(RADIATOR) Cisco PPTP and MPPE
Lee Graham
lee at ncstate.net
Thu May 30 17:11:10 CDT 2002
Hello,
I am having a problem getting Radiator to work with a Cisco 2621 using
PPTP/MPPE. I think I have followed the suggestions in the FAQ and reference
manual.
The configuration works fine if I don't use MPPE, but when I try to use MPPE
I get a message on the Windows 2000 machine that I am trying to log in with
which says "The remote computer does not support the required data
encryption type". Is this because of the version of Radiator I am using?
If so, is there a workaround? If not, how much does it cost to upgrade?
I have also included debug information below all of the config files.
Here are the user/radius/router_config files:
------------------------------------------------------------------
# radius.cfg
#
# Configuration file for radius server
#
# Author: Mike McCauley (mikem at open.com.au)
# Copyright (C) 1997 Open System Consultants
# $Id: radius.cfg,v 1.6 1999/07/14 05:28:50 mikem Exp $
#
Foreground
LogStdout
AuthPort 1812
AcctPort 1813
LogDir .
DbDir .
LogFile %L/logfile2
Trace 4
DictionaryFile ./dictionary
<Client DEFAULT>
NasType CiscoVPDN
Secret <password here>
DupInterval 3
</Client>
# Check that Handlers work OK
<Handler NAS-IP-Address = <ip address here> >
<AuthBy FILE>
Filename ./users
# Generate MPPE keys to encrypt pptp vpns
AutoMPPEKeys Yes
AddToReply Service-Type = Framed,\
Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP,\
Message-Authenticator = 0000000000000000,\
MS-MPPE-Encryption-Policy = Encryption-Allowed,\
MS-MPPE-Encryption-Types = Encryption-Any
</AuthBy>
</Handler>
------------------------------------------------------------------
# users
DEFAULT	Service-Type = Administrative-User, Auth-Type = System
	Idle-Timeout = 2000,
DEFAULT	Service-Type = Login-User, Expiration = "Feb 2 2010"
	Idle-Timeout = 2001,
	Fall-Through = yes
DEFAULT	Service-Type = Outbound-User, Expiration = "Feb 2 2010"
	Idle-Timeout = 2002
DEFAULT	Auth-Type = System, Group = group1, Auth-Type=Radius
	Reply-Message = you are in group 1
DEFAULT	Suffix=.ppp, Auth-Type = System
	Reply-Message = You are a suffix PPP user
DEFAULT	Prefix=P, Auth-Type = System
	Reply-Message = You are a prefix PPP user
testperson	User-Password = "test"
------------------------------------------------------------------
router#sh run
Building configuration...
Current configuration : 1929 bytes
!
version 12.1
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
no logging rate-limit
aaa new-model
aaa authentication login default group radius enable none
aaa authentication ppp default group radius none
aaa authorization network ppp group radius none
enable password <password here>
!
ip subnet-zero
ip cef
!
!
no ip finger
no ip domain-lookup
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.20 192.168.1.254
ip dhcp excluded-address 192.168.1.17
!
ip dhcp pool public
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server <ip address>
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
no vpdn logging
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address <ip address> 255.255.255.0
 ip nat outside
 no ip mroute-cache
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no logging event link-status
 no keepalive
 peer default ip address pool default
 ppp encrypt mppe 128
 ppp authentication ms-chap
!
ip local pool default 192.168.1.20 192.168.1.25
ip nat inside source list 7 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 <ip address>
no ip http server
!
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
radius-server host <ip address> auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key <password>
!
dial-peer cor custom
!
!
!
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
end
router#
----------------------------------------------------------------
Also, here are the debug files
----------------------------------------------------------------
router#
5d07h: Vi1 MPPE: don't understand all options, NAK
5d07h: Vi1 MPPE: RADIUS keying material missing
getz#sh debug
PPP:
MPPE Events debugging is on
MPPE Packets debugging is on
MPPE Packet Details debugging is on
router#
----------------------------------------------------------------
C:\Radiator-3.0>perl radiusd -config_file radius.cfg
Thu May 30 14:58:40 2002: DEBUG: Reading users file ./users
Thu May 30 14:58:40 2002: INFO: Server started: Radiator 3.0 on NC
Thu May 30 14:58:53 2002: DEBUG: Packet dump:
*** Received from <ip address> port 1645 ....
Code: Access-Request
Identifier: 100
Authentic: <185><162><215><180><171>4<144>2<0><0><0><0><0><0><0><0>
Attributes:
NAS-IP-Address = <ip address>
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "testperson"
MS-CHAP-Challenge = "<185><162><215><180><171>4<144>2"
MS-CHAP-Response =
"=<1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><172>~<23>:<233><203><17><7>ng<133>}<157>PK<235><138>>C@Y<159><220>C"
Service-Type = Framed-User
Framed-Protocol = PPP
Thu May 30 14:58:53 2002: DEBUG: Handling request with Handler 'NAS-IP-Address = <ip address>'
Thu May 30 14:58:53 2002: DEBUG: Deleting session for testperson, <ip address>, 1
Thu May 30 14:58:53 2002: DEBUG: Handling with Radius::AuthFILE:
Thu May 30 14:58:53 2002: DEBUG: Radius::AuthFILE looks for match with
testperson
Thu May 30 14:58:53 2002: DEBUG: Radius::AuthFILE ACCEPT:
Thu May 30 14:58:53 2002: DEBUG: Access accepted for testperson
Thu May 30 14:58:53 2002: ERR: There is no value named Framed for attribute Service-Type. Using 0.
Thu May 30 14:58:53 2002: DEBUG: Packet dump:
*** Sending to <ip address> port 1645 ....
Code: Access-Accept
Identifier: 100
Authentic: <185><162><215><180><171>4<144>2<0><0><0><0><0><0><0><0>
Attributes:
MS-CHAP-MPPE-Keys =
"<6><193><243>na<209>Q_<19>/<234><171>IWo<227>IHJ<21>D<128><134><208><138>5<143>?<212><16>r<201>"
Service-Type = Framed
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = None
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Message-Authenticator = 0000000000000000
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = Encryption-Any
-------------------------------------------------------------
Thanks for the help,
Lee
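An added example, not from Lee's post or from Radiator itself: it builds and unhides the 32-byte MS-CHAP-MPPE-Keys attribute seen in the Access-Accept dump above (LM-Key, NT-Key, padding, hidden with the RFC 2138 User-Password method as RFC 2548 specifies) and then derives the 128-bit MPPE start key the way RFC 3079 describes for MS-CHAPv1, which is what the NAS does with that attribute plus the MS-CHAP-Challenge. The shared secret and key material are constructed; only the authenticator and challenge are taken from the dump.

```python
import hashlib

# Constructed sample values. The authenticator (whose first 8 bytes are the
# MS-CHAP-Challenge, as in the Access-Request dump) is the one in the post;
# the secret, LM-Key and NtPasswordHashHash are made up for this example.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes([185, 162, 215, 180, 171, 0x34, 144, 0x32] + [0] * 8)
CHALLENGE = AUTHENTICATOR[:8]
LM_KEY = bytes(range(8))                                      # 8-byte LM-Key
NT_HASH_HASH = bytes.fromhex("41c00c584bd2d91c4017a2a12fa59f3f")  # 16 bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_keys(plain: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2548 hides the Keys field like RFC 2138 hides User-Password:
    block 0 is XORed with MD5(secret + Request-Authenticator), block i with
    MD5(secret + ciphertext block i-1)."""
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        prev = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_keys(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_keys, as performed by the NAS."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out

def build_mschap_mppe_keys(lm_key, nt_hash_hash, secret, authenticator):
    """Server side: Keys field = LM-Key(8) | NT-Key(16) | padding(8), hidden."""
    if len(lm_key) != 8 or len(nt_hash_hash) != 16 or len(authenticator) != 16:
        raise ValueError("bad field length")
    return hide_keys(lm_key + nt_hash_hash + bytes(8), secret, authenticator)

def get_start_key(nt_hash_hash: bytes, challenge: bytes) -> bytes:
    """RFC 3079 GetStartKey for 128-bit MPPE with MS-CHAPv1:
    first 16 bytes of SHA1(NtHashHash || NtHashHash || Challenge)."""
    return hashlib.sha1(nt_hash_hash + nt_hash_hash + challenge).digest()[:16]

def nas_start_key(attr, secret, authenticator, challenge):
    """NAS side: unhide the attribute, take NT-Key, derive the MPPE start key."""
    keys = reveal_keys(attr, secret, authenticator)
    if len(keys) != 32 or len(challenge) != 8:
        raise ValueError("malformed keying material")
    return get_start_key(keys[8:24], challenge)
```

A NAS that cannot unhide the field (wrong shared secret) or gets no NT-Key at all has nothing to feed GetStartKey, so comparing what the server sends with what the NAS expects is the first thing to check when MPPE negotiation fails.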
===
Archive at http://www.open.com.au/archives/radiator/