CHAP Authentication

Discussion in 'Cisco' started by Groper, Nov 13, 2003.

  1. Groper

    Groper Guest

    I have a working 3640 that I am trying to connect to from an ISDN W2K PC

    PAP works fine but, I am unable to get it to Authenticate with CHAP or even
    MS-CHAP

    I would appreciate any pointers.

    Thanks
    Groper
     
    Groper, Nov 13, 2003
    #1
    1. Advertisements

  2. Should work fine as long as the call direction is
    PC -> 3640 not 3640 -> PC (Windows RAS does not
    support standard CHAP.)

    What's the configuration? What do your debugs say?

    debug isdn q931
    debug ppp negotiation
    debug ppp authentication
    debug aaa authentication
    debug radius ! if using RADIUS
    debug tacacs ! if using TACACS

    ---

    ~ I have a working 3640 that I am trying to connect to from an ISDN W2K PC
    ~
    ~ PAP works fine but, I am unable to get it to Authenticate with CHAP or even
    ~ MS-CHAP
    ~
    ~ I would appreciate any pointers.
    ~
    ~ Thanks
    ~ Groper
    ~
     
    Aaron Leonard, Nov 13, 2003
    #2
    1. Advertisements

  3. Groper

    Groper Guest

    Thanks for your responce, I have turned on Debugging and get the following.
    Unfortunatly it does not make much sense to me.


    001971: Nov 14 10:35:22: ISDN Se2/0:15: RX <- SETUP pd = 8 callref = 0x0001
    001972: Nov 14 10:35:22: Sending Complete
    001973: Nov 14 10:35:22: Bearer Capability i = 0x8890
    001974: Nov 14 10:35:22: Channel ID i = 0xA98381
    001975: Nov 14 10:35:22.971 gmt: %LINK-3-UPDOWN: Interface Serial2/0:0,
    changed
    state to up
    001976: Nov 14 10:35:24: Se2/0:0 LCP: I CONFREQ [Listen] id 1 len 46
    001977: Nov 14 10:35:24: Se2/0:0 LCP: MagicNumber 0x06F330B1
    (0x050606F330B1)
    001978: Nov 14 10:35:24: Se2/0:0 LCP: PFC (0x0702)
    001979: Nov 14 10:35:24: Se2/0:0 LCP: ACFC (0x0802)
    001980: Nov 14 10:35:24: Se2/0:0 LCP: Callback 6 (0x0D0306)
    001981: Nov 14 10:35:24: Se2/0:0 LCP: MRRU 1500 (0x110405DC)
    001982: Nov 14 10:35:24: Se2/0:0 LCP: MultilinkShortSeq (0x1202)
    001983: Nov 14 10:35:24: Se2/0:0 LCP: EndpointDisc 4 Magic
    001984: Nov 14 10:35:24: Se2/0:0 LCP:
    (0x131704A9FA9FA14292522F5F3DE7DCB9)
    001985: Nov 14 10:35:24: Se2/0:0 LCP: (0xB636669A034034)
    001986: Nov 14 10:35:24.399 gmt: %LINK-3-UPDOWN: Interface Serial2/0:0,
    changed
    state to down
     
    Groper, Nov 14, 2003
    #3
  4. What kind of a terminal adapter? If external and serially attached, The
    sync to async conversion usually precludes the use of CHAP, unless the
    Terminal Adapter supports it.
     
    Phillip Remaker, Nov 15, 2003
    #4
  5. Groper

    Groper Guest

    Sorry to sound dumb, but I don't understand your reply!
     
    Groper, Nov 17, 2003
    #5
  6. The deal here is that (logically) you have this:

    [router]------------------------[TA]---[[COM] PC]
    \______________________/ ^
    ^ |
    two B channels async RS232
    (sync PPP)

    so from the standpoint of Windows DUN, it's just
    talking async PPP on one link. But between the
    TA and the router, there is in fact a multilink
    PPP bundle of two synchronous links.

    So your TA has to do the conversion between async
    PPP and sync PPP - also, it has to manage the
    bundle of two links and make them look like one link
    to the PC.

    Now, when the PC wants to bring up the link, it will
    send ONE PAP username/password. The TA has to be PAP-aware -
    it needs to grab this PAP password, use it to bring up the
    first link, then replay it for the second link.

    So it sounds like your TA is PAP- but not CHAP- (MS-CHAP)-
    aware - if the PC is trying to authenticate using CHAP
    rater than PAP, it doesn't know how to grab the CHAP
    secret and replay it.

    If you're still not following, then don't worry - just
    stick to PAP.

    Aaron

    ---

    ~ Sorry to sound dumb, but I don't understand your reply!
    ~
    ~
    ~ ~ >
    ~ > ~ > > I have a working 3640 that I am trying to connect to from an ISDN W2K PC
    ~ > >
    ~ > > PAP works fine but, I am unable to get it to Authenticate with CHAP or
    ~ > even
    ~ > > MS-CHAP
    ~ >
    ~ > What kind of a terminal adapter? If external and serially attached, The
    ~ > sync to async conversion usually precludes the use of CHAP, unless the
    ~ > Terminal Adapter supports it.
    ~ >
    ~ >
    ~
     
    Aaron Leonard, Nov 17, 2003
    #6
  7. Groper

    Groper Guest

    Cheers mate, perfect explanation.

    My TA was setup for PAP only. I changed it to CHAP, and now it works fine.

    Yippee.......................

    Thanks again, that was really starting to bug me.
    Groper
     
    Groper, Nov 18, 2003
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.