(RADIATOR) Cisco VPN3000 and MS-CHAP

Romain Vergniol romain.vergniol at cegedim.fr
Wed Oct 16 05:02:06 CDT 2002


Hello,

I have trouble setting up authentication with Cisco VPN3000 and MS-CHAP (v1 or v2).
The authentication works (with the accounting start packet), but when the user tries any connection to the internal network (a ping, for example), the user is disconnected.
I tried almost everything I found on this mailing list, with no success.
Note that all is OK when I set internal authentication on the VPN concentrator.
I use Radiator 3.3.1.

Thanks for your help.

Regards,
Romain VERGNIOL
-- C  E  G  E  D  I  M ---------
Équipe Réseau
Tel : +33 (0)1 49 09 84 02
Fax : +33 (0)1 46 03 45 95




--------------------------------------------------------------------------------

user attributes:

fpaczka:
Framed-IP-Address = 172.xxxxxxx 
MS-MPPE-Encryption-Policy = Encryption-Allowed 
MS-MPPE-Encryption-Types = Encryption-Any 
Class = reseaux 


--------------------------------------------------------------------------------

radius.cfg :

..............

<AuthBy SQL>
        Identifier AUTH_PPTP
                DBSource        dbi:mysql:radius
                DBUsername      xxxxxx
                DBAuth          xxxxxxxxxx

                FailureBackoffTime 20

                AutoMPPEKeys

                AuthSelect select S.PASSWORD, S.CHECKATTR, S.REPLYATTR \
                from SUBSCRIBERS as S, REL_PROFCOM as P \
                where S.USERNAME='%n' and S.NASIDENTIFIER='%N' \
                and S.PROFCOM=P.ID \
                and P.NUM='%{Called-Station-Id}'

                AuthColumnDef 0, User-Password, check
                AuthColumnDef 1, GENERIC, check
                AuthColumnDef 2, GENERIC, reply

</AuthBy>

.............

<Handler Request-Type=Access-Request,User-Name=fpaczka>
        RejectHasReason
        AuthBy AUTH_PPTP
        AuthLog AUTHLOG

        AddToReply  Service-Type = Framed,\
        Framed-Protocol = PPP,\
        Framed-IP-Netmask = 255.255.255.255,\
        Framed-Routing = None,\
        Framed-MTU = 1500,\
        Framed-Compression = Van-Jacobson-TCP-IP,\
        Message-Authenticator = 0000000000000000

</Handler>



--------------------------------------------------------------------------------

Trace 4 debug :

Wed Oct 16 11:17:07 2002: DEBUG: Handling request with Handler 'Request-Type=Access-Request'
Wed Oct 16 11:17:07 2002: DEBUG:  Deleting session for fpaczka, 172.xxxxxxxx, 1460
Wed Oct 16 11:17:07 2002: DEBUG: Handling with Radius::AuthRADIUS
Wed Oct 16 11:17:07 2002: DEBUG: Packet dump:
*** Sending to 172.xxxxxx port 1645 ....
Code:       Access-Request
Identifier: 155
Authentic:  <141>J<242><227>x_<248>F<13><<244><25><136>h<185>G
Attributes:
 User-Name = "fpaczka"
 NAS-Port = 1460
 Service-Type = Framed
 Framed-Protocol = PPP
 Tunnel-Client-Endpoint = "217.xxxxxxxx"
 MS-CHAP-Challenge = "<133><148><30><208><164><176>}<157>h<3><187><203><27>.<12><205>"
 MS-CHAP2-Response = "<2><0><133><144><180><208>+<8>x<21><223><132><162><170>_8N{<0><0><0><0><0><0><0><0><207><15><31><2>*<168>o<225>~<253><25><255>o<173><192>s<201>d<231><198><191> w<157>"
 NAS-IP-Address = 172.xxxxx
 NAS-Port-Type = Virtual

..........................

