2

12.2(2)XB4

12.2(2r)XB

12.2(2)XB3

12.2(2)XB5

12.2(2)XB6
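
The `msg is "E=... R=... C=... V=..."` strings in the trace above follow the MS-CHAP-V2 Failure packet format of RFC 2759 (E = error code, R = retry flag, C = new challenge, V = version). As an added example that is not part of the original post, this Python sketch decodes them and reports which packet type the peer sent next; the function and variable names are assumptions of the example.

```python
import re

# Error codes for the MS-CHAP-V2 Failure packet (RFC 2759, section 6).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Lines copied from the debug trace in the post above.
TRACE = '''\
16:01:40: Se1/0:0 MS-CHAP-V2: I RESPONSE id 22 len 60 from "DialIn"
16:01:41: Se1/0:0 MS-CHAP-V2: O FAILURE id 22 len 52 msg is "E=648 R=1 C=2346035EBB189E9E245559777147C2CF V=3"
16:01:46: Se1/0:0 MS-CHAP-V2: I RESPONSE id 23 len 60 from "DialIn"
16:01:46: Se1/0:0 MS-CHAP-V2: O FAILURE id 23 len 52 msg is "E=691 R=1 C=3A46035EBB189E9E245559777147C2CF V=3"
16:01:52: Se1/0:0 MS-CHAP-V2: I RESPONSE id 24 len 60 from "DialIn"
16:01:52: Se1/0:0 MS-CHAP-V2: O FAILURE id 24 len 13 msg is "E=691 R=0"
'''

PKT = re.compile(r'MS-CHAP-V2: ([IO]) (\w+) id (\d+)(?:.*msg is "([^"]*)")?')

def parse_failure(msg):
    """Decode the 'E=.. R=.. C=.. V=..' string of a Failure packet."""
    f = dict(kv.split("=", 1) for kv in msg.split() if "=" in kv)
    code = int(f["E"])
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": f.get("R") == "1",
        "challenge": f.get("C"),          # 32 hex digits when present
        "version": int(f["V"]) if f.get("V") else None,
    }

def analyse(trace):
    """Pair each outbound Failure with the peer's next inbound packet type."""
    pkts = [m.groups() for m in map(PKT.search, trace.splitlines()) if m]
    out = []
    for i, (direction, kind, pid, msg) in enumerate(pkts):
        if direction == "O" and kind == "FAILURE":
            nxt = next((k for d, k, _, _ in pkts[i + 1:] if d == "I"), None)
            out.append({**parse_failure(msg), "id": int(pid), "peer_next": nxt})
    return out

for row in analyse(TRACE):
    print(row)
```

For id 22 this reports ERROR_PASSWD_EXPIRED with retry allowed, and the peer's next packet in this trace is another RESPONSE.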

3 REPLIES
Community Member

Re: MS-CHAP-V2 and password change again ...

Could be related to your Windows, have a read at:

http://www.microsoft.com/windows2000/en/professional/help/auth_mschapv2.htm

Silver

Re: MS-CHAP-V2 and password change again ...

Can you try with a Win98 client in the same setup... Microsoft has some issues with Win2k & XP (seen internal email correspondence with MS on the same).

Thanks, Mak.

Community Member

Re: MS-CHAP-V2 and password change again ...

Yep, I can do some testing with a Win98 client, but it will take 1 or 2 days, because we only have NT + W2K here, but I can get a laptop which has 98 on it...
