PPTP VPN with MPPE problem

王岩
Hi, I have a problem about Cisco PPTP VPN with MPPE Authentication.

I use FreeRadius 1.0.4 with MySQL 4.1.10.
I want to establish a PPTP VPN authenticated by FreeRadius.
The problem is when I use pix525(os6.34), I can establish the PPTP VPN with
MPPE 128, MS-CHAP.
But when I use cisco7204(12.2-29), I can only establish the PPTP VPN without
MPPE, MS-CHAP.
When I use cisco7204 local db for authentication, I can establish the PPTP
VPN with MPPE 128, MS-CHAP.
I use the same configuration on radius server.
I think the problem is freeradius.
But it is strange, because FreeRadius supports MPPE keys and the PIX
test succeeded.


----7204 configuration----
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 peer default ip address pool test
 ppp encrypt mppe auto stateful
 ppp authentication ms-chap chap

----windowsxp vpn client----
MS-CHAP, maximum strength encryption.

It displayed that the encryption type does not match.

7204 debug ppp mppe event
5:41:33: Vi1 MS-CHAP: O SUCCESS id 29 len 4
15:41:33: Vi1 MPPE: don't understand all options, NAK
15:41:33: Vi1 MPPE: RADIUS keying material missing


Can anyone help me?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
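
The `RADIUS keying material missing` debug line in the post above refers to the Microsoft vendor-specific attributes of RFC 2548 that carry MPPE keys in an Access-Accept (MS-CHAP-MPPE-Keys for MS-CHAP v1, MS-MPPE-Send-Key and MS-MPPE-Recv-Key for MS-CHAP v2). The following is an added example, not code from any poster in this thread or from FreeRADIUS: it parses a RADIUS packet and reports which keying attributes are absent. The two sample packets and the helper names are constructed for illustration.

```python
import struct

MS_VENDOR = 311  # Microsoft vendor id used by the RFC 2548 attributes
MS_ATTRS = {7: "MS-MPPE-Encryption-Policy", 8: "MS-MPPE-Encryption-Types",
            12: "MS-CHAP-MPPE-Keys", 16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}
# Keying attributes the NAS needs in the Access-Accept, per MS-CHAP version
REQUIRED = {1: {"MS-CHAP-MPPE-Keys"}, 2: {"MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"}}

def ms_attributes(packet: bytes) -> dict:
    """Return {attribute name: value length} for Microsoft VSAs in a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20                      # attributes follow the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(value) < 6:    # 26 = Vendor-Specific
            continue
        if struct.unpack("!I", value[:4])[0] != MS_VENDOR:
            continue
        sub = 4                              # one VSA may hold several sub-attributes
        while sub + 2 <= len(value):
            vtype, vlen = value[sub], value[sub + 1]
            if vlen < 2 or sub + vlen > len(value):
                raise ValueError("malformed vendor attribute")
            found[MS_ATTRS.get(vtype, f"MS-{vtype}")] = vlen - 2
            sub += vlen
    return found

def missing_keying(packet: bytes, mschap_version: int) -> set:
    """Keying attributes the NAS would expect but the packet lacks."""
    return REQUIRED[mschap_version] - set(ms_attributes(packet))

def _vsa(vtype: int, data: bytes) -> bytes:
    body = struct.pack("!IBB", MS_VENDOR, vtype, len(data) + 2) + data
    return bytes([26, len(body) + 2]) + body

def _accept(attrs: bytes) -> bytes:          # code 2 = Access-Accept, zeroed authenticator
    return struct.pack("!BBH", 2, 29, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples: Service-Type/Framed-Protocol only, then one with v1 keys.
ACCEPT_NO_KEYS = _accept(bytes([6, 6]) + struct.pack("!I", 2)
                         + bytes([7, 6]) + struct.pack("!I", 1))
ACCEPT_V1_KEYS = _accept(_vsa(12, bytes(32)) + _vsa(7, struct.pack("!I", 2))
                         + _vsa(8, struct.pack("!I", 4)))
```

To use it on real traffic, pass the UDP payload of the Access-Accept captured between the RADIUS server and the NAS.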
Re: PPTP VPN with MPPE problem

Alan DeKok
wangyan <[hidden email]> wrote:
> The problem is when I use pix525(os6.34), I can establish the PPTP VPN with
> MPPE 128, MS-CHAP.
> But when I use cisco7204(12.2-29), I can only establish the PPTP VPN without
> MPPE, MS-CHAP.

  It would appear that the NASes aren't the same.

> When I use cisco7204 local db for authentication, I can establish the PPTP
> VPN with MPPE 128, MS-CHAP.
> I use the same configuration on radius server.
> I think the problem is freeradius.

  Nope.

  Alan DeKok.
Re: PPTP VPN with MPPE problem

Giovanni Torrisi
Hi,
you must be sure that the IOS running on the 7204 supports encryption.
Try this:
on the interface virtual-template you use for auth, add: ppp encrypt xxx
where xxx can be auto, 40 or 128

cheers,
giovanni


wangyan wrote:

> Hi, I have a problem about Cisco PPTP VPN with MPPE Authentication.
>
> I use FreeRadius 1.0.4 with MySQL 4.1.10.
> I want to establish a PPTP VPN authenticated by FreeRadius.
> The problem is when I use pix525(os6.34), I can establish the PPTP VPN
> with MPPE 128, MS-CHAP.
> But when I use cisco7204(12.2-29), I can only establish the PPTP VPN
> without MPPE, MS-CHAP.
> When I use cisco7204 local db for authentication, I can establish the
> PPTP VPN with MPPE 128, MS-CHAP.
> I use the same configuration on radius server.
> I think the problem is freeradius.
> But it is strange, because FreeRadius supports MPPE keys and the PIX
> test succeeded.
>
>
> ----7204 configuration----
> interface Virtual-Template1
> ip unnumbered FastEthernet1/0
> peer default ip address pool test
> ppp encrypt mppe auto stateful
> ppp authentication ms-chap chap
>
> ----windowsxp vpn client----
> MS-CHAP, maximum strength encryption.
>
> It displayed that the encryption type does not match.
>
> 7204 debug ppp mppe event
> 5:41:33: Vi1 MS-CHAP: O SUCCESS id 29 len 4
> 15:41:33: Vi1 MPPE: don't understand all options, NAK
> 15:41:33: Vi1 MPPE: RADIUS keying material missing
>
>
> Can anyone help me?
>
>
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>

Callback Cisco to WinXP

Stefan A.
Hi,

I have to configure an async callback solution using Cisco IOS and
Freeradius.
Up to now, the user can dial in and will be authenticated against my
freeradius server. Everything works fine.

After setting up the callback things on the router and on the radius server,
the user will still be granted access without any callback options.
Debugging the cisco callback during the session setup, I get the
message:

Se0/1 MCB: Start
Se0/1 MCB: Callback not authorized for this user stefancb
...


What I've done so far:
On WinXP, I left everything at default, so that the user will be given the
choice to be called back if the server makes an offer.

On the Cisco, I've configured:

interface Serial0/1
 physical-layer async
 ip address 10.1.20.200 255.255.255.0
 ip nat inside
 encapsulation ppp
 ip tcp adjust-mss 1452
 async mode interactive
 peer default ip address pool modemippool
 no keepalive
 ppp callback accept
 ppp authentication chap
!

chat-script offhook "" "ATH1" OK
chat-script callback ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT60
CONNECT \c

line 2
 flush-at-activation
 script modem-off-hook offhook
 script callback callback
 modem InOut
 modem autoconfigure discovery
 transport input all
 autoselect during-login
 autoselect ppp
 speed 115200


The user is configured on the radius server:

stefancb Auth-Type := Local, User-Password == "hello"
        Service-Type = Callback-Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "ip:dns-servers=10.1.1.2",
        Cisco-AVPair != "ip:wins-servers=10.1.1.2",
        Cisco-AVPair != "lcp:callback-dialstring=0123456",

I've also tested
        Service-Type = Framed-User,



What's wrong here?
How do I have to set up the user on my Radius Server?

Thank You.
Regards Stefan

