(RADIATOR) Cisco PPTP and MPPE
Hugh Irvine
hugh at open.com.au
Thu May 30 14:24:57 CDT 2002
Hello Lee -
If you are using the standard Radiator dictionary, you should change the
configuration file like this:
<Handler NAS-IP-Address = <ip address here> >
	<AuthBy FILE>
		Filename ./users
		# Generate MPPE keys to encrypt pptp vpns
		AutoMPPEKeys Yes
		AddToReply Service-Type = Framed-User, \
		..........
Ciscos are very picky about the Service-Type attribute.
The latest version of Radiator is 3.1 and upgrades are free - you can
download the new version from the web site.
regards
Hugh
On Fri, 31 May 2002 08:11, Lee Graham wrote:
> Hello,
>
> I am having a problem getting Radiator to work with a Cisco 2621 using
> PPTP/MPPE. I think I have followed the suggestions in the FAQ and
> reference manual.
>
> The configuration works fine if I don't use MPPE, but when I try to use
> MPPE I get a message on the Windows 2000 machine that I am trying to log in
> with which says "The remote computer does not support the required data
> encryption type". Is this because of the version of Radiator I am using?
> If so, is there a workaround? If not, how much does it cost to upgrade?
>
> I have also included debug information below all of the config files.
>
> Here are the user/radius/router_config files:
>
> ------------------------------------------------------------------
>
> # radius.cfg
> #
> # Configuration file for radius server
> #
> # Author: Mike McCauley (mikem at open.com.au)
> # Copyright (C) 1997 Open System Consultants
> # $Id: radius.cfg,v 1.6 1999/07/14 05:28:50 mikem Exp $
> #
> Foreground
> LogStdout
> AuthPort 1812
> AcctPort 1813
> LogDir .
> DbDir .
> LogFile %L/logfile2
> Trace 4
> DictionaryFile ./dictionary
>
> <Client DEFAULT>
> NasType CiscoVPDN
> Secret <password here>
> DupInterval 3
> </Client>
>
> # Check that Handlers work OK
> <Handler NAS-IP-Address = <ip address here> >
> 	<AuthBy FILE>
> 		Filename ./users
>
> 		# Generate MPPE keys to encrypt pptp vpns
> 		AutoMPPEKeys Yes
>
> 		AddToReply Service-Type = Framed,\
> 			Framed-Protocol = PPP,\
> 			Framed-IP-Netmask = 255.255.255.255,\
> 			Framed-Routing = None,\
> 			Framed-MTU = 1500,\
> 			Framed-Compression = Van-Jacobson-TCP-IP,\
> 			Message-Authenticator = 0000000000000000,\
> 			MS-MPPE-Encryption-Policy = Encryption-Allowed,\
> 			MS-MPPE-Encryption-Types = Encryption-Any
> 	</AuthBy>
> </Handler>
>
> ------------------------------------------------------------------
>
> # users
>
> DEFAULT Service-Type = Administrative-User, Auth-Type = System
> Idle-Timeout = 2000,
>
> DEFAULT Service-Type = Login-User, Expiration = "Feb 2 2010"
> Idle-Timeout = 2001,
> Fall-Through = yes
>
> DEFAULT Service-Type = Outbound-User, Expiration = "Feb 2 2010"
> Idle-Timeout = 2002
>
> DEFAULT Auth-Type = System, Group = group1, Auth-Type=Radius
> Reply-Message = you are in group 1
>
> DEFAULT Suffix=.ppp, Auth-Type = System
> Reply-Message = You are a suffix PPP user
>
> DEFAULT Prefix=P, Auth-Type = System
> Reply-Message = You are a prefix PPP user
>
> testperson User-Password = "test"
>
> ------------------------------------------------------------------
>
> router#sh run
> Building configuration...
>
> Current configuration : 1929 bytes
> !
> version 12.1
> no parser cache
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname router
> !
> no logging rate-limit
> aaa new-model
> aaa authentication login default group radius enable none
> aaa authentication ppp default group radius none
> aaa authorization network ppp group radius none
> enable password <password here>
> !
> ip subnet-zero
> ip cef
> !
> !
> no ip finger
> no ip domain-lookup
> no ip dhcp conflict logging
> ip dhcp excluded-address 192.168.1.1
> ip dhcp excluded-address 192.168.1.20 192.168.1.254
> ip dhcp excluded-address 192.168.1.17
> !
> ip dhcp pool public
> network 192.168.1.0 255.255.255.0
> default-router 192.168.1.1
> dns-server <ip address>
> !
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 60
> ip ssh authentication-retries 2
> vpdn enable
> no vpdn logging
> !
> vpdn-group 1
> ! Default PPTP VPDN group
> accept-dialin
> protocol pptp
> virtual-template 1
> !
> !
> !
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface FastEthernet0/0
> ip address <ip address> 255.255.255.0
> ip nat outside
> no ip mroute-cache
> speed 100
> full-duplex
> !
> interface FastEthernet0/1
> ip address 192.168.1.1 255.255.255.0
> ip nat inside
> no ip mroute-cache
> speed 100
> full-duplex
> !
> interface Virtual-Template1
> ip unnumbered FastEthernet0/0
> no logging event link-status
> no keepalive
> peer default ip address pool default
> ppp encrypt mppe 128
> ppp authentication ms-chap
> !
> ip local pool default 192.168.1.20 192.168.1.25
> ip nat inside source list 7 interface FastEthernet0/0 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 <ip address>
> no ip http server
> !
> access-list 7 permit 192.168.1.0 0.0.0.255
> access-list 101 permit ip any any
> radius-server host <ip address> auth-port 1812 acct-port 1813
> radius-server retransmit 3
> radius-server key <password>
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
> transport input none
> line aux 0
> line vty 0 4
> !
> end
>
> router#
>
> ----------------------------------------------------------------
>
> Also, here are the debug files
>
> ----------------------------------------------------------------
>
> router#
> 5d07h: Vi1 MPPE: don't understand all options, NAK
> 5d07h: Vi1 MPPE: RADIUS keying material missing
> getz#sh debug
> PPP:
> MPPE Events debugging is on
> MPPE Packets debugging is on
> MPPE Packet Details debugging is on
> router#
>
> ----------------------------------------------------------------
>
> C:\Radiator-3.0>perl radiusd -config_file radius.cfg
> Thu May 30 14:58:40 2002: DEBUG: Reading users file ./users
> Thu May 30 14:58:40 2002: INFO: Server started: Radiator 3.0 on NC
> Thu May 30 14:58:53 2002: DEBUG: Packet dump:
> *** Received from <ip address> port 1645 ....
> Code: Access-Request
> Identifier: 100
> Authentic: <185><162><215><180><171>4<144>2<0><0><0><0><0><0><0><0>
> Attributes:
> NAS-IP-Address = <ip address>
> NAS-Port = 1
> NAS-Port-Type = Virtual
> User-Name = "testperson"
> MS-CHAP-Challenge = "<185><162><215><180><171>4<144>2"
> MS-CHAP-Response =
> "=<1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> <0><0><0><0><0><0><0><0><172>~<23>:<233><203><17><7>ng<133>}<157>PK<235><13
>8
>
> >>C@
>
> Y<159><220>C"
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
> Thu May 30 14:58:53 2002: DEBUG: Handling request with Handler
> 'NAS-IP-Address =
> <ip address>'
> Thu May 30 14:58:53 2002: DEBUG: Deleting session for testperson, <ip
> address>, 1
> Thu May 30 14:58:53 2002: DEBUG: Handling with Radius::AuthFILE:
> Thu May 30 14:58:53 2002: DEBUG: Radius::AuthFILE looks for match with
> testperson
> Thu May 30 14:58:53 2002: DEBUG: Radius::AuthFILE ACCEPT:
> Thu May 30 14:58:53 2002: DEBUG: Access accepted for testperson
> Thu May 30 14:58:53 2002: ERR: There is no value named Framed for attribute Service-Type. Using 0.
> Thu May 30 14:58:53 2002: DEBUG: Packet dump:
> *** Sending to <ip address> port 1645 ....
> Code: Access-Accept
> Identifier: 100
> Authentic: <185><162><215><180><171>4<144>2<0><0><0><0><0><0><0><0>
> Attributes:
> MS-CHAP-MPPE-Keys =
> "<6><193><243>na<209>Q_<19>/<234><171>IWo<227>IHJ<21
>
> >D<128><134><208><138>5<143>?<212><16>r<201>"
>
> Service-Type = Framed
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.255
> Framed-Routing = None
> Framed-MTU = 1500
> Framed-Compression = Van-Jacobson-TCP-IP
> Message-Authenticator = 0000000000000000
> MS-MPPE-Encryption-Policy = Encryption-Allowed
> MS-MPPE-Encryption-Types = Encryption-Any
>
> -------------------------------------------------------------
>
>
>
> Thanks for the help,
>
> Lee
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
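The debug output above shows the failure mode Hugh is pointing at: Radiator logs "There is no value named Framed for attribute Service-Type. Using 0." and still sends an Access-Accept, which the Cisco then rejects ("RADIUS keying material missing"). The following script is an added example, not Radiator's own code and not anything from the thread: it parses a dictionary excerpt written in Radiator's ATTRIBUTE / VENDORATTR / VALUE syntax and checks an AddToReply list for enumerated values the dictionary does not define, so the typo is caught before the server is started. The dictionary excerpt, the attribute numbers and the `check_add_to_reply` / `parse_add_to_reply` names are constructed for the example; the AddToReply text is the one from Lee's radius.cfg.

```python
"""Pre-flight check for a Radiator AddToReply attribute list.

Added example (not Radiator code). Parses a RADIUS dictionary in Radiator's
text syntax and flags every enumerated integer attribute whose value name is
not defined there. Radiator itself would log "There is no value named X for
attribute Y. Using 0." at run time and encode 0, which the NAS rejects.
"""
import re

# Constructed dictionary excerpt in Radiator's syntax. Attribute numbers
# follow RFC 2865 / RFC 2548; VALUE numbers are illustrative and the checker
# only uses the names.
SAMPLE_DICTIONARY = """
ATTRIBUTE   Service-Type            6   integer
ATTRIBUTE   Framed-Protocol         7   integer
ATTRIBUTE   Framed-IP-Netmask       9   ipaddr
ATTRIBUTE   Framed-Routing         10   integer
ATTRIBUTE   Framed-MTU             12   integer
ATTRIBUTE   Framed-Compression     13   integer
ATTRIBUTE   Message-Authenticator  80   binary
VENDORATTR  311 MS-MPPE-Encryption-Policy  7  integer
VENDORATTR  311 MS-MPPE-Encryption-Types   8  integer
VALUE   Service-Type        Login-User           1
VALUE   Service-Type        Framed-User          2
VALUE   Service-Type        Outbound-User        5
VALUE   Service-Type        Administrative-User  6
VALUE   Framed-Protocol     PPP                  1
VALUE   Framed-Routing      None                 0
VALUE   Framed-Compression  Van-Jacobson-TCP-IP  1
VALUE   MS-MPPE-Encryption-Policy  Encryption-Allowed   1
VALUE   MS-MPPE-Encryption-Policy  Encryption-Required  2
VALUE   MS-MPPE-Encryption-Types   Encryption-Any       6
"""

# The AddToReply from the original post. Raw string: the trailing backslashes
# are Radiator line continuations, not Python escapes.
BROKEN_ADD_TO_REPLY = r"""AddToReply Service-Type = Framed,\
Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP,\
Message-Authenticator = 0000000000000000,\
MS-MPPE-Encryption-Policy = Encryption-Allowed,\
MS-MPPE-Encryption-Types = Encryption-Any"""

# Same list with the value name the dictionary actually defines.
FIXED_ADD_TO_REPLY = BROKEN_ADD_TO_REPLY.replace("= Framed,", "= Framed-User,")

# "Attr = value" pairs; a value is either a double-quoted string or runs to
# the next comma.
PAIR = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,]+)')


def parse_dictionary(text):
    """Return ({attribute: type}, {attribute: {value_name: number}})."""
    attrs, values = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "ATTRIBUTE" and len(fields) >= 4:
            attrs[fields[1]] = fields[3]
        elif fields[0] == "VENDORATTR" and len(fields) >= 5:
            attrs[fields[2]] = fields[4]          # VENDORATTR vendor name num type
        elif fields[0] == "VALUE" and len(fields) >= 4:
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    return attrs, values


def parse_add_to_reply(text):
    """Join backslash continuations and return [(attribute, value), ...]."""
    joined = re.sub(r"\\\s*\n\s*", " ", text.strip())
    joined = re.sub(r"^AddToReply\s+", "", joined)
    return [(name, raw.strip().strip('"')) for name, raw in PAIR.findall(joined)]


def check_add_to_reply(dictionary_text, add_to_reply_text):
    """Return a list of problems; an empty list means every pair encodes."""
    attrs, values = parse_dictionary(dictionary_text)
    problems = []
    for name, value in parse_add_to_reply(add_to_reply_text):
        if name not in attrs:
            problems.append(f"{name}: attribute not in dictionary")
        elif attrs[name] == "integer" and not value.lstrip("-").isdigit():
            known = values.get(name, {})
            if value not in known:
                problems.append(
                    f"{name} = {value}: no such value; would be sent as 0 "
                    f"(defined: {', '.join(sorted(known)) or 'none'})")
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_ADD_TO_REPLY), ("corrected", FIXED_ADD_TO_REPLY)):
        problems = check_add_to_reply(SAMPLE_DICTIONARY, text)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  " + problem)
```

Run against the posted list the check reports only `Service-Type = Framed` and lists the value names the dictionary does define; with `Framed-User` in its place the list is clean. The check covers enumerated integer attributes only; ipaddr, string and binary values (Framed-IP-Netmask, Message-Authenticator) are accepted as given, and a numeric value for an integer attribute is always allowed, as Radiator allows it.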