Cisco VPN using Microsoft IAS (RADIUS)

Discussion in 'Cisco' started by Newscene, Apr 21, 2004.

    Newscene Guest

    No joy yet --- still baffled
     
    Newscene, Apr 29, 2004
    #21
    mh Guest

    Did you try removing the access-group command from the "outside"
    interface?

    You might want to try capturing the output of the following commands.
    Try each debug command one at a time:

    debug vpdn errors

    debug vpdn events

    debug vpdn packet
     
    mh, Apr 29, 2004
    #22
    mh Guest

    BTW there are a number of Cisco software advisories out against the
    IOS version you are using. You may want to consider upgrading to 21b.
    I think there are issues with the 23 level versions ...
     
    mh, Apr 29, 2004
    #23
    mh Guest

    Based on reviewing all of the Cisco sample configs I could find, you
    may wish to try the following config for the virtual interface:


    no interface Virtual-Template1

    interface Virtual-Template1
    ip unnumbered FastEthernet0/0
    peer default ip address pool DIAL-IN
    ppp encrypt mppe auto
    ppp authentication ms-chap
    exit
     
    mh, Apr 30, 2004
    #24
    Newscene Guest

    Thanks. I'll give that a try and let you know what happens.
     
    Newscene, Apr 30, 2004
    #25
    Newscene Guest

    Guess what. With the configuration below I am able to get a connection BUT
    the only way I can do so is to DISABLE "Require Data Encryption" on the
    client. Not exactly what I had hoped for. Also, I never tried this with any
    of the other configs so I'm not sure it has anything to do with this
    particular config.

    I'm going to keep fiddling and see what I can determine.
     
    Newscene, May 1, 2004
    #26
    Newscene Guest

    As a follow-on to my previous response, the first thing I can see is that
    Compression (MPPC) is now on, and Encryption (MPPE) is now not on.
     
    Newscene, May 1, 2004
    #27
    mh Guest

    Try adding back the required option

    ppp encrypt mppe auto required
     
    mh, May 1, 2004
    #28
    Newscene Guest

    No go. Now it's back to the way it was originally - it drops with an error
    742 - does not support the required encryption
     
    Newscene, May 2, 2004
    #29
    mh Guest

    So it looks like you are having an MPPE issue...

    This may mean that the MPPE attributes being returned by the IAS
    RADIUS server are not supported by Cisco...

    What attributes do you have configured with respect to MPPE on your
    IAS server?



    =========================================================================

    2.4.4. MS-MPPE-Encryption-Policy

    Description

    The MS-MPPE-Encryption-Policy Attribute may be used to signify
    whether the use of encryption is allowed or required. If the
    Policy field is equal to 1 (Encryption-Allowed), any or none of
    the encryption types specified in the MS-MPPE-Encryption-Types
    Attribute MAY be used. If the Policy field is equal to 2
    (Encryption-Required), any of the encryption types specified in
    the MS-MPPE-Encryption-Types Attribute MAY be used, but at least
    one MUST be used.

    2.4.5. MS-MPPE-Encryption-Types

    Description

    The MS-MPPE-Encryption-Types Attribute is used to signify the
    types of encryption available for use with MPPE. It is a four
    octet integer that is interpreted as a string of bits.

    If the L bit is set, RC4[5] encryption using a 40-bit key is
    allowed. If the S bit is set, RC4 encryption using a 128-bit key
    is allowed. If both the L and S bits are set, then either 40- or
    128-bit keys may be used with the RC4 algorithm.


    ========================================================================


    Try capturing output of

    debug ppp mppe packet - Displays all incoming and outgoing MPPE traffic.

    debug ppp mppe event - Displays key MPPE occurrences.

    debug ppp mppe detailed - Displays verbose MPPE information.

    show ppp mppe virtual-access




    see MS KB article:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q235284


    see
    http://my.execpc.com/~keithp/pptp.htm


    see
    http://www.open.com.au/archives/radiator/2002-05/msg00221.html



    BTW I also saw a PPTP config that had the command compress mppc under
    the virtual-template1 interface

    interface Virtual-Template1
    compress mppc
    exit


    If you ever get your current issue solved, you might want to check
    that option out




    =================================================================================

    What does "Error 742" mean?

    A. This error means that the remote computer does not support the
    required data encryption type. For example, if you set the PC for
    "encrypted only" and delete the pptp encrypt mppe auto command from
    the router, then the PC and the router would not be able to agree on
    encryption. The debug ppp negotiation command shows the following.

    04:41:09: Vi1 LCP: O PROTREJ [Open] id 5 len 16 protocol CCP (0x80FD0102000A1206010000B0)


    Another example involves the router MPPE RADIUS problem. If you set
    the router for ppp encrypt mppe auto required and the PC for
    "encryption allowed with authentication to a RADIUS server not
    returning the MPPE key," then you get an error on the PC that states,
    "Error 742: The remote computer does not support the required data
    encryption type." The router debug shows a "Call-Clear-Request" (bytes
    9 and 10 = 0x000C = 12 = Call-Clear-Request per RFC) as seen below.

    00:45:58: Tnl 17 PPTP: CC I 001000011A2B3C4D000C000000000000
    00:45:58: Vi1 Tnl/Cl 17/17 PPTP: CC I ClearRQ
     
    mh, May 3, 2004
    #30
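Decoding what the RADIUS server actually returned, as an added example that is not part of the thread and not Cisco or Microsoft code: the Python below parses the Microsoft vendor-specific attributes from the attribute area of an Access-Accept, unwraps MS-MPPE-Send-Key and MS-MPPE-Recv-Key with the RFC 2548 MD5 scheme (shared secret plus Request-Authenticator and salt), and applies a simplified model of the router/client negotiation to predict whether MPPE comes up, is silently off, or ends in the client's Error 742. The attribute numbers (vendor 311; sub-types 7, 8, 16, 17) and the key wrapping are from RFC 2548; the negotiation model in mppe_outcome(), the defaults assumed for absent attributes, and the sample secret, Request-Authenticator and keys are assumptions constructed for this example.

```python
"""Decode MS-MPPE vendor attributes from a RADIUS Access-Accept and predict
the MPPE outcome.  Added example for this thread, not Cisco or Microsoft code.
Attribute numbers and key wrapping follow RFC 2548; the negotiation model and
the sample data are assumptions constructed for the example."""
import hashlib
import struct

VSA = 26                        # RADIUS Vendor-Specific attribute type
MS_VENDOR_ID = 311              # Microsoft
MPPE_POLICY, MPPE_TYPES, MPPE_SEND_KEY, MPPE_RECV_KEY = 7, 8, 16, 17
TYPE_40BIT, TYPE_128BIT = 0x2, 0x4   # L and S bits of MS-MPPE-Encryption-Types

# Constructed sample data (not captured from any real server).
SECRET = b"radius-shared-secret"
REQ_AUTH = bytes(range(16))     # Request-Authenticator of the Access-Request
SEND_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # 128-bit key
RECV_KEY = SEND_KEY[::-1]


def _keystream_xor(data, secret, req_auth, salt, chain_on_cipher):
    """RFC 2548 2.4.2: b(1)=MD5(S+R+A), b(i)=MD5(S+c(i-1)), c(i)=p(i) xor b(i).
    The chain block is the ciphertext: input when decrypting, output when
    encrypting."""
    prev, out = req_auth + salt, b""
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, b))
        out += res
        prev = block if chain_on_cipher else res
    return out


def encrypt_mppe_key(key, secret, req_auth, salt):
    """Wrap a plaintext MPPE key the way the RADIUS server does."""
    if len(salt) != 2 or not salt[0] & 0x80 or len(req_auth) != 16:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)       # pad to a 16-octet multiple
    return salt + _keystream_xor(plain, secret, req_auth, salt, False)


def decrypt_mppe_key(blob, secret, req_auth):
    """Unwrap MS-MPPE-Send-Key / Recv-Key.  A wrong shared secret usually
    shows up here as an impossible length octet."""
    salt, ct = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not ct or len(ct) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain = _keystream_xor(ct, secret, req_auth, salt, True)
    n = plain[0]
    if n == 0 or n > len(plain) - 1:
        raise ValueError("bad key length octet; shared secret mismatch?")
    return plain[1:1 + n]


def vsa(vendor_type, value):
    """One RADIUS attribute 26 carrying a single Microsoft sub-attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VSA, len(inner) + 6, MS_VENDOR_ID) + inner


def parse_ms_attrs(attrs):
    """Walk a RADIUS attribute area; return {vendor_type: [values]} for the
    Microsoft VSAs and skip everything else."""
    out, i = {}, 0
    while i < len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("truncated attribute")
        if t == VSA and l >= 8 and struct.unpack("!I", attrs[i + 2:i + 6])[0] == MS_VENDOR_ID:
            j = i + 6
            while j < i + l:
                vt, vl = attrs[j], attrs[j + 1]
                if vl < 2 or j + vl > i + l:
                    raise ValueError("truncated vendor sub-attribute")
                out.setdefault(vt, []).append(attrs[j + 2:j + vl])
                j += vl
        i += l
    return out


def mppe_outcome(ms, router_size, router_mode, client_requires):
    """Simplified model (assumption, not IOS source): MPPE needs both keys
    from RADIUS and a key size allowed by both 'ppp encrypt mppe 40|128|auto'
    and MS-MPPE-Encryption-Types.  If that fails and anyone insisted (router
    'required', client 'require encryption', policy 2) the call is torn down,
    which the XP client reports as Error 742; otherwise the link simply comes
    up unencrypted, as in the 'passive' + optional case.  Absent attributes
    are assumed to mean policy 1 and both key sizes."""
    policy = int.from_bytes(ms.get(MPPE_POLICY, [b"\0\0\0\1"])[0], "big")
    types = int.from_bytes(ms.get(MPPE_TYPES, [b"\0\0\0\6"])[0], "big")
    have_keys = MPPE_SEND_KEY in ms and MPPE_RECV_KEY in ms
    router_bits = {40: TYPE_40BIT, 128: TYPE_128BIT}.get(router_size, TYPE_40BIT | TYPE_128BIT)
    usable = types & router_bits
    if have_keys and usable:
        return "mppe-up-128" if usable & TYPE_128BIT else "mppe-up-40"
    insisted = client_requires or router_mode == "required" or policy == 2
    return "disconnect-742" if insisted else "mppe-off"


def sample_attrs():
    """Constructed Access-Accept attribute area for a policy of 'require
    128-bit encryption' with keys present."""
    return (vsa(MPPE_POLICY, struct.pack("!I", 2))
            + vsa(MPPE_TYPES, struct.pack("!I", TYPE_128BIT))
            + vsa(MPPE_SEND_KEY, encrypt_mppe_key(SEND_KEY, SECRET, REQ_AUTH, b"\x81\x02"))
            + vsa(MPPE_RECV_KEY, encrypt_mppe_key(RECV_KEY, SECRET, REQ_AUTH, b"\x81\x03")))


if __name__ == "__main__":
    ms = parse_ms_attrs(sample_attrs())
    print("send key:", decrypt_mppe_key(ms[MPPE_SEND_KEY][0], SECRET, REQ_AUTH).hex())
    for size, mode, client in [(128, "required", True), (40, "required", True),
                               ("auto", "passive", False)]:
        print(size, mode, client, "->", mppe_outcome(ms, size, mode, client))
```

The key unwrapping is where a shared-secret mismatch between the 2600 and IAS would surface: the length octet decrypts to garbage and the router never gets a usable session key, so encryption cannot come up no matter what the template says. The outcome function only models the cases the thread describes (keys missing, key size not offered, 'required' versus 'passive'); feed it the attributes from a real capture via parse_ms_attrs() to see which branch a given policy lands in.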
    mh Guest

    Have you applied the latest IAS patches?

    239864 Availability of Internet Authentication Service SP6 Rollup Hotfix
     
    mh, May 3, 2004
    #31
    mh Guest

    What size MPPE encryption key are you using, 40 or 128?


    Perhaps you should consider using that value instead of auto in the
    2600 config

    i.e. ppp encrypt mppe 128 required


    It looks like the key size would come from the IAS RADIUS server because
    on XP I do not see any place for that parameter to be configured ...


    128 bit key size may require MSCHAPv2
     
    mh, May 3, 2004
    #32
    Newscene Guest

    Merv
    First let me say that I REALLY appreciate all the assistance you are
    providing on this, I had about given up on it.

    I had been configuring the Cisco for "mppe auto" assuming that it would sort
    out what it needed with the client. We had tried forcing 128 bit to see if
    that made a difference but it didn't, but we never tried forcing 40-bit.

    The Cisco doesn't support MS-CHAPv2 so maybe you are right and we need to
    drop back to 40 bit. I'll reconfigure and try that today.
     
    Newscene, May 3, 2004
    #33
    Newscene Guest

    Merv

    I am able to connect: Here's what I ended up with and this appears to be the
    ONLY combination that works:

    Cisco Config
    interface Virtual-Template1
    ip unnumbered FastEthernet0/0
    ip mroute-cache
    peer default ip address pool DIAL-IN
    compress mppc
    ppp encrypt mppe 40 passive
    ppp authentication ms-chap

    XP Client Details after connection
    Device Name WAN Miniport (PPTP)
    Device Type vpn
    Server Type PPP
    Transports TCP/IP
    Authentication MS CHAP
    Compression MPPC
    PPP multilink framing Off
    Server IP
    Client IP

    As you can see no level of Encryption is enabled. The XP Client encryption
    is set to OPTIONAL --- setting to required results in disconnect error that
    remote does not support the required encryption type. Yet we have tried 40,
    128, auto and never get encryption.
     
    Newscene, May 3, 2004
    #34