Wed Oct 16 11:17:07 2002: DEBUG: Access accepted for fpaczka
Wed Oct 16 11:17:07 2002: DEBUG: Packet dump:
*** Sending to 172.27.64.6 port 1052 ....
Code:       Access-Accept
Identifier: 191
Authentic:  <141>J<242><227>x_<248>F<13><<244><25><136>h<185>G
Attributes:
 MS-CHAP2-Success = "<2>S=AB6A1D5C04B5C3A0B0353F49597545C97401CEE3"
 MS-MPPE-Send-Key = "<178>H<169><153>;i'^Z<135>g<206><178>v;r<234><12><180><0>TY<189>?<249>r<6>P[4<160><225>$<250>"
 MS-MPPE-Recv-Key = "<198>.<168><213><207><253><233><172>8<189><254>22<141>u<7><162>46<151>>&<18><216><132><196><245><136><179><236><157>U<184><8>"
 Framed-IP-Address = 172.xxxxxxxx
 MS-MPPE-Encryption-Policy = Encryption-Allowed
 MS-MPPE-Encryption-Types = Encryption-Any
 Class = "reseaux"
 Framed-MTU = 1000
 Service-Type = Framed
 Framed-Protocol = PPP
 Framed-IP-Netmask = 255.255.255.255
 Framed-Routing = None
 Framed-MTU = 1500
 Framed-Compression = Van-Jacobson-TCP-IP
 Message-Authenticator = p!4,D<184><8><28><233><132><229>><136>Ul<172>
 User-Name = "fpaczka"

..............

Wed Oct 16 11:17:15 2002: DEBUG: Handling request with Handler 'Request-Type=Accounting-Request'
Wed Oct 16 11:17:15 2002: DEBUG:  Adding session for fpaczka, 172.xxxxxxx, 1460
Wed Oct 16 11:17:15 2002: DEBUG: Handling with Radius::AuthRADIUS
Wed Oct 16 11:17:15 2002: DEBUG: Packet dump:
*** Sending to 172.xxxxxxxx port 1646 ....
Code:       Accounting-Request
Identifier: 35
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
 User-Name = "fpaczka"
 NAS-Port = 1460
 Service-Type = Framed
 Framed-Protocol = PPP
 Framed-IP-Address = 172.xxxxxxx
 Class = "reseaux"
 Acct-Status-Type = Start
 Acct-Session-Id = "2E70011C"
 Tunnel-Client-Endpoint = "217.xxxxxxx"
 Acct-Authentic = RADIUS
 Acct-Delay-Time = 0
 NAS-IP-Address = 172.xxxxxxx
 NAS-Port-Type = Virtual
 Timestamp = 1034759835


Wed Oct 16 11:17:15 2002: DEBUG: Accounting accepted
Wed Oct 16 11:17:15 2002: DEBUG: Packet dump:
*** Sending to 172.xxxxxxx port 1058 ....
Code:       Accounting-Response
Identifier: 55
Authentic:  <12>hTN<164>b<211><215><235>a<3><223><192>?yZ
Attributes:

...........................


Wed Oct 16 11:17:37 2002: DEBUG: Handling request with Handler 'Request-Type=Accounting-Request'
Wed Oct 16 11:17:37 2002: DEBUG:  Deleting session for fpaczka, 172.xxxxxxx, 1460
Wed Oct 16 11:17:37 2002: DEBUG: Handling with Radius::AuthRADIUS
Wed Oct 16 11:17:37 2002: DEBUG: Packet dump:
*** Sending to 172.xxxxxxx port 1646 ....
Code:       Accounting-Request
Identifier: 56
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
 User-Name = "fpaczka"
 NAS-Port = 1460
 Service-Type = Framed
 Framed-Protocol = PPP
 Framed-IP-Address = 172.xxxxxxx
 Class = "reseaux"
 Acct-Status-Type = Stop
 Acct-Input-Octets = 1016
 Acct-Output-Octets = 9585
 Acct-Session-Id = "2E70011C"
 Acct-Session-Time = 21
 Acct-Input-Packets = 8
 Acct-Output-Packets = 8
 Acct-Terminate-Cause = User-Request
 Tunnel-Client-Endpoint = "217.xxxxxxx"
 Acct-Authentic = RADIUS
 Acct-Delay-Time = 0
 NAS-IP-Address = 172.xxxxxxx
 NAS-Port-Type = Virtual
 Timestamp = 1034759857

...............................


Wed Oct 16 11:17:37 2002: DEBUG: Accounting accepted
Wed Oct 16 11:17:37 2002: DEBUG: Packet dump:
*** Sending to 172.xxxxxx port 1058 ....
Code:       Accounting-Response
Identifier: 56
Authentic:  <213><133><15><202><156><251><26><226><192><149><18><253><233><246><163>j
Attributes:

