Cisco Router/NAS and Windows IAS RADIUS

Discussion in 'Cisco' started by Richard Field, Jan 22, 2004.

  1. I'm having trouble getting a Pocket PC to connect to a NAS.

    The Pocket PC is an HP iPaq 4350, running Pocket PC 2003. I am trying
    to use the PPTP client that comes with the PPC to connect to a Cisco
    3640 router. The router/NAS talks to a Windows 2003 server running
    IAS.

    I CAN connect to this NAS with a laptop running Windows XP Pro and
    using the PPTP client that comes with it. Everything works fine on
    the laptop, while the pocket PC cannot connect.

    I'm pretty stumped here, I'm not really up on RADIUS, though I have
    learned more than I ever wished to know. Other than configuring the
    client, the only entry in IAS is the default "Use Windows
    Authentication" entry. Like I said, this is working for the laptop
    but not for the pocket PC.

    I have included my router config and some debug output. If anyone
    could be of assistance, I would be most grateful.

    Richard Field



    ----------------------------------------------------------------

    pptp#sh run
    Building configuration...

    Current configuration : 2293 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname pptp
    !
    aaa new-model
    aaa authentication ppp default group radius local
    aaa authorization network default group radius if-authenticated
    aaa accounting network default start-stop group radius
    enable secret 5 *****
    !
    username john privilege 15 password 0 doe
    memory-size iomem 25
    ip subnet-zero
    ip cef
    !
    !
    ip name-server 10.9.200.14
    ip name-server 10.9.200.5
    ip dhcp excluded-address 10.180.8.1 10.180.8.99
    !
    ip audit notify log
    ip audit po max-events 100
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    call rsvp-sync
    !
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0/0
    ip address 10.9.150.1 255.255.0.0
    full-duplex
    no cdp enable
    !
    interface Serial0/0
    no ip address
    shutdown
    no fair-queue
    !
    interface Serial0/1
    no ip address
    shutdown
    !
    interface Ethernet1/0
    ip address 10.180.8.5 255.255.255.0
    full-duplex
    no cdp enable
    !
    interface Virtual-Template1
    bandwidth 10000
    ip unnumbered Ethernet1/0
    peer default ip address pool testpool
    compress mppc
    ppp encrypt mppe 40
    ppp authentication ms-chap
    ppp timeout idle 1000
    !
    ip local pool testpool 10.9.150.100 10.9.150.150
    ip default-gateway 10.9.201.79
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.9.201.79
    no ip http server
    !
    no cdp run
    snmp-server community ***** RO
    snmp-server enable traps tty
    radius-server host 10.9.201.40 auth-port 1645 acct-port 1646
    radius-server key *****
    radius-server authorization permit missing Service-Type
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    password *****
    !
    end

    pptp#
    ----------------------------------------
    pptp#sh debug
    General OS:
    AAA Authentication debugging is on
    AAA Authorization debugging is on
    AAA Per-user attributes debugging is on
    Radius protocol debugging is on
    ------Good Authentication output (Laptop)-------

    05:50:57: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
    05:50:57: Vi2 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
    05:50:59: AAA: parse name=Virtual-Access2 idb type=21 tty=-1
    05:50:59: AAA: name=Virtual-Access2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    05:50:59: AAA: parse name=<no string> idb type=-1 tty=-1
    05:50:59: AAA/MEMORY: create_user (0x622CD2D8) user='rrf' ruser='NULL' ds0=0 port='Virtual-Access2' rem_addr='' authen_type=MSCHAP service=PPP priv=1 initial_task_id='0'
    05:50:59: AAA/AUTHEN/START (3788462656): port='Virtual-Access2' list='' action=LOGIN service=PPP
    05:50:59: AAA/AUTHEN/START (3788462656): using "default" list
    05:50:59: AAA/AUTHEN/START (3788462656): Method=radius (radius)
    05:50:59: RADIUS: ustruct sharecount=1
    05:50:59: Radius: radius_port_info() success=1 radius_nas_port=1
    05:50:59: RADIUS: Initial Transmit Virtual-Access2 id 45 10.9.201.40:1645, Access-Request, len 129
    05:50:59: Attribute 4 6 BE099601
    05:50:59: Attribute 5 6 00000002
    05:50:59: Attribute 61 6 00000005
    05:50:59: Attribute 1 5 7272661A
    05:50:59: Attribute 26 16 000001370B0AFAD8
    05:50:59: Attribute 26 58 0000013701341001
    05:50:59: Attribute 6 6 00000002
    05:50:59: Attribute 7 6 00000001
    05:50:59: RADIUS: Received from id 45 10.9.201.40:1645, Access-Accept, len 120
    05:50:59: Attribute 7 6 00000001
    05:50:59: Attribute 6 6 00000002
    05:50:59: Attribute 25 32 54DA0610
    05:50:59: Attribute 26 40 000001370C22EED2
    05:50:59: Attribute 26 16 000001370A0A1048
    05:50:59: AAA/AUTHEN (3788462656): status = PASS
    05:50:59: Vi2 AAA/AUTHOR/LCP: Authorize LCP
    05:50:59: Vi2 AAA/AUTHOR/LCP (2272260671): Port='Virtual-Access2' list='' service=NET
    05:50:59: AAA/AUTHOR/LCP: Vi2 (2272260671) user='rrf'
    05:50:59: Vi2 AAA/AUTHOR/LCP (2272260671): send AV service=ppp
    05:50:59: Vi2 AAA/AUTHOR/LCP (2272260671): send AV protocol=lcp
    05:50:59: Vi2 AAA/AUTHOR/LCP (2272260671): found list "default"
    05:50:59: Vi2 AAA/AUTHOR/LCP (2272260671): Method=radius (radius)
    05:50:59: RADIUS: unrecognized Microsoft VSA type 10
    05:50:59: Vi2 AAA/AUTHOR (2272260671): Post authorization status = PASS_REPL
    05:50:59: Vi2 AAA/AUTHOR/LCP: Processing AV service=ppp
    05:50:59: Vi2 AAA/AUTHOR/LCP: Processing AV mschap_mppe_keys*1y1s1h1j1b1 1:111P1
    1-1Z1L1^1T1N111|1b1B1E1▬1^
    05:50:59: Vi2 AAA/AUTHOR/FSM: (0): Can we start IPCP?
    05:50:59: Vi2 AAA/AUTHOR/FSM (701152068): Port='Virtual-Access2' list='' service=NET
    05:50:59: AAA/AUTHOR/FSM: Vi2 (701152068) user='rrf'
    05:50:59: Vi2 AAA/AUTHOR/FSM (701152068): send AV service=ppp
    05:50:59: Vi2 AAA/AUTHOR/FSM (701152068): send AV protocol=ip
    05:50:59: Vi2 AAA/AUTHOR/FSM (701152068): found list "default"
    05:50:59: Vi2 AAA/AUTHOR/FSM (701152068): Method=radius (radius)
    05:50:59: RADIUS: unrecognized Microsoft VSA type 10
    05:50:59: Vi2 AAA/AUTHOR (701152068): Post authorization status = PASS_REPL
    05:50:59: Vi2 AAA/AUTHOR/FSM: We can start IPCP
    05:50:59: Vi2 AAA/AUTHOR/FSM: (0): Can we start CCP?
    05:50:59: Vi2 AAA/AUTHOR/FSM (190549852): Port='Virtual-Access2' list='' service=NET
    05:50:59: AAA/AUTHOR/FSM: Vi2 (190549852) user='rrf'
    05:50:59: Vi2 AAA/AUTHOR/FSM (190549852): send AV service=ppp
    05:50:59: Vi2 AAA/AUTHOR/FSM (190549852): send AV protocol=ccp
    05:50:59: Vi2 AAA/AUTHOR/FSM (190549852): found list "default"
    05:51:00: Vi2 AAA/AUTHOR/FSM (190549852): Method=radius (radius)
    05:51:00: RADIUS: unrecognized Microsoft VSA type 10
    05:51:00: Vi2 AAA/AUTHOR (190549852): Post authorization status = PASS_REPL
    05:51:00: Vi2 AAA/AUTHOR/FSM: We can start CCP
    05:51:00: RADIUS: ustruct sharecount=3
    05:51:00: Radius: radius_port_info() success=1 radius_nas_port=1
    05:51:00: RADIUS: Sent class "TZ♠►
    " at 622DB56C from user 622CD2D8
    05:51:00: RADIUS: Initial Transmit Virtual-Access2 id 46 10.9.201.40:1646, Accounting-Request, len 130
    05:51:00: Attribute 4 6 BE099601
    05:51:00: Attribute 5 6 00000002
    05:51:00: Attribute 61 6 00000005
    05:51:00: Attribute 1 5 72726628
    05:51:00: Attribute 40 6 00000001
    05:51:00: Attribute 25 32 54DA0610
    05:51:00: Attribute 45 6 00000001
    05:51:00: Attribute 6 6 00000002
    05:51:00: Attribute 44 10 00000009
    05:51:00: Attribute 7 6 00000001
    05:51:00: Attribute 66 15 31302E31
    05:51:00: Attribute 41 6 00000000
    05:51:00: RADIUS: Received from id 46 10.9.201.40:1646, Accounting-response, len 20
    05:51:00: Vi2 AAA/AUTHOR/FSM: Check for unauthorized mandatory AV's
    05:51:00: Vi2 AAA/AUTHOR/FSM: Processing AV service=ppp
    05:51:00: Vi2 AAA/AUTHOR/FSM: Processing AV mschap_mppe_keys*1y1s1h1j1b1 1:111P1
    1-1Z1L1^1T1N111|1b1B1E1▬1^
    05:51:00: Vi2 AAA/AUTHOR/FSM: Succeeded
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
    05:51:00: Vi2 AAA/AUTHOR/IPCP (121557109): Port='Virtual-Access2' list='' service=NET
    05:51:00: AAA/AUTHOR/IPCP: Vi2 (121557109) user='rrf'
    05:51:00: Vi2 AAA/AUTHOR/IPCP (121557109): send AV service=ppp
    05:51:00: Vi2 AAA/AUTHOR/IPCP (121557109): send AV protocol=ip
    05:51:00: Vi2 AAA/AUTHOR/IPCP (121557109): found list "default"
    05:51:00: Vi2 AAA/AUTHOR/IPCP (121557109): Method=radius (radius)
    05:51:00: RADIUS: unrecognized Microsoft VSA type 10
    05:51:00: Vi2 AAA/AUTHOR (121557109): Post authorization status = PASS_REPL
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Processing AV service=ppp
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Processing AV mschap_mppe_keys*1y1s1h1j1b1 1:111P1
    1-1Z1L1^1T1N111|1b1B1E1▬1^
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Authorization succeeded
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0
    05:51:00: Vi2 AAA/AUTHOR/FSM: Check for unauthorized mandatory AV's
    05:51:00: Vi2 AAA/AUTHOR/FSM: Processing AV service=ppp
    05:51:00: Vi2 AAA/AUTHOR/FSM: Processing AV mschap_mppe_keys*1y1s1h1j1b1 1:111P1
    1-1Z1L1^1T1N111|1b1B1E1▬1^
    05:51:00: Vi2 AAA/AUTHOR/FSM: Succeeded
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 10.9.150.101
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2903722541): Port='Virtual-Access2' list='' service=NET
    05:51:00: AAA/AUTHOR/IPCP: Vi2 (2903722541) user='rrf'
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2903722541): send AV service=ppp
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2903722541): send AV protocol=ip
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2903722541): found list "default"
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2903722541): Method=radius (radius)
    05:51:00: RADIUS: unrecognized Microsoft VSA type 10
    05:51:00: Vi2 AAA/AUTHOR (2903722541): Post authorization status = PASS_REPL
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Processing AV service=ppp
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Processing AV mschap_mppe_keys*1y1s1h1j1b1 1:111P1
    1-1Z1L1^1T1N111|1b1B1E1▬1^
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Authorization succeeded
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 10.9.150.101
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Start. Her address 10.9.150.101, we want 10.9.150.101
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2474677066): Port='Virtual-Access2' list='' service=NET
    05:51:00: AAA/AUTHOR/IPCP: Vi2 (2474677066) user='rrf'
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2474677066): send AV service=ppp
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2474677066): send AV protocol=ip
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2474677066): send AV addr*10.9.150.101
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2474677066): found list "default"
    05:51:00: Vi2 AAA/AUTHOR/IPCP (2474677066): Method=radius (radius)
    05:51:00: RADIUS: unrecognized Microsoft VSA type 10
    05:51:00: Vi2 AAA/AUTHOR (2474677066): Post authorization status = PASS_REPL
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Reject 10.9.150.101, using 10.9.150.101
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Processing AV service=ppp
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Processing AV mschap_mppe_keys*1y1s1h1j1b1 1:111P1
    1-1Z1L1^1T1N111|1b1B1E1▬1^
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Processing AV addr*10.9.150.101
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Authorization succeeded
    05:51:00: Vi2 AAA/AUTHOR/IPCP: Done. Her address 10.9.150.101, we want 10.9.150.101
    05:51:00: Vi2 AAA/AUTHOR/PER-USER: Event IP_UP
    05:51:00: Vi2 AAA/AUTHOR: IP_UP
    05:51:00: Vi2 AAA/PER-USER: processing author params.
    05:51:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up




    ------Bad Authentication output (pocket pc)------
    05:52:59: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
    05:52:59: Vi1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
    05:53:02: AAA: parse name=Virtual-Access1 idb type=21 tty=-1
    05:53:02: AAA: name=Virtual-Access1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    05:53:02: AAA: parse name=<no string> idb type=-1 tty=-1
    05:53:02: AAA/MEMORY: create_user (0x6252FD98) user='rrf' ruser='NULL' ds0=0 port='Virtual-Access1' rem_addr='' authen_type=MSCHAP service=PPP priv=1 initial_task_id='0'
    05:53:02: AAA/AUTHEN/START (2302672513): port='Virtual-Access1' list='' action=LOGIN service=PPP
    05:53:02: AAA/AUTHEN/START (2302672513): using "default" list
    05:53:02: AAA/AUTHEN/START (2302672513): Method=radius (radius)
    05:53:02: RADIUS: ustruct sharecount=1
    05:53:02: Radius: radius_port_info() success=1 radius_nas_port=1
    05:53:02: RADIUS: Initial Transmit Virtual-Access1 id 48 10.9.201.40:1645, Access-Request, len 129
    05:53:02: Attribute 4 6 BE099601
    05:53:02: Attribute 5 6 00000001
    05:53:02: Attribute 61 6 00000005
    05:53:02: Attribute 1 5 7272661A
    05:53:02: Attribute 26 16 000001370B0AD1ED
    05:53:02: Attribute 26 58 0000013701341001
    05:53:02: Attribute 6 6 00000002
    05:53:02: Attribute 7 6 00000001
    05:53:02: RADIUS: Received from id 48 10.9.201.40:1645, Access-Reject, len 42
    05:53:02: Attribute 26 22 0000013702101045
    05:53:02: AAA/AUTHEN (2302672513): status = FAIL
    05:53:02: AAA/MEMORY: free_user (0x6252FD98) user='rrf' ruser='NULL' port='Virtual-Access1' rem_addr='' authen_type=MSCHAP service=PPP priv=1
    05:53:02: Vi1 AAA/AUTHOR/PER-USER: Event LCP_DOWN
    05:53:02: Vi1 AAA/AUTHOR: LCP_DOWN
    05:53:02: Vi1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
    05:53:02: Vi1 AAA/AUTHOR/PER-USER: Event LCP_DOWN
    05:53:02: Vi1 AAA/AUTHOR: LCP_DOWN
    05:53:02: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
    05:53:02: Vi1 AAA/AUTHOR/PER-USER: Event LCP_DOWN
    05:53:02: Vi1 AAA/AUTHOR: LCP_DOWN
     
    Richard Field, Jan 22, 2004
    #1

  2. I fixed my own problem. Turns out the Pocket PC uses an older version
    of the PPTP client. I had to change a registry value on the IAS
    server to accept LAN Manager connections.
     
    Richard Field, Jan 23, 2004
    #2

  3. The registry key to enable LAN Man authentication is:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication DWORD 1
     
    Sam Salhi [MSFT], Jan 23, 2004
    #3
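
An added example (not part of the thread and not from any poster): a small decoder for the `Attribute <type> <len> <hex>` lines in the debug output of post #1. It names the standard attributes (RFC 2865) and the Microsoft vendor-specific types (RFC 2548), which shows that the Access-Reject carries an MS-CHAP-Error. The function names are this example's own; the sample lines are taken from the failing trace.

```python
import re

# Standard attribute numbers (RFC 2865) and Microsoft vendor types (RFC 2548).
ATTR = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
        7: "Framed-Protocol", 25: "Class", 26: "Vendor-Specific", 61: "NAS-Port-Type"}
MS_VENDOR = 311
MS_VSA = {1: "MS-CHAP-Response", 2: "MS-CHAP-Error", 10: "MS-CHAP-Domain",
          11: "MS-CHAP-Challenge", 12: "MS-CHAP-MPPE-Keys"}
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ((?:[0-9A-Fa-f]{2})+)\s*$")
PKT_RE = re.compile(r"RADIUS: (?:Initial Transmit|Received from) .*?"
                    r"((?:Access|Accounting)-\w+)")

def decode_attr(line):  # one 'Attribute <type> <len> <hex>' line -> dict or None
    m = ATTR_RE.search(line)
    if not m:
        return None
    atype, alen = int(m.group(1)), int(m.group(2))
    # The debug shows a fixed-size prefix: bytes past (len - 2) belong to the
    # next attribute, so trim them (7272661A with len 5 is just b"rrf").
    value = bytes.fromhex(m.group(3))[:max(alen - 2, 0)]
    out = {"name": ATTR.get(atype, f"Attribute-{atype}"), "value": value}
    if atype == 26 and len(value) >= 6:   # vendor id(4), type(1), length(1)
        vendor, vtype, data = int.from_bytes(value[:4], "big"), value[4], value[6:]
        if vendor == MS_VENDOR:
            out["name"] = MS_VSA.get(vtype, f"MS-VSA-{vtype}")
            if vtype == 1 and len(data) >= 2:
                # MS-CHAP-Response: Ident, then Flags (1 = prefer NT-Response)
                out["ident"], out["flags"] = data[0], data[1]
    return out

def decode_trace(text):  # -> [(packet code, [decoded attributes])] in order
    packets = []
    for line in text.splitlines():
        pkt = PKT_RE.search(line)
        if pkt:
            packets.append((pkt.group(1), []))
        elif packets and (attr := decode_attr(line)):
            packets[-1][1].append(attr)
    return packets

# Lines from the failing (Pocket PC) trace on this page, wraps rejoined.
SAMPLE = """\
05:53:02: RADIUS: Initial Transmit Virtual-Access1 id 48 10.9.201.40:1645, Access-Request, len 129
05:53:02: Attribute 1 5 7272661A
05:53:02: Attribute 26 16 000001370B0AD1ED
05:53:02: Attribute 26 58 0000013701341001
05:53:02: RADIUS: Received from id 48 10.9.201.40:1645, Access-Reject, len 42
05:53:02: Attribute 26 22 0000013702101045
"""
```

The IOS debug prints only the first bytes of each attribute, so the decoder can name the attribute and read its leading fields but cannot recover the full MS-CHAP-Error string from the trace.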