RADIUS Auth failure for PPTP on IOS

mnlatif
Level 3

Hi,

We are using a Cisco 1721 router for terminating Microsoft PPTP connections. When using the Local user-database on the router, everything works.

However with RADIUS authentication, the setup fails.

Even though the IOS router "does" get an "Access-accept" from the RADIUS, it still drops the client connection.

Below is the trace

+++++++++++++++++++++++++++++++++++++++
RADIUS: Send to unknown id 10 10.10.1.20:1812, Access-Request, len 138
1w2d: RADIUS: authenticator 82 C6 16 85 2F 6E D8 C0 - 00 00 00 00 00 00 00 00
1w2d: RADIUS: User-Name [1] 20 "xxxxxx"
1w2d: RADIUS: Vendor, Microsoft [26] 16
1w2d: RADIUS: MSCHAP_Challenge [11] 10
1w2d: RADIUS: 82 C6 16 85 2F 6E [????/n]
1w2d: RADIUS: Vendor, Microsoft [26] 58
1w2d: RADIUS: MS-CHAP-Response [1] 52 *
1w2d: RADIUS: NAS-Port [5] 6 1
1w2d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
1w2d: RADIUS: Service-Type [6] 6 Framed [2]
1w2d: RADIUS: NAS-IP-Address [4] 6 10.10.1.37
1w2d: RADIUS: Received from id 10 10.10.1.20:1812, Access-Accept, len 119
1w2d: RADIUS: authenticator 11 ED 24 75 81 89 B4 E6 - 68 63 E0 CC BA 25 13 0E
1w2d: RADIUS: Framed-Protocol [7] 6 PPP [1]
1w2d: RADIUS: Service-Type [6] 6 Framed [2]
1w2d: RADIUS: Class [25] 32
1w2d: RADIUS: 3B 00 05 0E 00 00 01 37 00 01 0A 0A 01 14 01 C3 [;??????7????????]
1w2d: RADIUS: F3 0C EA 95 B9 06 00 00 00 00 00 00 [????????????]
1w2d: RADIUS: Vendor, Microsoft [26] 40
1w2d: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
1w2d: RADIUS: Vendor, Microsoft [26] 15
1w2d: RADIUS: MS-CHAP-DOMAIN [10] 9 "ARKLOW"
1w2d: RADIUS: Response (10) failed decrypt
++++++++++++++++++++++++++++++++

Important config parts are as below

===========================================
aaa authentication ppp use-radius group radius
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 description For terminating PPTP Tunnels
 accept-dialin
  protocol pptp
  virtual-template 1
 lcp renegotiation always
 ip mtu adjust
interface Virtual-Template1
 ip unnumbered FastEthernet0
 no ip redirects
 no keepalive
 peer default ip address pool dialin_pool
 ppp encrypt mppe 128
 ppp authentication chap ms-chap pap use-radius
!
ip local pool dialin_pool 10.10.3.51 10.10.3.100
==========================================

5 Replies

gfullage
Cisco Employee

You have the router set up to ensure that the PPTP client agrees to 128-bit MPPE encryption, which is a good thing. The Radius server is returning the MPPE keys as can be seen here:

1w2d: RADIUS: Vendor, Microsoft [26] 40

1w2d: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *

which is also good. The router needs to use these keys returned by the Radius server to do the MPPE encryption. What you haven't done is tell the router to do this, and that's why it's disconnecting you. Add the following into the router:

aaa authorization network default radius

and you should be good to go.

Hi Glenn,

Thanks for your help. I tried your suggestion but am still having exactly the same problem. It seems that it doesn't even go to the "authorization" state and fails to "decrypt" the MPPE keys (?) from the RADIUS server?

I tried 40, 128 and auto in the command "ppp encrypt mppe" but still get the same results.

++++++++++++++++++++++++++++++++++++
1w5d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
1w5d: Vi1 PPP: Treating connection as a dedicated line
1w5d: Vi1 PPP: Authorization required
1w5d: Vi1 PPP: Preauth Authorization:
1w5d: Vi1 PPP/AAA: auth-required
1w5d: Vi1 AAA/AUTHOR/LCP: Authorization succeeds trivially
1w5d: Vi1 MS-CHAP: O CHALLENGE id 24 len 21 from "ir-vpn "
1w5d: Vi1 MS-CHAP: I RESPONSE id 24 len 72 from "ARKLOW\test.vpn"
1w5d: AAA/AUTHEN/PPP (0000003D): Pick method list 'use-radius'
1w5d: Vi1 PPP: Sent MSCHAP LOGIN Request to AAA
1w5d: RADIUS/ENCODE(0000003D): acct_session_id: 46
1w5d: RADIUS(0000003D): sending
1w5d: RADIUS: Send to unknown id 20 10.10.1.20:1812, Access-Request, len 138
1w5d: RADIUS: authenticator EA EB 30 34 AF 2D 42 C3 - 00 00 00 00 00 00 00 00
1w5d: RADIUS: User-Name [1] 20 "ARKLOW\test.vpn"
1w5d: RADIUS: Vendor, Microsoft [26] 16
1w5d: RADIUS: MSCHAP_Challenge [11] 10
1w5d: RADIUS: EA EB 30 34 AF 2D [??04?-]
1w5d: RADIUS: Vendor, Microsoft [26] 58
1w5d: RADIUS: MS-CHAP-Response [1] 52 *
1w5d: RADIUS: NAS-Port [5] 6 1
1w5d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
1w5d: RADIUS: Service-Type [6] 6 Framed [2]
1w5d: RADIUS: NAS-IP-Address [4] 6 10.10.1.37
1w5d: RADIUS: Received from id 20 10.10.1.20:1812, Access-Accept, len 119
1w5d: RADIUS: authenticator 87 7C 10 35 B6 1F BC 15 - 74 AF 99 38 01 3C 0B CD
1w5d: RADIUS: Framed-Protocol [7] 6 PPP [1]
1w5d: RADIUS: Service-Type [6] 6 Framed [2]
1w5d: RADIUS: Class [25] 32
1w5d: RADIUS: 3B 3B 05 49 00 00 01 37 00 01 0A 0A 01 14 01 C3 [;;?I???7????????]
1w5d: RADIUS: F3 0C EA 95 B9 06 00 00 00 00 00 00 [????????????]
1w5d: RADIUS: Vendor, Microsoft [26] 40
1w5d: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
1w5d: RADIUS: Vendor, Microsoft [26] 15
1w5d: RADIUS: MS-CHAP-DOMAIN [10] 9 "ARKLOW"
1w5d: RADIUS: Response (20) failed decrypt
1w5d: RADIUS: Retransmit to (10.10.1.20:1812,1813) for id 20
1w5d: RADIUS: Received from id 20 10.10.1.20:1812, Access-Accept, len 119
1w5d: RADIUS: authenticator 27 6D 75 AB 97 DA 1E 0D - D3 50 F6 DF 01 2F DA E9
1w5d: RADIUS: Framed-Protocol [7] 6 PPP [1]
1w5d: RADIUS: Service-Type [6] 6 Framed [2]
1w5d: RADIUS: Class [25] 32
1w5d: RADIUS: 3B 3D 05 4B 00 00 01 37 00 01 0A 0A 01 14 01 C3 [;=?K???7????????]
1w5d: RADIUS: F3 0C EA 95 B9 06 00 00 00 00 00 00 [????????????]
1w5d: RADIUS: Vendor, Microsoft [26] 40
1w5d: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
1w5d: RADIUS: Vendor, Microsoft [26] 15
1w5d: RADIUS: MS-CHAP-DOMAIN [10] 9 "ARKLOW"
1w5d: RADIUS: Response (20) failed decrypt
++++++++++++++++++++++++++++++++++++++++++++++

Config now looks like

=======================================
aaa authentication ppp use-radius group radius
aaa authorization network use-radius group radius
aaa authorization network use-local local
vpdn-group 1
 ! Default PPTP VPDN group
 description For terminating PPTP Tunnels
 accept-dialin
  protocol pptp
  virtual-template 1
 lcp renegotiation always
 ip mtu adjust
interface Virtual-Template1
 ip unnumbered FastEthernet0
 no ip redirects
 no keepalive
 peer default ip address pool dialin_pool
 ppp encrypt mppe 128
 ppp authentication ms-chap chap pap use-radius
 ppp authorization use-radius
ip local pool dialin_pool 10.10.3.51 10.10.3.100
radius-server host 10.10.1.20 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxx
radius-server retransmit 3
================================================

OK, you're getting this now in your debug:

RADIUS: Response (20) failed decrypt

This is an indication that your radius keys don't match. I would suggest removing and re-adding the key on both devices. When you add it back in on the router make sure you DON'T just cut/paste it, cause this can add extra spaces at the end which then become part of the key. Type it in manually on both devices and see what you get.

Hi Glenn,

If you look at my first posting, I was still getting the same message.

I don't believe that the keys between the router and RADIUS are incorrect, as I am getting the "Access-Accept" from the RADIUS server. I wouldn't get that if the shared secret was incorrect?

Thanks

Naman

I was wrong. Re-entering the shared-key fixed the problem.

However, I still don't understand: if the shared secret was incorrect between RADIUS and the router, then why would the RADIUS send an Access-Accept back? Shouldn't it just discard the request, as it was received from an "invalid radius-client"?

Thanks for the help.

\\ Naman
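The last question in the thread comes down to where RADIUS actually uses the shared secret. An MS-CHAP Access-Request like the one in the trace carries no User-Password and no Message-Authenticator attribute, so the server has nothing to check the secret against and answers on the strength of the MS-CHAP response alone; the secret is only mixed into the Response Authenticator of the reply (RFC 2865 section 3), which the NAS recomputes with its own copy and rejects on mismatch. The following is an added example, not code from the thread or from Cisco; the secrets and the reply attributes are constructed, and the trailing-space case mirrors the cut/paste problem in the accepted answer.

```python
"""Constructed demo: why a mismatched RADIUS secret still produces an Access-Accept
that the NAS then rejects. Not from the thread; secrets and attributes are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_build_access_accept(ident, request_auth, attrs, server_secret):
    """Server side: user already validated via MS-CHAP, so an Accept is built.
    The secret enters only here, when signing the reply with the server's copy."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, server_secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def nas_verify_reply(packet, request_auth, nas_secret):
    """NAS side: recompute the authenticator with the NAS's secret and compare.
    A mismatch is what IOS reports as 'RADIUS: Response (id) failed decrypt'."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    received = packet[4:20]
    expected = response_authenticator(code, ident, request_auth, packet[20:length], nas_secret)
    return hmac.compare_digest(received, expected)


def demo(server_secret, nas_secret):
    """Returns (server_sent_access_accept, nas_accepted_the_reply)."""
    request_auth = os.urandom(16)  # the NAS's random Request Authenticator
    ident = 20
    # Constructed reply attributes: Service-Type=Framed(2), Framed-Protocol=PPP(1)
    attrs = struct.pack("!BBI", 6, 6, 2) + struct.pack("!BBI", 7, 6, 1)
    reply = server_build_access_accept(ident, request_auth, attrs, server_secret)
    return reply[0] == ACCESS_ACCEPT, nas_verify_reply(reply, request_auth, nas_secret)


if __name__ == "__main__":
    print("matching secrets:      ", demo(b"s3cret", b"s3cret"))
    print("trailing space on NAS: ", demo(b"s3cret", b"s3cret "))
```

With matching secrets both checks pass; with a secret that differs only by a pasted trailing space the server still sends Access-Accept, but the NAS verification fails, which is exactly the pattern in the two debug traces above.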
