CHAP Authentication

Discussion in 'Cisco' started by Groper, Nov 13, 2003.

  1. Groper

    Groper Guest

    I have a working 3640 that I am trying to connect to from an ISDN W2K PC

    PAP works fine but, I am unable to get it to Authenticate with CHAP or even
    MS-CHAP

    I would appreciate any pointers.

    Thanks
    Groper
     
    Groper, Nov 13, 2003
    #1
    1. Advertising

  2. Should work fine as long as the call direction is
    PC -> 3640 not 3640 -> PC (Windows RAS does not
    support standard CHAP.)

    What's the configuration? What do your debugs say?

    debug isdn q931
    debug ppp negotiation
    debug ppp authentication
    debug aaa authentication
    debug radius ! if using RADIUS
    debug tacacs ! if using TACACS

    ---

    ~ I have a working 3640 that I am trying to connect to from an ISDN W2K PC
    ~
    ~ PAP works fine but, I am unable to get it to Authenticate with CHAP or even
    ~ MS-CHAP
    ~
    ~ I would appreciate any pointers.
    ~
    ~ Thanks
    ~ Groper
    ~
     
    Aaron Leonard, Nov 13, 2003
    #2
    1. Advertising

  3. Groper

    Groper Guest

    Thanks for your responce, I have turned on Debugging and get the following.
    Unfortunatly it does not make much sense to me.


    001971: Nov 14 10:35:22: ISDN Se2/0:15: RX <- SETUP pd = 8 callref = 0x0001
    001972: Nov 14 10:35:22: Sending Complete
    001973: Nov 14 10:35:22: Bearer Capability i = 0x8890
    001974: Nov 14 10:35:22: Channel ID i = 0xA98381
    001975: Nov 14 10:35:22.971 gmt: %LINK-3-UPDOWN: Interface Serial2/0:0,
    changed
    state to up
    001976: Nov 14 10:35:24: Se2/0:0 LCP: I CONFREQ [Listen] id 1 len 46
    001977: Nov 14 10:35:24: Se2/0:0 LCP: MagicNumber 0x06F330B1
    (0x050606F330B1)
    001978: Nov 14 10:35:24: Se2/0:0 LCP: PFC (0x0702)
    001979: Nov 14 10:35:24: Se2/0:0 LCP: ACFC (0x0802)
    001980: Nov 14 10:35:24: Se2/0:0 LCP: Callback 6 (0x0D0306)
    001981: Nov 14 10:35:24: Se2/0:0 LCP: MRRU 1500 (0x110405DC)
    001982: Nov 14 10:35:24: Se2/0:0 LCP: MultilinkShortSeq (0x1202)
    001983: Nov 14 10:35:24: Se2/0:0 LCP: EndpointDisc 4 Magic
    001984: Nov 14 10:35:24: Se2/0:0 LCP:
    (0x131704A9FA9FA14292522F5F3DE7DCB9)
    001985: Nov 14 10:35:24: Se2/0:0 LCP: (0xB636669A034034)
    001986: Nov 14 10:35:24.399 gmt: %LINK-3-UPDOWN: Interface Serial2/0:0,
    changed
    state to down



    "Aaron Leonard" <> wrote in message
    news:...
    > Should work fine as long as the call direction is
    > PC -> 3640 not 3640 -> PC (Windows RAS does not
    > support standard CHAP.)
    >
    > What's the configuration? What do your debugs say?
    >
    > debug isdn q931
    > debug ppp negotiation
    > debug ppp authentication
    > debug aaa authentication
    > debug radius ! if using RADIUS
    > debug tacacs ! if using TACACS
    >
    > ---
    >
    > ~ I have a working 3640 that I am trying to connect to from an ISDN W2K PC
    > ~
    > ~ PAP works fine but, I am unable to get it to Authenticate with CHAP or

    even
    > ~ MS-CHAP
    > ~
    > ~ I would appreciate any pointers.
    > ~
    > ~ Thanks
    > ~ Groper
    > ~
    >
     
    Groper, Nov 14, 2003
    #3
  4. "Groper" <michael.groves@valuelink_nospam_.co.uk> wrote in message
    news:3fb3bcbc$0$22603$...
    > I have a working 3640 that I am trying to connect to from an ISDN W2K PC
    >
    > PAP works fine but, I am unable to get it to Authenticate with CHAP or

    even
    > MS-CHAP


    What kind of a terminal adapter? If external and serially attached, The
    sync to async conversion usually precludes the use of CHAP, unless the
    Terminal Adapter supports it.
     
    Phillip Remaker, Nov 15, 2003
    #4
  5. Groper

    Groper Guest

    Sorry to sound dumb, but I don't understand your reply!


    "Phillip Remaker" <> wrote in message
    news:1068856573.771727@sj-nntpcache-3...
    >
    > "Groper" <michael.groves@valuelink_nospam_.co.uk> wrote in message
    > news:3fb3bcbc$0$22603$...
    > > I have a working 3640 that I am trying to connect to from an ISDN W2K PC
    > >
    > > PAP works fine but, I am unable to get it to Authenticate with CHAP or

    > even
    > > MS-CHAP

    >
    > What kind of a terminal adapter? If external and serially attached, The
    > sync to async conversion usually precludes the use of CHAP, unless the
    > Terminal Adapter supports it.
    >
    >
     
    Groper, Nov 17, 2003
    #5
  6. The deal here is that (logically) you have this:

    [router]------------------------[TA]---[[COM] PC]
    \______________________/ ^
    ^ |
    two B channels async RS232
    (sync PPP)

    so from the standpoint of Windows DUN, it's just
    talking async PPP on one link. But between the
    TA and the router, there is in fact a multilink
    PPP bundle of two synchronous links.

