Cisco Support Community
New Member

Problems using ms-chap authentication with AS5200 and RADIUS (IAS)

Hi,

Our RAS users dial-in to an AS5200 and are authenticated in a RADIUS (IAS) server running Windows 2000. When I use PAP authentication everything is working fine, but when I instead configure "ppp authentication ms-chap" the users are no longer able to connect. The IAS log indicates that an incorrect username or password had been supplied.

The client is set up to use MS-CHAP authentication and the IAS policy allows users to authenticate both with ms-chap and pap.

Please find below the error message on the IAS and a few lines of debug:

User testuser was denied access.

Fully-Qualified-User-Name = REMOTE\testuser

NAS-IP-Address = 192.168.100.100

NAS-Identifier = <not present>

Called-Station-Identifier = <not present>

Calling-Station-Identifier = xxxxxxxxx

Client-Friendly-Name = AS5200

Client-IP-Address = 192.168.100.100

NAS-Port-Type = Async

NAS-Port = 11

Policy-Name = <undetermined>

Authentication-Type = MS-CHAPv1

EAP-Type = <undetermined>

Reason-Code = 16

Reason = There was an authentication failure because of an unknown user name or a bad password.

Jun 19 11:21:17.541 CET: RADIUS: Received from id 128 10.10.10.10:1645, Access-Reject, len 42

Jun 19 11:21:17.553 CET: As11 CHAP: Unable to validate Response. Username testuser: Authentication failure

Jun 19 11:21:17.557 CET: As11 MS-CHAP: O FAILURE id 2 len 18 msg is "BE=691 R=0 V=3"

Does anyone have an idea of what could be wrong?

Thanks in advance for your help!

Regards,

Harald
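
The failure string in the router debug above follows the MS-CHAP Failure packet format from RFC 2433 (`E=` error code, `R=` retry flag, `V=` version), so it can be decoded mechanically. The sketch below is an added example, not part of the original post; the function names are hypothetical, the line layout is assumed from the single FAILURE line quoted above, and the third sample line is constructed.

```python
import re

# Error codes defined for the MS-CHAP Failure packet in RFC 2433.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# key=value tokens; matching on the key letter alone tolerates the extra
# leading character seen in the debug line above ("BE=691").
FIELD_RE = re.compile(r"([ERCV])=(\S+)")
# Line layout assumed from the one FAILURE line quoted in the post.
LINE_RE = re.compile(r'(\S+) MS-CHAP: O FAILURE id (\d+) .*?msg is "([^"]*)"')

def parse_failure_message(msg):
    """Decode an RFC 2433 failure message such as 'E=691 R=0 V=3'."""
    fields = dict(FIELD_RE.findall(msg))
    if not fields.get("E", "").isdigit():
        raise ValueError(f"no E= error code in {msg!r}")
    code = int(fields["E"])
    version = fields.get("V", "")
    return {
        "error_code": code,
        "error_name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
        # RFC 2433: assume version 1 when V= is absent.
        "version": int(version) if version.isdigit() else 1,
    }

def failures_in_debug(lines):
    """Return one decoded record per MS-CHAP FAILURE line in debug output."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            out.append({"interface": m.group(1), "id": int(m.group(2)),
                        **parse_failure_message(m.group(3))})
    return out

SAMPLE = [  # first two lines are from the post; the third is constructed
    "Jun 19 11:21:17.553 CET: As11 CHAP: Unable to validate Response. Username testuser: Authentication failure",
    'Jun 19 11:21:17.557 CET: As11 MS-CHAP: O FAILURE id 2 len 18 msg is "BE=691 R=0 V=3"',
    'Jun 19 11:25:02.101 CET: As12 MS-CHAP: O FAILURE id 3 len 13 msg is "E=648 R=0"',
]
if __name__ == "__main__":
    for rec in failures_in_debug(SAMPLE):
        print(rec)
```

For the line in the post this yields error 691 (ERROR_AUTHENTICATION_FAILURE) with retry not allowed, the same generic credential failure that IAS logs as Reason-Code 16, so the router output alone does not say why the server rejected the response.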

6 REPLIES
Bronze

Re: Problems using ms-chap authentication with AS5200 and RADIUS

Harald,

How is your RADIUS server authenticating - by a local database or through an external database, such as Windows NT? If it is external, the RADIUS server will not be able to convert the hash it receives from the router to the user's password and cannot authenticate.

Mark

New Member

Re: Problems using ms-chap authentication with AS5200 and RADIUS

The RADIUS server (IAS) uses the Active Directory database (Windows 2000) to authenticate the users. Does that mean there is no way of using ms-chap to authenticate?

New Member

Re: Problems using ms-chap authentication with AS5200 and RADIUS

Better late than never, I suppose. I assume you have already solved this anyway. I write this reply just in case others find it in a search of the database. You need to check the box in IAS for reverse encryptable passwords. Then reset the user password to store it again in the new format.

Anonymous
N/A

Re: Problems using ms-chap authentication with AS5200 and RADIUS

Where is that checkbox? I have not been able to find it.

New Member

Re: Problems using ms-chap authentication with AS5200 and RADIUS

Check the following URL. You will find a complete guide indicating how to configure an IAS/RADIUS 802.1x client on Windows XP and a FOUNDRY Networks switch, all to support 802.1x and dynamic VLAN.

Curiously, the Foundry CLI is very similar to the Cisco CLI (!!!)

Hope it helps.

New Member

Re: Problems using ms-chap authentication with AS5200 and RADIUS

Sorry,

forgot the URL

www.foundrynet.com/solutions/appNotes/PDFs/8021xAuthenticationWithActiveDirectory.pdf
