Cisco VPN using Microsoft IAS (Radius)

 
 
Newscene
04-21-2004
I've been trying to configure a Cisco 2600 router to support PPTP VPN from
Microsoft Windows 2000 and XP clients using Microsoft's IAS (Radius) server
for authentication. Everything seems to be working OK with one exception.
When the client connects it fails authentication and the Windows Server
Event Log has an entry that "A signature attribute is required in
Access-Requests from client xxxxx".

However, I haven't found any Cisco command to set a "signature attribute"
function, or any IAS command to ignore the requirement. Can someone shed
some light on this?

Thanks

John


 
mh
04-21-2004
check out the command "radius-server vsa send authentication"

http://cco.cisco.com/en/US/customer/...b.html#1001063
 
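The "signature attribute" IAS is asking for is the RADIUS Message-Authenticator attribute (type 80, RFC 2869): an HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the attribute's own value zeroed while the digest is computed. The Python below is an added example, not code from this thread, showing how a client fills it in and how a server enforces the "required" check; the secret placeholder is taken from the redacted config posted later in the thread, and the identifier, authenticator and user name are constructed.

```python
import hashlib
import hmac
import struct

SHARED_SECRET = b"The_RADIUS_Key"  # placeholder from the redacted config in this thread
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 2869 "signature" attribute, 16-byte HMAC-MD5

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(identifier: int, authenticator: bytes,
                         attributes: bytes, secret: bytes, sign: bool = True) -> bytes:
    """Build an Access-Request (code 1); with sign=True append a valid Message-Authenticator."""
    body = attributes + (attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)) if sign else b"")
    packet = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body
    if sign:
        # HMAC-MD5 over the whole packet with the attribute value zeroed, then filled in.
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet

def parse_attributes(packet: bytes):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen

def check_signature(packet: bytes, secret: bytes) -> str:
    """Server-side check behind IAS's 'signature attribute is required' policy."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed"
    found = [(off, val) for off, t, val in parse_attributes(packet)
             if t == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16]
    if not found:
        return "missing"  # the condition the Windows event log entry reports
    off, received = found[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, received) else "bad"
```

A request without attribute 80 is rejected as "missing" before the password is ever looked at, which is why the router has to be told to send it rather than IAS being told to ignore it.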
Newscene
04-21-2004
Thanks

Now that I've worked my way around THAT problem I'm getting a connection
which is instantly dropped. The XP VPN Client reports an Error TCP/IP CP
733. According to MS Knowledgebase one cause of this is the client
attempting to negotiate a multilink connection when only single link is
available, and one should turn this off (it is by default). Other sources on
the Web say "if it's on, turn it off; if it's off, turn it on". Doesn't work
with either setting anyway.

Some sources say it's because one of the requested protocols was not
available, but it's only trying for TCP/IP anyway.





"mh" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) om...
> also see:
> http://www.microsoft.com/windows2000...iasinterop.asp
> http://communities.microsoft.com/new...er=3&nds=collapse


 
 
mh
04-23-2004
send me a copy of your Cisco 2600 config (without passwords).
 
 
Newscene
04-23-2004
Herewith the redacted config file:

---------------------------------------------------
Using 12183 out of 29688 bytes
!
! Last configuration change at 02:26:36 UTC Thu Apr 22 2004 by NNNNNNNNNNNn
! NVRAM config last updated at 02:26:51 UTC Thu Apr 22 2004 by NNNNNNNNNNNn!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXXXXXXXx
!
boot system flash:c2600-jk9o3s-mz.122-17a.bin
no logging rate-limit
no logging console
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
enable secret N XXXXXXXXXXXXXXXXxx
enable password N xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username XXXXXXXX access-class 99 password N NNNNNNNNNNNNNNNNNN
ip subnet-zero
no ip source-route
!
!
ip telnet source-interface Loopback0
ip ftp username XXXXXX
ip ftp password N XXXXXXXXXXXXXXXXxx
ip domain-name XXXXXX.XXXXX.XXXX
ip name-server NNN.NNN.NNN.NNN
ip name-server NNN.NNN.NNN.NNN
!
ip cef
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit protected NNN.NNN.NNN.NNN to NNN.NNN.NNN.NNN
ip audit protected NNN.NNN.NNN.NNN to NNN.NNN.NNN.NNN
ip audit smtp spam 100
ip audit signature 2000 disable
ip audit signature 2004 disable
ip audit name ios-attack attack action alarm drop reset
ip audit name ios-probe info action drop reset
async-bootp dns-server NNN.NNN.NNN.NNN
async-bootp nbns-server NNN.NNN.NNN.NNN
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
vty-async
!
call rsvp-sync
!
!
!
!
!
!
!
class-map match-any http-hacks
match protocol http url "*.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
match protocol http url "*readme.eml*"
!
!
policy-map mark-inbound-http-hacks
class http-hacks
set ip dscp 1
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
ip address NNN.NNN.NNN.NNN 255.255.255.0 secondary
ip address NNN.NNN.NNN.NNN 255.255.255.0
ip access-group 120 in
ip access-group 110 out
ip directed-broadcast
ip audit ios-attack out
speed auto
half-duplex
!
interface Serial0/0
no ip address
encapsulation frame-relay
no ip mroute-cache
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address NNN.NNN.NNN.NNN 255.255.255.0
ip access-group 100 in
ip access-group 101 out
ip verify unicast reverse-path
ip directed-broadcast
ip audit ios-attack in
service-policy input mark-inbound-http-hacks
no ip mroute-cache
no cdp enable
frame-relay interface-dlci 16 IETF
!
interface Virtual-Template1
no ip address
ip mroute-cache
peer default ip address pool DIAL-IN
ppp encrypt mppe auto required
ppp authentication chap ms-chap
!
ip local pool DIAL-IN NNN.NNN.NNN.NNN NNN.NNN.NNN.NNN
ip classless
ip route 0.0.0.0 0.0.0.0 NNN.NNN.NNN.NNN
ip route NNN.NNN.NNN.NNN 255.255.255.0 NNN.NNN.NNN.NNN permanent
ip route NNN.NNN.NNN.NNN 255.255.255.0 NNN.NNN.NNN.NNN
no ip http server
!
logging trap debugging
logging NNN.NNN.NNN.NNN
!
{ Access-Lists Deleted for brevity }
!
snmp-server engineID local ZZZZZZZZZZZZZZzzzzzzzzzz
snmp-server community XXXXXX RO
snmp-server location Here
no snmp-server enable traps tty
radius-server host NNN.NNN.NNN auth-port 1645 acct-port 1646
radius-server key N The_RADIUS_Key
radius-server authorization permit missing Service-Type
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
password N NNNNNNNNNNNNNNNNNNnnn
logging synchronous
line aux 0
line vty 0 4
access-class 99 in
exec-timeout 5 0
password N NNNNNNNNNNNNNNNNNNnnn
transport input telnet
line vty 5 15

-------------------------------


"mh" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) om...
> send me a copy of your Cisco 2600 config (without passwords).



 
 
mh
04-23-2004
see
http://cco.cisco.com/en/US/customer/...801e51e2.shtml

It looks like you are missing the "encap ppp" command on the
virtual-template:

interface virtual-template 1
encapsulation ppp
exit



Was it the "radius-server authorization permit missing Service-Type"
that solved your 1st problem ???
 
 
Newscene
04-24-2004

"mh" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) om...
> see
> http://cco.cisco.com/en/US/customer/...801e51e2.shtml
>
> It looks like you are missing the "encap ppp" command on the
> virtual-template:
>
> interface virtual-template 1
> encapsulation ppp


Thanks I'll try that

> exit
>
>
>
> Was it the "radius-server authorization permit missing Service-Type"
> that solved your 1st problem ???


Yes. Put that in and voila, magic.


 
 
Newscene
04-24-2004
That did not do it. When I entered the command for the interface it took it,
but it never showed up in the config, and the VPN still failed with Error 733.




"mh" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) om...
> see
> http://cco.cisco.com/en/US/customer/...801e51e2.shtml
>
> It looks like you are missing the "encap ppp" command on the
> virtual-template:
>
> interface virtual-template 1
> encapsulation ppp
> exit
>
> Was it the "radius-server authorization permit missing Service-Type"
> that solved your 1st problem ???



 
 
mh
04-24-2004
Usually if a command is accepted and does not show in the config, then
the command is a default setting.

A Cisco document stated:
"Note: Windows clients must use Microsoft Challenge Handshake
Authentication Protocol (MS-CHAP) authentication
for MPPE to work. If you are performing mutual authentication with
MS-CHAP and MPPE, both sides of the tunnel
must use the same password."

It looks as if you have both CHAP and MS-CHAP configured; try removing
CHAP.
 