02-20-2004 04:49 PM - edited 02-20-2020 09:23 PM
Hi,
We are using a Cisco 1721 router for terminating Microsoft PPTP connections. When using the Local user-database on the router, everything works.
However with RADIUS authentication, the setup fails.
Even though the IOS router "does" get an "Access-Accept" from the RADIUS, it still drops the client connection.
Below is the trace
+++++++++++++++++++++++++++++++++++++++
RADIUS: Send to unknown id 10 10.10.1.20:1812, Access-Request, len 138
1w2d: RADIUS: authenticator 82 C6 16 85 2F 6E D8 C0 - 00 00 00 00 00 00 00 00
1w2d: RADIUS: User-Name [1] 20 "xxxxxx"
1w2d: RADIUS: Vendor, Microsoft [26] 16
1w2d: RADIUS: MSCHAP_Challenge [11] 10
1w2d: RADIUS: 82 C6 16 85 2F 6E [????/n]
1w2d: RADIUS: Vendor, Microsoft [26] 58
1w2d: RADIUS: MS-CHAP-Response [1] 52 *
1w2d: RADIUS: NAS-Port [5] 6 1
1w2d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
1w2d: RADIUS: Service-Type [6] 6 Framed [2]
1w2d: RADIUS: NAS-IP-Address [4] 6 10.10.1.37
1w2d: RADIUS: Received from id 10 10.10.1.20:1812, Access-Accept, len 119
1w2d: RADIUS: authenticator 11 ED 24 75 81 89 B4 E6 - 68 63 E0 CC BA 25 13 0E
1w2d: RADIUS: Framed-Protocol [7] 6 PPP [1]
1w2d: RADIUS: Service-Type [6] 6 Framed [2]
1w2d: RADIUS: Class [25] 32
1w2d: RADIUS: 3B 00 05 0E 00 00 01 37 00 01 0A 0A 01 14 01 C3 [;??????7????????]
1w2d: RADIUS: F3 0C EA 95 B9 06 00 00 00 00 00 00 [????????????]
1w2d: RADIUS: Vendor, Microsoft [26] 40
1w2d: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
1w2d: RADIUS: Vendor, Microsoft [26] 15
1w2d: RADIUS: MS-CHAP-DOMAIN [10] 9 "ARKLOW"
1w2d: RADIUS: Response (10) failed decrypt
++++++++++++++++++++++++++++++++
Important config parts are as below
===========================================
aaa authentication ppp use-radius group radius
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
description For terminating PPTP Tunnels
accept-dialin
protocol pptp
virtual-template 1
lcp renegotiation always
ip mtu adjust
interface Virtual-Template1
ip unnumbered FastEthernet0
no ip redirects
no keepalive
peer default ip address pool dialin_pool
ppp encrypt mppe 128
ppp authentication chap ms-chap pap use-radius
!
ip local pool dialin_pool 10.10.3.51 10.10.3.100
==========================================
02-23-2004 02:30 PM
OK, you're getting this now in your debug:
RADIUS: Response (20) failed decrypt
This is an indication that your radius keys don't match. I would suggest removing and re-adding the key on both devices. When you add it back in on the router make sure you DON'T just cut/paste it, cause this can add extra spaces at the end which then become part of the key. Type it in manually on both devices and see what you get.
02-22-2004 04:40 PM
You have the router set up to ensure that the PPTP client agrees to 128-bit MPPE encryption, which is a good thing. The Radius server is returning the MPPE keys as can be seen here:
1w2d: RADIUS: Vendor, Microsoft [26] 40
1w2d: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
which is also good. The router needs to use these keys returned by the Radius server to do the MPPE encryption. What you haven't done is tell the router to do this, and that's why it's disconnecting you. Add the following into the router:
aaa authorization network default radius
and you should be good to go.
02-23-2004 10:20 AM
Hi Glenn,
Thanks for your help. I tried your suggestion but I'm still having exactly the same problem. It seems that it doesn't even get to the "authorization" state and fails to "decrypt" the MPPE keys (?) from the RADIUS server?
I tried 40,128,auto in the command "ppp encrypt mppe" but still the same results.
++++++++++++++++++++++++++++++++++++
1w5d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
1w5d: Vi1 PPP: Treating connection as a dedicated line
1w5d: Vi1 PPP: Authorization required
1w5d: Vi1 PPP: Preauth Authorization:
1w5d: Vi1 PPP/AAA: auth-required
1w5d: Vi1 AAA/AUTHOR/LCP: Authorization succeeds trivially
1w5d: Vi1 MS-CHAP: O CHALLENGE id 24 len 21 from "ir-vpn "
1w5d: Vi1 MS-CHAP: I RESPONSE id 24 len 72 from "ARKLOW\test.vpn"
1w5d: AAA/AUTHEN/PPP (0000003D): Pick method list 'use-radius'
1w5d: Vi1 PPP: Sent MSCHAP LOGIN Request to AAA
1w5d: RADIUS/ENCODE(0000003D): acct_session_id: 46
1w5d: RADIUS(0000003D): sending
1w5d: RADIUS: Send to unknown id 20 10.10.1.20:1812, Access-Request, len 138
1w5d: RADIUS: authenticator EA EB 30 34 AF 2D 42 C3 - 00 00 00 00 00 00 00 00
1w5d: RADIUS: User-Name [1] 20 "ARKLOW\test.vpn"
1w5d: RADIUS: Vendor, Microsoft [26] 16
1w5d: RADIUS: MSCHAP_Challenge [11] 10
1w5d: RADIUS: EA EB 30 34 AF 2D [??04?-]
1w5d: RADIUS: Vendor, Microsoft [26] 58
1w5d: RADIUS: MS-CHAP-Response [1] 52 *
1w5d: RADIUS: NAS-Port [5] 6 1
1w5d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
1w5d: RADIUS: Service-Type [6] 6 Framed [2]
1w5d: RADIUS: NAS-IP-Address [4] 6 10.10.1.37
1w5d: RADIUS: Received from id 20 10.10.1.20:1812, Access-Accept, len 119
1w5d: RADIUS: authenticator 87 7C 10 35 B6 1F BC 15 - 74 AF 99 38 01 3C 0B CD
1w5d: RADIUS: Framed-Protocol [7] 6 PPP [1]
1w5d: RADIUS: Service-Type [6] 6 Framed [2]
1w5d: RADIUS: Class [25] 32
1w5d: RADIUS: 3B 3B 05 49 00 00 01 37 00 01 0A 0A 01 14 01 C3 [;;?I???7????????]
1w5d: RADIUS: F3 0C EA 95 B9 06 00 00 00 00 00 00 [????????????]
1w5d: RADIUS: Vendor, Microsoft [26] 40
1w5d: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
1w5d: RADIUS: Vendor, Microsoft [26] 15
1w5d: RADIUS: MS-CHAP-DOMAIN [10] 9 "ARKLOW"
1w5d: RADIUS: Response (20) failed decrypt
1w5d: RADIUS: Retransmit to (10.10.1.20:1812,1813) for id 20
1w5d: RADIUS: Received from id 20 10.10.1.20:1812, Access-Accept, len 119
1w5d: RADIUS: authenticator 27 6D 75 AB 97 DA 1E 0D - D3 50 F6 DF 01 2F DA E9
1w5d: RADIUS: Framed-Protocol [7] 6 PPP [1]
1w5d: RADIUS: Service-Type [6] 6 Framed [2]
1w5d: RADIUS: Class [25] 32
1w5d: RADIUS: 3B 3D 05 4B 00 00 01 37 00 01 0A 0A 01 14 01 C3 [;=?K???7????????]
1w5d: RADIUS: F3 0C EA 95 B9 06 00 00 00 00 00 00 [????????????]
1w5d: RADIUS: Vendor, Microsoft [26] 40
1w5d: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
1w5d: RADIUS: Vendor, Microsoft [26] 15
1w5d: RADIUS: MS-CHAP-DOMAIN [10] 9 "ARKLOW"
1w5d: RADIUS: Response (20) failed decrypt
++++++++++++++++++++++++++++++++++++++++++++++
Config now looks like
=======================================
aaa authentication ppp use-radius group radius
aaa authorization network use-radius group radius
aaa authorization network use-local local
vpdn-group 1
! Default PPTP VPDN group
description For terminating PPTP Tunnels
accept-dialin
protocol pptp
virtual-template 1
lcp renegotiation always
ip mtu adjust
interface Virtual-Template1
ip unnumbered FastEthernet0
no ip redirects
no keepalive
peer default ip address pool dialin_pool
ppp encrypt mppe 128
ppp authentication ms-chap chap pap use-radius
ppp authorization use-radius
ip local pool dialin_pool 10.10.3.51 10.10.3.100
radius-server host 10.10.1.20 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxx
radius-server retransmit 3
================================================
02-23-2004 03:22 PM
Hi Glenn,
If you look at my first posting, I was still getting the same message.
I don't believe that the keys between the router and RADIUS are incorrect, as I am getting the "Access-Accept" from the RADIUS server. I wouldn't get that if the shared secret was incorrect?
Thanks
Naman
02-23-2004 04:22 PM
I was wrong. Re-entering the shared-key fixed the problem.
However, I still don't understand: if the shared secret was incorrect between RADIUS and the router, then why would the RADIUS send an Access-Accept back? Shouldn't it just discard the request, as it was received from an "invalid radius-client"?
Thanks for the help.
\\ Naman
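The question in the final post (why the server returned an Access-Accept while the router reported "failed decrypt") comes down to where RADIUS binds the shared secret, shown here as an added Python example that is not part of the thread: an Access-Request carrying only MS-CHAP attributes contains nothing encrypted or keyed with the secret, so the server can verify the MS-CHAP response and accept, while the NAS checks the reply's Response Authenticator (RFC 2865) with its own secret and discards the reply when the two secrets differ, including by a pasted trailing space. Secrets, identifiers and attribute bytes are constructed sample values, not the thread's.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 6, 26
SECRET_BOUND_ATTRS = {2, 80}  # User-Password (encrypted with secret), Message-Authenticator (HMAC)

def encode_attrs(attrs):
    """Type-Length-Value encoding of (type, value) pairs (RFC 2865 section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_request(ident, attrs):
    """Access-Request: the Request Authenticator is a random nonce, not derived from the secret."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body

def server_can_check_secret(request):
    """A server only notices a wrong secret if the request carries an attribute bound to it."""
    length = struct.unpack("!H", request[2:4])[0]
    pos, types = 20, set()
    while pos + 2 <= length:
        t, l = request[pos], request[pos + 1]
        if l < 2:
            break  # malformed TLV; stop rather than loop forever
        types.add(t)
        pos += l
    return bool(types & SECRET_BOUND_ATTRS)

def build_reply(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_reply(reply, request, secret):
    """NAS side: recompute the Response Authenticator with OUR secret and compare.
    IOS reports a mismatch here as 'RADIUS: Response (id) failed decrypt'."""
    if reply[1] != request[1]:
        return False  # identifier mismatch: not a reply to this request
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return reply[4:20] == expected

def pptp_exchange(router_secret, server_secret):
    """Replay the thread's exchange; returns (server_could_detect_bad_secret, router_accepted_reply)."""
    # Constructed stand-in for MS-CHAP-Challenge: Vendor-Id 311 (Microsoft), vendor type 11, length 10.
    ms_chap_challenge = b"\x00\x00\x01\x37\x0b\x0a" + b"\x11" * 8
    request = build_request(20, [(USER_NAME, b"ARKLOW\\test.vpn"), (VENDOR_SPECIFIC, ms_chap_challenge)])
    # The server validates the MS-CHAP response against its user database, never the RADIUS secret,
    # so it answers Access-Accept (Service-Type = Framed) even when the secrets disagree.
    reply = build_reply(ACCESS_ACCEPT, request, [(SERVICE_TYPE, b"\x00\x00\x00\x02")], server_secret)
    return server_can_check_secret(request), verify_reply(reply, request, router_secret)
```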