Cisco VPN using Microsoft IAS (Radius)

Discussion in 'Cisco' started by Newscene, Apr 21, 2004.

  1. Newscene

    Newscene Guest

    I've been trying to configure a Cisco 2600 router to support PPTP VPN from
    Microsoft Windows 2000 and XP clients using Microsoft's IAS (Radius) server
    for authentication. Everything seems to be working OK with one exception.
    When the client connects it fails authentication and the Windows Server
    Event Log has an entry that "A signature attribute is required in
    Access-Requests from client xxxxx".

    However, I haven't found any Cisco command to set a "signature attribute"
    function, or any IAS command to ignore the requirement. Can someone shed
    some light on this?

    Thanks

    John
     
    Newscene, Apr 21, 2004
    #1
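    What IAS calls the "signature attribute" is the RADIUS Message-Authenticator (attribute 80, RFC 2869): an HMAC-MD5 over the whole Access-Request, keyed with the shared secret, computed with the attribute's own 16 value bytes zeroed. The example below is added here and is not from the thread (all packet values are constructed); it builds a minimal Access-Request, appends the attribute, and mirrors the server-side check that yields the "signature attribute is required" rejection when a NAS omits it.

```python
# Added example, not from the thread. Builds a minimal RADIUS Access-Request
# (RFC 2865 layout), appends the Message-Authenticator attribute (RFC 2869,
# type 80, HMAC-MD5 keyed with the shared secret over the packet with the
# attribute value zeroed), and checks it the way a server would. Constructed values.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80


def radius_attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, request_authenticator, attrs):
    """Header (Code, Identifier, Length, 16-byte Request Authenticator) + attrs."""
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator + attrs


def add_message_authenticator(packet, secret):
    """Append attribute 80, computed with its value zeroed and Length updated."""
    placeholder = radius_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    body = packet[:2] + struct.pack("!H", len(packet) + 18) + packet[4:] + placeholder
    mac = hmac.new(secret, body, hashlib.md5).digest()
    return body[:-16] + mac


def find_message_authenticator(packet):
    """Return (offset of value, value) for attribute 80, or None if absent."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:  # malformed attribute; stop parsing rather than loop
            return None
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2, packet[pos + 2:pos + 18]
        pos += alen
    return None


def server_check(packet, secret, require_signature):
    """Server-side decision: 'missing', 'bad' or 'ok' (the IAS option that
    produced the Event Log entry in the thread corresponds to require_signature)."""
    found = find_message_authenticator(packet)
    if found is None:
        return "missing" if require_signature else "ok"
    off, value = found
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(value, expected) else "bad"
```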
  2. Newscene

    mh Guest

    mh, Apr 21, 2004
    #2
  4. Newscene

    Newscene Guest

    Thanks

    Now that I've worked my way around THAT problem I'm getting a connection
    which is instantly dropped. The XP VPN Client reports an Error TCP/IP CP
    733. According to MS Knowledgebase one cause of this is the client
    attempting to negotiate a multilink connection when only single link is
    available and one should turn this off (it is by default). Other sources on
    the Web say 'if it's on, turn it off; if it's off, turn it on'. Doesn't work
    with either setting anyway.

    Some sources say it's because one of the requested protocols was not
    available, but it's only trying for TCP/IP anyway.

    "mh" <> wrote in message
    news:...
    > also see:
    >
    > http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/iasinterop.asp
    >
    > http://communities.microsoft.com/ne...ublic.internet.radius&iPageNumber=3&nds=collapse
     
    Newscene, Apr 21, 2004
    #4
  5. Newscene

    mh Guest

    send me a copy of your Cisco 2600 config (without passwords).
     
    mh, Apr 23, 2004
    #5
  6. Newscene

    Newscene Guest

    Herewith the redacted config file:

    ---------------------------------------------------
    Using 12183 out of 29688 bytes
    !
    ! Last configuration change at 02:26:36 UTC Thu Apr 22 2004 by NNNNNNNNNNNn
    ! NVRAM config last updated at 02:26:51 UTC Thu Apr 22 2004 by NNNNNNNNNNNn
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname XXXXXXXXXXXXXx
    !
    boot system flash:c2600-jk9o3s-mz.122-17a.bin
    no logging rate-limit
    no logging console
    aaa new-model
    aaa authentication ppp default group radius local
    aaa authorization network default if-authenticated
    enable secret N XXXXXXXXXXXXXXXXxx
    enable password N xxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    username XXXXXXXX access-class 99 password N NNNNNNNNNNNNNNNNNN
    ip subnet-zero
    no ip source-route
    !
    ip telnet source-interface Loopback0
    ip ftp username XXXXXX
    ip ftp password N XXXXXXXXXXXXXXXXxx
    ip domain-name XXXXXX.XXXXX.XXXX
    ip name-server NNN.NNN.NNN.NNN
    ip name-server NNN.NNN.NNN.NNN
    !
    ip cef
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit notify log
    ip audit po max-events 100
    ip audit protected NNN.NNN.NNN.NNN to NNN.NNN.NNN.NNN
    ip audit protected NNN.NNN.NNN.NNN to NNN.NNN.NNN.NNN
    ip audit smtp spam 100
    ip audit signature 2000 disable
    ip audit signature 2004 disable
    ip audit name ios-attack attack action alarm drop reset
    ip audit name ios-probe info action drop reset
    async-bootp dns-server NNN.NNN.NNN.NNN
    async-bootp nbns-server NNN.NNN.NNN.NNN
    vpdn enable
    !
    vpdn-group 1
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    vty-async
    !
    call rsvp-sync
    !
    class-map match-any http-hacks
     match protocol http url "*.ida*"
     match protocol http url "*cmd.exe*"
     match protocol http url "*root.exe*"
     match protocol http url "*readme.eml*"
    !
    policy-map mark-inbound-http-hacks
     class http-hacks
      set ip dscp 1
    !
    interface Loopback0
     no ip address
    !
    interface FastEthernet0/0
     ip address NNN.NNN.NNN.NNN 255.255.255.0 secondary
     ip address NNN.NNN.NNN.NNN 255.255.255.0
     ip access-group 120 in
     ip access-group 110 out
     ip directed-broadcast
     ip audit ios-attack out
     speed auto
     half-duplex
    !
    interface Serial0/0
     no ip address
     encapsulation frame-relay
     no ip mroute-cache
     service-module t1 remote-alarm-enable
     frame-relay lmi-type ansi
    !
    interface Serial0/0.1 point-to-point
     ip address NNN.NNN.NNN.NNN 255.255.255.0
     ip access-group 100 in
     ip access-group 101 out
     ip verify unicast reverse-path
     ip directed-broadcast
     ip audit ios-attack in
     service-policy input mark-inbound-http-hacks
     no ip mroute-cache
     no cdp enable
     frame-relay interface-dlci 16 IETF
    !
    interface Virtual-Template1
     no ip address
     ip mroute-cache
     peer default ip address pool DIAL-IN
     ppp encrypt mppe auto required
     ppp authentication chap ms-chap
    !
    ip local pool DIAL-IN NNN.NNN.NNN.NNN NNN.NNN.NNN.NNN
    ip classless
    ip route 0.0.0.0 0.0.0.0 NNN.NNN.NNN.NNN
    ip route NNN.NNN.NNN.NNN 255.255.255.0 NNN.NNN.NNN.NNN permanent
    ip route NNN.NNN.NNN.NNN 255.255.255.0 NNN.NNN.NNN.NNN
    no ip http server
    !
    logging trap debugging
    logging NNN.NNN.NNN.NNN
    !
    { Access-Lists Deleted for brevity }
    !
    snmp-server engineID local ZZZZZZZZZZZZZZzzzzzzzzzz
    snmp-server community XXXXXX RO
    snmp-server location Here
    no snmp-server enable traps tty
    radius-server host NNN.NNN.NNN auth-port 1645 acct-port 1646
    radius-server key N The_RADIUS_Key
    radius-server authorization permit missing Service-Type
    !
    dial-peer cor custom
    !
    line con 0
     exec-timeout 0 0
     password N NNNNNNNNNNNNNNNNNNnnn
     logging synchronous
    line aux 0
    line vty 0 4
     access-class 99 in
     exec-timeout 5 0
     password N NNNNNNNNNNNNNNNNNNnnn
     transport input telnet
    line vty 5 15

    -------------------------------


    "mh" <> wrote in message
    news:...
    > send me a copy of your Cisco 2600 config (without passwords).
     
    Newscene, Apr 23, 2004
    #6
  7. Newscene

    mh Guest

    mh, Apr 23, 2004
    #7
  8. Newscene

    Newscene Guest

    "mh" <> wrote in message
    news:...
    > see
    >
    > http://cco.cisco.com/en/US/customer...s_configuration_example09186a00801e51e2.shtml
    >
    > it looks like you are missing the "encap ppp" command on the
    > virtual-template
    >
    > interface virtual-template 1
    > encapsulation ppp

    Thanks, I'll try that.

    > exit
    >
    > Was it the "radius-server authorization permit missing Service-Type"
    > that solved your 1st problem ???

    Yes. Put that in and voila, magic.
     
    Newscene, Apr 24, 2004
    #8
  9. Newscene

    Newscene Guest

    That did not do it. When I entered the command for the interface it took it
    but it never showed up in the config, and the VPN still failed with Error 733.

    "mh" <> wrote in message
    news:...
    > see
    >
    > http://cco.cisco.com/en/US/customer...s_configuration_example09186a00801e51e2.shtml
    >
    > it looks like you are missing the "encap ppp" command on the
    > virtual-template
    >
    > interface virtual-template 1
    > encapsulation ppp
    > exit
    >
    > Was it the "radius-server authorization permit missing Service-Type"
    > that solved your 1st problem ???
     
    Newscene, Apr 24, 2004
    #9
  10. Newscene

    mh Guest

    Usually if a command is accepted and does not show in the config, then
    the command is a default setting.

    A Cisco document stated:
    "Note: Windows clients must use Microsoft Challenge Handshake
    Authentication Protocol (MS-CHAP) authentication for MPPE to work.
    If you are performing mutual authentication with MS-CHAP and MPPE,
    both sides of the tunnel must use the same password."

    It looks as if you have both CHAP and MS-CHAP configured; try removing
    CHAP.
     
    mh, Apr 24, 2004
    #10
  11. Newscene

    mh Guest

    Try configuring the following debug commands and capture the output
    when you initiate a PPTP session:

    debug ppp chap - Displays CHAP packet exchanges.

    debug ppp negotiation - Displays information about packets sent during
    PPP start-up and detailed PPP negotiation options.

    debug ppp mppe - Displays debug messages for MPPE events.
     
    mh, Apr 24, 2004
    #11
  12. Newscene

    mh Guest

    PPTP uses TCP port 1723 for a control channel AND it uses GRE tunnels
    (IP protocol number 47) for the data.

    Make sure your inbound and outbound access lists permit both of these.

    Try removing your access lists temporarily to see if this is the cause
    of your latest issue.
     
    mh, Apr 24, 2004
    #12
  13. Newscene

    mh Guest

    See http://vpn.shmoo.com/vpn/vpn-pptp.html re access-lists for PPTP.

    On a Cisco:

    interface Serial0/0
    description Internet interface
    ip address xxx.xxx.xxx.xxx
    ip access-group inet_inbound in

    ip access-list extended inet_inbound #define the access-list
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any #reject RFC1918 addresses
    permit tcp any host xxx.xxx.xxx.xxx eq 1723 #permit PPTP control traffic
    permit gre any host xxx.xxx.xxx.xxx #permit GRE for PPTP payload

    You may have to use an alternative syntax for GRE on some IOS
    versions:
    permit 47 any host xxx.xxx.xxx.xxx #permit GRE for PPTP payload

    If you have a pre-11.2 IOS that does not support named IP
    access-lists, you need to precede each access-list line with the
    access-list xxx command (where xxx = 101-199), i.e.:

    access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 1723
    access-list 101 permit 47 any host xxx.xxx.xxx.xxx
     
    mh, Apr 24, 2004
    #13
  14. Newscene

    Newscene Guest

    Both ends of the tunnel are using MPPE and MS-CHAP with the same password.
    CHAP is disabled by default in our security practices.

    "mh" <> wrote in message
    news:...
    > Usually if a command is accepted and does not show in the config, then
    > the command is a default setting.
    >
    > A Cisco document stated:
    > "Note: Windows clients must use Microsoft Challenge Handshake
    > Authentication Protocol (MS-CHAP) authentication for MPPE to work.
    > If you are performing mutual authentication with MS-CHAP and MPPE,
    > both sides of the tunnel must use the same password."
    >
    > It looks as if you have both CHAP and MS-CHAP configured; try removing
    > CHAP.
     
    Newscene, Apr 25, 2004
    #14
  15. Newscene

    Newscene Guest

    I'll try this when I'm in the office on Monday and see if it tells me
    anything.


    "mh" <> wrote in message
    news:...
    > Try configuring the following debug commands and capture the output
    > when you initiate a PPTP session:
    >
    > debug ppp chap - Displays CHAP packet exchanges.
    >
    > debug ppp negotiation - Displays information about packets sent during
    > PPP start-up and detailed PPP negotiation options.
    >
    > debug ppp mppe - Displays debug messages for MPPE events.
     
    Newscene, Apr 25, 2004
    #15
  16. Newscene

    Newscene Guest

    It APPEARS that the Cisco is setting up the connection and the RADIUS is
    authenticating it. Syslog shows the connection was authenticated and access
    was allowed. The problem appears at the XP client (although it may not of
    course be caused at the client) based on what I can see from the logs and
    the behavior of the client. From the standpoint of the host network it looks
    as if the connection is accepted; it's just that for some reason the client
    decides it doesn't have everything it needs to continue.





    "mh" <> wrote in message
    news:...
    > See http://vpn.shmoo.com/vpn/vpn-pptp.html re access-lists for PPTP.
    >
    > On a Cisco:
    >
    > interface Serial0/0
    > description Internet interface
    > ip address xxx.xxx.xxx.xxx
    > ip access-group inet_inbound in
    >
    > ip access-list extended inet_inbound #define the access-list
    > deny ip 10.0.0.0 0.255.255.255 any
    > deny ip 172.16.0.0 0.15.255.255 any
    > deny ip 192.168.0.0 0.0.255.255 any #reject RFC1918 addresses
    > permit tcp any host xxx.xxx.xxx.xxx eq 1723 #permit PPTP control traffic
    > permit gre any host xxx.xxx.xxx.xxx #permit GRE for PPTP payload
    >
    > You may have to use an alternative syntax for GRE on some IOS
    > versions:
    > permit 47 any host xxx.xxx.xxx.xxx #permit GRE for PPTP payload
    >
    > If you have a pre-11.2 IOS that does not support named IP
    > access-lists, you need to precede each access-list line with the
    > access-list xxx command (where xxx = 101-199), i.e.:
    >
    > access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 1723
    > access-list 101 permit 47 any host xxx.xxx.xxx.xxx
     
    Newscene, Apr 25, 2004
    #16
  17. Newscene

    Newscene Guest

    Interesting: in the Cisco debug dump it says "Required encryption not
    negotiated".
    --------------------------
    debug ppp negotiation
    1w2d: Vi1 LCP: O CONFACK [ACKrcvd] id 4 len 41
    1w2d: Vi1 LCP: MRU 1500 (0x010405DC)
    1w2d: Vi1 LCP: MagicNumber 0x60E317C1 (0x050660E317C1)
    1w2d: Vi1 LCP: PFC (0x0702)
    1w2d: Vi1 LCP: ACFC (0x0802)
    1w2d: Vi1 LCP: EndpointDisc 1 Local
    1w2d: Vi1 LCP: (0x131701C70641D14D1A40E091574EE56F)
    1w2d: Vi1 LCP: (0x02A81D0000000F)
    1w2d: Vi1 LCP: State is Open
    1w2d: Vi1 PPP: Phase is AUTHENTICATING, by this end [0 sess, 0 load]
    1w2d: Vi1 MS-CHAP: O CHALLENGE id 113 len 25 from "xxxxxxxxx"
    1w2d: Vi1 LCP: I IDENTIFY [Open] id 5 len 18 magic 0x60E317C1 MSRASV5.10
    1w2d: Vi1 LCP: I IDENTIFY [Open] id 6 len 21 magic 0x60E317C1 MSRAS-1-GONZO
    1w2d: Vi1 MS-CHAP: I RESPONSE id 113 len 68 from "domain\username"
    1w2d: Vi1 MS-CHAP: O SUCCESS id 113 len 4
    1w2d: Vi1 PPP: Phase is UP [0 sess, 1 load]
    1w2d: Vi1 CCP: O CONFREQ [Not negotiated] id 197 len 10
    1w2d: Vi1 CCP: MS-PPC supported bits 0x01000060 (0x120601000060)
    1w2d: Vi1 CCP: I CONFREQ [REQsent] id 7 len 10
    1w2d: Vi1 CCP: MS-PPC supported bits 0x010000F1 (0x1206010000F1)
    1w2d: Vi1 CCP: O CONFNAK [REQsent] id 7 len 10
    1w2d: Vi1 CCP: MS-PPC supported bits 0x01000060 (0x120601000060)
    1w2d: Vi1 IPCP: I CONFREQ [Not negotiated] id 8 len 22
    1w2d: Vi1 IPCP: Address 0.0.0.0 (0x030600000000)
    1w2d: Vi1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
    1w2d: Vi1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
    1w2d: Vi1 LCP: O PROTREJ [Open] id 158 len 28 protocol IPCP
    1w2d: Vi1 LCP: (0x80210108001603060000000082060000)
    1w2d: Vi1 LCP: (0x0000840600000000)
    1w2d: Vi1 CCP: I CONFNAK [REQsent] id 197 len 10
    1w2d: Vi1 CCP: MS-PPC supported bits 0x01000040 (0x120601000040)
    1w2d: Vi1 CCP: O CONFREQ [REQsent] id 198 len 10
    1w2d: Vi1 CCP: MS-PPC supported bits 0x01000040 (0x120601000040)
    1w2d: Vi1 CCP: I CONFREQ [REQsent] id 9 len 10
    1w2d: Vi1 CCP: MS-PPC supported bits 0x01000040 (0x120601000040)
    1w2d: Vi1 CCP: O CONFACK [REQsent] id 9 len 10
    1w2d: Vi1 CCP: MS-PPC supported bits 0x01000040 (0x120601000040)
    1w2d: Vi1 CCP: I CONFACK [ACKsent] id 198 len 10
    1w2d: Vi1 CCP: MS-PPC supported bits 0x01000040 (0x120601000040)
    1w2d: Vi1 CCP: State is Open
    1w2d: Vi1 CCP: O TERMREQ [Open] id 199 len 4
    1w2d: Vi1 LCP: I TERMREQ [Open] id 10 len 16 (0x60E317C1003CCD7400000000)
    1w2d: Vi1 LCP: O TERMACK [Open] id 10 len 4
    1w2d: Vi1 PPP: Phase is TERMINATING [0 sess, 1 load]
    1w2d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
    1w2d: Vi1 LCP: State is Closed
    1w2d: Vi1 CCP: State is Closed
    1w2d: Vi1 MPPE: Required encryption not negotiated
    --------------------
    debug ppp mppe events
    1w2d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
    1w2d: Vi1 MPPE: don't understand all options, NAK
    1w2d: Vi1 MPPE: RADIUS keying material missing
    1w2d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
    1w2d: Vi1 MPPE: Required encryption not negotiated
    --------------------

    Now I really am confused. The Event Log on the Radius system says the client
    was authenticated properly, but the Cisco debug says that the encryption was
    not negotiated.




    "mh" <> wrote in message
    news:...
    > Try configuring the following debug commands and capture the output
    > when you initiate a PPTP session:
    >
    > debug ppp chap - Displays CHAP packet exchanges.
    >
    > debug ppp negotiation - Displays information about packets sent during
    > PPP start-up and detailed PPP negotiation options.
    >
    > debug ppp mppe - Displays debug messages for MPPE events.
     
    Newscene, Apr 25, 2004
    #17
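    Decoding the CCP lines in that dump shows that encryption strength was in fact agreed (router offered 0x01000060, the client asked for 0x010000F1, both sides settled on 0x01000040, i.e. stateless 128-bit MPPE per RFC 3078), and that the fatal line is "RADIUS keying material missing": the Access-Accept carried no MS-MPPE-Send-Key/MS-MPPE-Recv-Key attributes (RFC 2548), so the router cannot key MPPE and "ppp encrypt mppe auto required" tears the link down. The example below is added here and is not from the thread; it decodes those option bits and runs over a constructed sample shaped like the dump.

```python
# Added example, not from the thread: decode the CCP "MS-PPC supported bits"
# words that "debug ppp negotiation" prints (RFC 3078 option bits) and pair
# them with the "debug ppp mppe" lines to explain why a link that reached
# CCP Open still died. SAMPLE_LOG is constructed to match the dump's shape.
import re

MPPE_BITS = {  # RFC 3078 section 3, MPPE/MPPC option "supported bits"
    0x01000000: "H (stateless)", 0x00000080: "M (56-bit)", 0x00000040: "S (128-bit)",
    0x00000020: "L (40-bit)", 0x00000010: "D (obsolete)", 0x00000001: "C (MPPC)",
}
KEY_BITS = {0x40: "128-bit", 0x80: "56-bit", 0x20: "40-bit"}
CCP_RE = re.compile(r"CCP: (O|I) (CONFREQ|CONFACK|CONFNAK|CONFREJ) ")
BITS_RE = re.compile(r"CCP: MS-PPC supported bits 0x([0-9A-Fa-f]{8})")
MPPE_RE = re.compile(r"MPPE: (.+)$")

SAMPLE_LOG = """\
1w2d: Vi1 CCP: O CONFREQ [Not negotiated] id 197 len 10
1w2d: Vi1 CCP: MS-PPC supported bits 0x01000060 (0x120601000060)
1w2d: Vi1 CCP: I CONFREQ [REQsent] id 7 len 10
1w2d: Vi1 CCP: MS-PPC supported bits 0x010000F1 (0x1206010000F1)
1w2d: Vi1 CCP: I CONFACK [ACKsent] id 198 len 10
1w2d: Vi1 CCP: MS-PPC supported bits 0x01000040 (0x120601000040)
1w2d: Vi1 CCP: State is Open
1w2d: Vi1 MPPE: RADIUS keying material missing
1w2d: Vi1 MPPE: Required encryption not negotiated
"""

def decode_bits(word):
    """Names of the RFC 3078 option bits set in a 32-bit supported-bits word."""
    return [name for bit, name in MPPE_BITS.items() if word & bit]

def analyse(log):
    """Pair each CCP packet with its bits line; report what was agreed and why."""
    packets, mppe_msgs, pending = [], [], None
    for line in log.splitlines():
        if m := CCP_RE.search(line):
            pending = (m.group(1), m.group(2))     # direction, packet type
        elif (m := BITS_RE.search(line)) and pending:
            packets.append(pending + (int(m.group(1), 16),))
            pending = None
        elif m := MPPE_RE.search(line):
            mppe_msgs.append(m.group(1))
    acks = [p[2] for p in packets if p[1] == "CONFACK"]
    agreed = acks[-1] if acks else None            # last CONFACK wins
    strength = [s for b, s in KEY_BITS.items() if agreed is not None and agreed & b]
    if agreed is None:
        verdict = "CCP never reached agreement"
    else:
        mode = "stateless" if agreed & 0x01000000 else "stateful"
        verdict = "CCP agreed MPPE " + "/".join(strength) + " " + mode
    if any("keying material missing" in msg for msg in mppe_msgs):
        verdict += "; RADIUS sent no MS-MPPE keys, so 'ppp encrypt mppe ... required' tears the link down"
    return {"packets": packets, "agreed": agreed, "strength": strength, "verdict": verdict}
```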
  18. Newscene

    mh Guest

    Please post your inbound and outbound access lists.
     
    mh, Apr 25, 2004
    #18
  19. Newscene

    Newscene Guest

    Just FYI, VPN already works in this network; we are currently using it through
    the router to a Windows 2000 VPN RAS server inside the net. We're just
    trying to change the end point of the tunnel from an interior server to the
    router.


    "mh" <> wrote in message
    news:...
    > Please post your inbound and outbound access lists.
     
    Newscene, Apr 26, 2004
    #19
  20. Newscene

    mh Guest

    Any luck ?
     
    mh, Apr 28, 2004
    #20