Hi

I have an issue with authentication using Freeradius (freeradius-1.0.1-3).

We were running L2TPNS on a Linux box and authenticating fine using CHAP to the Freeradius server.

However, because of the increased volume of users (DSL and Dial) we need to move to a Cisco 7200 so it can terminate the tunnel.

The tunnel terminates fine but authentication is failing because the Cisco is sending PAP authentication and we use CHAP; in fact I would know how to move to PAP anyway.

No matter what we put into the Cisco config it still uses PAP, even when telling it to refuse PAP.

The Cisco is running IOS 12.2.(6) and here are the relevant lines of config for the tunnel and authentication:

########################
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius if-authenticated
aaa accounting network default start-stop group radius

multilink virtual-template 1
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname tunnel
 local name gw1
 l2tp tunnel password 7 xxxxxxxxxx
 source-ip 10.0.0.1

interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 ip mroute-cache
 no logging event link-status
 no keepalive
 timeout absolute 4320 0
 no peer default ip address
 ppp authentication chap callin
 ppp multilink
!
ip local pool IP-POOL 192.168.0.1 192.168.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.254
no ip http server
ip pim bidir-enable
!
radius-server host 192.168.1.12 auth-port 1645 acct-port 1646 key xxxxxx
radius-server retransmit 2
###############


Here is the entry from the radius users file that authentication is failing for:

######
user1      Auth-Type := Local, User-Password== "jijyocspok"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 192.168.2.22,
        Framed-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobsen-TCP-IP
######

Here are the radius log entries for when the login fails from the Cisco and passes from the L2TPNS server:

####
Thu Feb 16 23:30:41 2006 : Auth: Login incorrect: [user1/jijyocspok] (from client l2tp port 3)
Fri Feb 17 08:22:43 2006 : Auth: Login OK: [user1/<CHAP-Password>] (from client l2tp port 3)
######


I was wondering if anyone had seen a problem like this before and found a solution.

Is the Cisco at fault? Does it have a bug in it?

Should I just move to PAP authentication, and if so, how do I do that? But don't Windows PCs send CHAP? Would it still work?

Any help would be appreciated.

Thanks

Tony

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
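As an added illustration (not part of Tony's post and not FreeRADIUS code) of why a users-file entry holding a cleartext password, like the `user1` line above, can satisfy both the CHAP request the L2TPNS box sent and the PAP request the Cisco sends: the example below implements the server-side checks from RFC 2865 (section 5.2 User-Password hiding, section 5.3 CHAP-Password) and RFC 1994, plus a small parser for the first line of a users entry that tolerates the `User-Password==` spacing seen in the post. The shared secret, Request Authenticator and CHAP challenge are constructed values; the real key is masked as `xxxxxx` on the page. Note that the PAP User-Password is only XOR-obscured with an MD5 keystream derived from the shared secret, and that the failed-PAP log line above records the cleartext password, whereas the CHAP line only records `<CHAP-Password>`; both are reasons to keep CHAP on links that support it.

```python
"""Added example (not from the post or FreeRADIUS): how a RADIUS server that
holds a cleartext password, as the users-file entry in the post does, can
check both a PAP request (User-Password, RFC 2865 5.2) and a CHAP request
(CHAP-Password / CHAP-Challenge, RFC 2865 5.3 and RFC 1994).
All sample values below are constructed for the demo."""
import hashlib
import re
import secrets

# First line of a FreeRADIUS users entry, e.g.
#   user1      Auth-Type := Local, User-Password== "jijyocspok"
# The operator may or may not be surrounded by whitespace.
ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|!=|=)\s*(?:"([^"]*)"|([^,\s]+))')


def parse_users_entry(line: str) -> tuple[str, dict[str, str]]:
    """Return (username, {attribute: value}) for the check items on the first line."""
    name, _, rest = line.strip().partition(" ")
    items = {}
    for m in ITEM_RE.finditer(rest):
        items[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return name, items


def _pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 16)


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: the NAS XORs each 16-byte block of the padded password with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = _pad16(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of RFC 2865 5.2: same keystream, chained on the ciphertext blocks.
    Trailing NUL padding is stripped (a password cannot end in NUL here)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """CHAP-Password attribute = 1-byte Identifier + 16-byte Response."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_password, challenge)
    return secrets.compare_digest(expected, chap_password[1:])


def authenticate(request: dict, users: dict[str, str], secret: bytes) -> tuple[bool, str]:
    """Validate one Access-Request (as an attribute dict) against cleartext passwords.
    Returns (accepted, method). Which check runs depends only on which attributes
    the NAS sent, which is why a cleartext store serves PAP and CHAP alike."""
    stored = users.get(request.get("User-Name", ""))
    if stored is None:
        return False, "unknown-user"
    if "CHAP-Password" in request:
        # RFC 2865 5.3: without a CHAP-Challenge attribute, the Request Authenticator is the challenge.
        challenge = request.get("CHAP-Challenge", request["Authenticator"])
        return verify_chap(request["CHAP-Password"], challenge, stored.encode()), "CHAP"
    if "User-Password" in request:
        clear = radius_unhide_password(request["User-Password"], secret, request["Authenticator"])
        return secrets.compare_digest(clear, stored.encode()), "PAP"
    return False, "no-credential"


def demo() -> dict[str, bool]:
    """Constructed PAP and CHAP requests for the user1 entry quoted in the post."""
    name, items = parse_users_entry('user1      Auth-Type := Local, User-Password== "jijyocspok"')
    users = {name: items["User-Password"]}
    secret = b"constructed-shared-secret"      # stands in for the masked 'key xxxxxx'
    authenticator = bytes(range(16))          # constructed; a real NAS picks it at random
    pap_req = {"User-Name": "user1", "Authenticator": authenticator,
               "User-Password": radius_hide_password(b"jijyocspok", secret, authenticator)}
    challenge = secrets.token_bytes(16)
    chap_req = {"User-Name": "user1", "Authenticator": authenticator,
                "CHAP-Challenge": challenge,
                "CHAP-Password": b"\x07" + chap_response(7, b"jijyocspok", challenge)}
    bad_chap = dict(chap_req, **{"CHAP-Password": b"\x07" + chap_response(7, b"wrong", challenge)})
    return {"pap": authenticate(pap_req, users, secret)[0],
            "chap": authenticate(chap_req, users, secret)[0],
            "chap-wrong-password": authenticate(bad_chap, users, secret)[0]}


if __name__ == "__main__":
    print(demo())   # {'pap': True, 'chap': True, 'chap-wrong-password': False}
```

Running it accepts the same `user1` entry over both PAP and CHAP and rejects a CHAP response computed from the wrong password; the method chosen is decided by the attributes in the request, not by anything in the users file, which is the mechanism behind the "Would it still work?" question.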
