Hello,
I want to create a dial-in between two Cisco routers. The Cisco 3640 router authenticates against the RADIUS server.
The problem I have is that the router 1600 can do a CHAP challenge against the 3640.
The 3640 wants to do the CHAP challenge, but it is missing the password for the router 1600.
I have been testing different ways all day to send the CHAP password from the RADIUS server to the router, but the 3640 ignores the key. I don't know where the mistake is.
If someone could help me, it would be very helpful to me.
This is my config in the users file:
    bsirouter3  Auth-Type := CHAP, User-Password == "bioscientia"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            NAS-Port = "2ppcc",
            NAS-Port-Type = "2",
    #       CHAP-Password = "bioscientia",
            Calling-Station-ID = "XXXXXXXXXX",
            Cisco-AVPair += "ip:addr-pool=XXXXXXX",
            Framed-IP-Netmask = "255.255.255.0",
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobsen-TCP-IP
This is the debug message from the router.
    ISDN Se2/0:15: Incoming call id = 0x0052, dsl 0
    Negotiated CCB->int_id 0 B-chan 0, req->int_id 0, B-chan 12
    CCPRI_ReleaseChan CCB->B_Chan zero
    ISDN Se2/0:15: received CALL_INCOMING call_id 0x52
    ISDN Se2/0:15: CALL_INCOMING: call type is DATA , bchan = 11
    ISDN Se2/0:15: Event: Received a DATA call from 6132781540 on B11 at 64 Kb/s
    ISDN Se2/0:15: RM returned call_type 0 resource type 0
    ISDN Se2/0:15: isdn_send_connect(): msg 74, call id 0x52, ces 0 bchan 11, call type DATA
    %LINK-3-UPDOWN: Interface Serial2/0:11, changed state to up
    Se2/0:11 PPP: Treating connection as a callin
    Se2/0:11 PPP: Phase is ESTABLISHING, Passive Open
    Se2/0:11 LCP: State is Listen
    ISDN Se2/0:15: received CALL_PROGRESSing call_id 0x52
    Se2/0:11 LCP: I CONFREQ [Listen] id 155 len 32
    Se2/0:11 LCP: AuthProto CHAP (0x0305C22305)
    Se2/0:11 LCP: MagicNumber 0x11E0224A (0x050611E0224A)
    Se2/0:11 LCP: MRRU 1524 (0x110405F4)
    Se2/0:11 LCP: EndpointDisc 1 Local (0x130D01627369726F7574657233)
    Se2/0:11 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
    Se2/0:11 LCP: O CONFREQ [Listen] id 1 len 33
    Se2/0:11 LCP: AuthProto CHAP (0x0305C22305)
    Se2/0:11 LCP: MagicNumber 0x10A4E9F6 (0x050610A4E9F6)
    Se2/0:11 LCP: MRRU 1524 (0x110405F4)
    Se2/0:11 LCP: EndpointDisc 1 Local (0x130E016273692D726F7574657232)
    Se2/0:11 LCP: O CONFACK [Listen] id 155 len 32
    Se2/0:11 LCP: AuthProto CHAP (0x0305C22305)
    Se2/0:11 LCP: MagicNumber 0x11E0224A (0x050611E0224A)
    Se2/0:11 LCP: MRRU 1524 (0x110405F4)
    Se2/0:11 LCP: EndpointDisc 1 Local (0x130D01627369726F7574657233)
    Se2/0:11 LCP: I CONFACK [ACKsent] id 1 len 33
    Se2/0:11 LCP: AuthProto CHAP (0x0305C22305)
    Se2/0:11 LCP: MagicNumber 0x10A4E9F6 (0x050610A4E9F6)
    Se2/0:11 LCP: MRRU 1524 (0x110405F4)
    Se2/0:11 LCP: EndpointDisc 1 Local (0x130E016273692D726F7574657232)
    Se2/0:11 LCP: State is Open
    Se2/0:11 PPP: Phase is AUTHENTICATING, by both
    Se2/0:11 CHAP: O CHALLENGE id 1 len 32 from "bsi-router2"
    Se2/0:11 CHAP: I CHALLENGE id 145 len 31 from "bsirouter3"
    Se2/0:11 CHAP: Waiting for peer to authenticate first
    Se2/0:11 CHAP: I RESPONSE id 1 len 31 from "bsirouter3"
    AAA: parse name=Serial2/0:11 idb type=13 tty=-1
    AAA: name=Serial2/0:11 flags=0x55 type=1 shelf=0 slot=2 adapter=0 port=0 channel=11
    AAA: parse name=<no string> idb type=-1 tty=-1
    AAA/MEMORY: create_user (0x6208D2B4) user='bsirouter3' ruser='' port='Serial2/0:11*' rem_addr='6132781540/79057' authen_type=CHAP service=PPP priv=1
    AAA/AUTHEN/START (2272578070): port='Serial2/0:11*' list='' action="" service=PPP
    AAA/AUTHEN/START (2272578070): using "default" list
    AAA/AUTHEN (2272578070): status = UNKNOWN
    AAA/AUTHEN/START (2272578070): Method=radius (radius)
    RADIUS: ustruct sharecount=1
    RADIUS: added cisco VSA 2 len 13 "Serial2/0:11*"
    RADIUS: Initial Transmit Serial2/0:11* id 31 10.10.99.201:1645, Access-Request, len 131
    RADIUS: Received from id 31 10.10.99.201:1645, Access-Accept, len 106
    AAA/AUTHEN (2272578070): status = PASS
    Se2/0:11 AAA/AUTHOR/LCP: Authorize LCP
    Se2/0:11 AAA/AUTHOR/LCP (2197525917): Port='Serial2/0:11*' list='' service=NET
    AAA/AUTHOR/LCP: Se2/0:11 (2197525917) user='bsirouter3'
    AAA/AUTHOR/LCP (2197525917): send AV service=ppp
    Se2/0:11 AAA/AUTHOR/LCP (2197525917): send AV protocol=lcp
    Se2/0:11 AAA/AUTHOR/LCP (2197525917): found list "default"
    Se2/0:11 AAA/AUTHOR/LCP (2197525917): Method=radius (radius)
    RADIUS: cisco AVPair "ip:addr-pool=XXXX" not applied for lcp
    Se2/0:11 AAA/AUTHOR (2197525917): Post authorization status = PASS_REPL
    Se2/0:11 AAA/AUTHOR/LCP: Processing AV service=ppp
    Se2/0:11 CHAP: O SUCCESS id 1 len 4
    Se2/0:11 CHAP: Processing saved Challenge, id 145
    AAA: parse name=Serial2/0:11 idb type=13 tty=-1
    AAA: name=Serial2/0:11 flags=0x55 type=1 shelf=0 slot=2 adapter=0 port=0 channel=11
    AAA: parse name=<no string> idb type=-1 tty=-1
    AAA/MEMORY: create_user (0x620B9B78) user='bsirouter3' ruser='' port='Serial2/0:11*' rem_addr='6132781540/79057' authen_type=CHAP service=PPP priv=1
    AAA/AUTHEN/START (2989450000): port='Serial2/0:11*' list='' action="" service=PPP
    AAA/AUTHEN/START (2989450000): using "default" list
    AAA/AUTHEN (2989450000): status = UNKNOWN
    AAA/AUTHEN/START (2989450000): Method=radius (radius)
    AAA/AUTHEN/SENDAUTH (2989450000): missing password for bsirouter3
    AAA/AUTHEN/SENDAUTH (2989450000): Failed sendauthen for bsirouter3
    AAA/AUTHEN (2989450000): status = FAIL
    AAA/AUTHEN/START (2989450000): no methods left to try
    AAA/AUTHEN (2989450000): status = ERROR
    AAA/AUTHEN/START (2989450000): failed to authenticate
    Se2/0:11 CHAP: Username bsirouter3: lookup failure
    AAA/MEMORY: free_user (0x620B9B78) user='bsirouter3' ruser='' port='Serial2/0:11*' rem_addr='6132781540/79057' authen_type=CHAP service=PPP priv=1
    Se2/0:11 CHAP: Unable to authenticate for peer
    Se2/0:11 PPP: Phase is TERMINATING
    Se2/0:11 LCP: O TERMREQ [Open] id 2 len 4
    Se2/0:11 LCP: I TERMACK [TERMsent] id 2 len 4
    Se2/0:11 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
    Se2/0:11 LCP: State is Closed
    Se2/0:11 PPP: Phase is DOWN
    AAA/MEMORY: free_user (0x6208D2B4) user='bsirouter3' ruser='' port='Serial2/0:11*' rem_addr='6132781540/79057' authen_type=CHAP service=PPP priv=1
    Se2/0:11 PPP: Phase is ESTABLISHING, Passive Open
    Se2/0:11 LCP: State is Listen
    ISDN Se2/0:15: Event: Hangup call to call id 0x52
    ISDN Se2/0:15: process_disconnect(): call id 0x52, call type is DATA, b_idb 0x62044030, ces 1, cause Normal call clearing(0x10)
    ISDN Se2/0:15: CCPRI_ReleaseCall(): bchan 12, call id 0x52, call type DATA
    CC_CHAN_ReleaseChanpri for DSL 0 B-chan 12
    CCPRI_ReleaseChan released b_dsl 0 B_Chan 12
    ISDN Se2/0:15: received CALL_CLEARED call_id 0x52
Now comes the debug output from my RADIUS server:
    Ready to process requests.
    rad_recv: Access-Request packet from host 10.10.199.39:1645, id=31, length=131
        NAS-IP-Address = 10.10.199.39
        NAS-Port = 20011
        Cisco-NAS-Port = "Serial2/0:11*"
        NAS-Port-Type = ISDN
        User-Name = "bsirouter3"
        Called-Station-Id = "79057"
        Calling-Station-Id = "6132781540"
        CHAP-Password = 0x0192941ca3dacff951b9dcfe69d6b55c88
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Session-Id = "00000018"
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    rlm_chap: Adding Auth-Type = CHAP
    modcall[authorize]: module "chap" returns ok
    modcall[authorize]: module "mschap" returns notfound
    rlm_realm: No '@' in User-Name = "bsirouter3", looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module "suffix" returns noop
    users: Matched bsirouter3 at 130
    modcall[authorize]: module "files" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type CHAP
    auth: type "CHAP"
    modcall: entering group authtype
    rlm_chap: login attempt by "bsirouter3" with CHAP password ????243332317371Q271334376i326265\?
    rlm_chap: Using clear text password bioscientia for user bsirouter3 authentication.
    rlm_chap: chap user bsirouter3 authenticated succesfully
    modcall[authenticate]: module "chap" returns ok
    modcall: group authtype returns ok
    Login OK: [bsirouter3/<CHAP-Password>] (from client bsi-router2 port 20011 cli 6132781540)
    Sending Access-Accept of id 31 to 10.10.199.39:1645
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 2
        NAS-Port-Type = ISDN
        Calling-Station-Id = "6132781540"
        Cisco-AVPair += "ip:addr-pool=Krankenhaus"
        Framed-IP-Netmask = 255.255.255.0
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
Thanks a lot
Christian Ihm
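
Added example (not part of the original post, and not FreeRADIUS or IOS code): the CHAP arithmetic behind the two debug traces above, following RFC 1994 and RFC 2865. It splits the logged CHAP-Password into identifier and digest, verifies a response the way a server holding the clear-text password does, and models why the side that has to answer the peer's challenge (id 145 in the router trace) cannot build a response without a secret of its own. The secret, both challenges and all function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# CHAP-Password attribute exactly as logged by the RADIUS server on this page.
LOGGED_CHAP_PASSWORD = bytes.fromhex("0192941ca3dacff951b9dcfe69d6b55c88")

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def split_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """RFC 2865: CHAP-Password = 1-byte CHAP identifier + 16-byte response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 17 bytes")
    return attr[0], attr[1:]

def radius_verify(attr: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server side: recompute the digest from the stored clear-text password."""
    ident, digest = split_chap_password(attr)
    return hmac.compare_digest(digest, chap_response(ident, cleartext, challenge))

def answer_peer_challenge(ident: int, challenge: bytes,
                          local_secret: Optional[bytes]) -> Optional[bytes]:
    """Responder side: without a locally known secret no response can be built."""
    if local_secret is None:
        return None
    return chap_response(ident, local_secret, challenge)

def demo() -> dict:
    secret = b"constructed-secret"   # constructed, not the password from the page
    chal_out = bytes(range(16))      # constructed challenge sent by the NAS
    chal_in = bytes(range(16, 32))   # constructed challenge received from the peer
    attr = bytes([1]) + chap_response(1, secret, chal_out)
    return {
        "logged_ident": split_chap_password(LOGGED_CHAP_PASSWORD)[0],
        "accept": radius_verify(attr, chal_out, secret),
        "reject": radius_verify(attr, chal_out, b"wrong"),
        "reply_without_secret": answer_peer_challenge(145, chal_in, None),
        "reply_with_secret": answer_peer_challenge(145, chal_in, secret),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

The first byte of the logged attribute is 0x01, which matches "CHAP: I RESPONSE id 1" in the router debug; the Access-Accept shown above carries only authorization attributes.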
