Cisco Support Community

New Member

PPTP + Local Authentication

I am trying to set up our concentrator to allow PPTP VPN sessions using local authentication. I set up a PPTP group on our concentrator and set up a local user which is associated with the group. I set the tunneling protocols to PPTP on both the group and user levels. I also set the respective PPTP Authentication Protocols under the PPTP/L2TP tab for the group. The problem I am running into is that when I attempt to establish a connection from a Windows XP machine using the local user account, I am never able to establish a connection. When I watch the Live Event Viewer it shows the following message ( User [pptpuser]disconnected.. failed authentication (MSCHAP-V2) ). What I take from this is that the concentrator seems to still be looking for Radius auth. Anyone have any suggestions on this?

2 REPLIES
Cisco Employee

Re: PPTP + Local Authentication

Couple of things I would try to begin with.

1. Move the Internal Authentication to the top of the list under authentication servers.

2. Check the PPTP Configuration to see if you have MSCHAP-V2 Configured. If so, try disabling this option and see if it works.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: PPTP + Local Authentication

I tried these 2 suggestions and the outcome is not as I expected. I think the issue I am having is due to how this concentrator was originally deployed and set up. If I move the Internal Authentication to the top of the list then Radius authentication fails. If I move Radius back to the top then Internal will fail. Historically the way users access VPN is to use Radius and authenticate to the Base-Group, which by default is set to Radius authentication. In previous implementations I have seen, the Base-Group is set to internal for authentication and then various groups are created in the concentrator, and within those groups you specify them to auth via Radius server.