    So your TA has to do the conversion between async
    PPP and sync PPP - also, it has to manage the
    bundle of two links and make them look like one link
    to the PC.

    Now, when the PC wants to bring up the link, it will
    send ONE PAP username/password. The TA has to be PAP-aware -
    it needs to grab this PAP password, use it to bring up the
    first link, then replay it for the second link.

    So it sounds like your TA is PAP- but not CHAP- (MS-CHAP)-
    aware - if the PC is trying to authenticate using CHAP
    rater than PAP, it doesn't know how to grab the CHAP
    secret and replay it.

    If you're still not following, then don't worry - just
    stick to PAP.

    Aaron

    ---

    ~ Sorry to sound dumb, but I don't understand your reply!
    ~
    ~
    ~ "Phillip Remaker" <> wrote in message
    ~ news:1068856573.771727@sj-nntpcache-3...
    ~ >
    ~ > "Groper" <michael.groves@valuelink_nospam_.co.uk> wrote in message
    ~ > news:3fb3bcbc$0$22603$...
    ~ > > I have a working 3640 that I am trying to connect to from an ISDN W2K PC
    ~ > >
    ~ > > PAP works fine but, I am unable to get it to Authenticate with CHAP or
    ~ > even
    ~ > > MS-CHAP
    ~ >
    ~ > What kind of a terminal adapter? If external and serially attached, The
    ~ > sync to async conversion usually precludes the use of CHAP, unless the
    ~ > Terminal Adapter supports it.
    ~ >
    ~ >
    ~
     
    Aaron Leonard, Nov 17, 2003
    #6
  7. Groper

    Groper Guest

    Cheers mate, perfect explanation.

    My TA was setup for PAP only. I changed it to CHAP, and now it works fine.

    Yippee.......................

    Thanks again, that was really starting to bug me.
    Groper




    "Aaron Leonard" <> wrote in message
    news:...
    > The deal here is that (logically) you have this:
    >
    > [router]------------------------[TA]---[[COM] PC]
    > \______________________/ ^
    > ^ |
    > two B channels async RS232
    > (sync PPP)
    >
    > so from the standpoint of Windows DUN, it's just
    > talking async PPP on one link. But between the
    > TA and the router, there is in fact a multilink
    > PPP bundle of two synchronous links.
    >
    > So your TA has to do the conversion between async
    > PPP and sync PPP - also, it has to manage the
    > bundle of two links and make them look like one link
    > to the PC.
    >
    > Now, when the PC wants to bring up the link, it will
    > send ONE PAP username/password. The TA has to be PAP-aware -
    > it needs to grab this PAP password, use it to bring up the
    > first link, then replay it for the second link.
    >
    > So it sounds like your TA is PAP- but not CHAP- (MS-CHAP)-
    > aware - if the PC is trying to authenticate using CHAP
    > rater than PAP, it doesn't know how to grab the CHAP
    > secret and replay it.
    >
    > If you're still not following, then don't worry - just
    > stick to PAP.
    >
    > Aaron
    >
    > ---
    >
    > ~ Sorry to sound dumb, but I don't understand your reply!
    > ~
    > ~
    > ~ "Phillip Remaker" <> wrote in message
    > ~ news:1068856573.771727@sj-nntpcache-3...
    > ~ >
    > ~ > "Groper" <michael.groves@valuelink_nospam_.co.uk> wrote in message
    > ~ > news:3fb3bcbc$0$22603$...
    > ~ > > I have a working 3640 that I am trying to connect to from an ISDN

    W2K PC
    > ~ > >
    > ~ > > PAP works fine but, I am unable to get it to Authenticate with CHAP

    or
    > ~ > even
    > ~ > > MS-CHAP
    > ~ >
    > ~ > What kind of a terminal adapter? If external and serially attached,

    The
    > ~ > sync to async conversion usually precludes the use of CHAP, unless the
    > ~ > Terminal Adapter supports it.
    > ~ >
    > ~ >
    > ~
    >
     
    Groper, Nov 18, 2003
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. me

    MAC OS X and PEAP and Chap !

    me, Aug 24, 2005, in forum: Wireless Networking
    Replies:
    0
    Views:
    670
  2. Fabien Venries

    CHAP authentication failure in ISDN

    Fabien Venries, Apr 8, 2004, in forum: Cisco
    Replies:
    2
    Views:
    5,072
    Fabien Venries
    Apr 9, 2004
  3. CHAP request & reject

    , Apr 28, 2005, in forum: Cisco
    Replies:
    1
    Views:
    1,693
  4. Replies:
    2
    Views:
    580
    Aaron Leonard
    Aug 5, 2005
  5. T-Werkplek

    combining c700 & c800 with CHAP

    T-Werkplek, Sep 20, 2005, in forum: Cisco
    Replies:
    0
    Views:
    408
    T-Werkplek
    Sep 20, 2005
Loading...

Share This Page