Freeradius - Cisco L2TP Tunnel - Authentication problem.

Tony Spencer tony at games-master.co.uk
Fri Feb 17 10:08:26 CET 2006


Hi

I have an issue with authentication using Freeradius (freeradius-1.0.1-3)

We were running L2TPNS on a Linux box and authenticating fine using CHAP to
the Freeradius server.

However, because of an increased volume of users (DSL and Dial) we need to move
to a Cisco 7200 so it can terminate the tunnel.

The tunnel terminates fine but authentication is failing because the Cisco
is sending PAP authentication and we use CHAP, in fact I would know how to
move to PAP anyway.

No matter what we put into the Cisco config it still uses PAP, even telling
it to refuse PAP.

The Cisco is running IOS 12.2.(6) and here are the relevant lines of config
for the tunnel and authentication:

########################
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius if-authenticated
aaa accounting network default start-stop group radius

multilink virtual-template 1
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname tunnel
 local name gw1
 l2tp tunnel password 7 xxxxxxxxxx
 source-ip 10.0.0.1

interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 ip mroute-cache
 no logging event link-status
 no keepalive
 timeout absolute 4320 0
 no peer default ip address
 ppp authentication chap callin
 ppp multilink
!
ip local pool IP-POOL 192.168.0.1 192.168.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.254
no ip http server
ip pim bidir-enable
!
radius-server host 192.168.1.12 auth-port 1645 acct-port 1646 key xxxxxx
radius-server retransmit 2
###############

Here is the entry from the radius users file for the user whose
authentication is failing:

######
user1      Auth-Type := Local, User-Password == "jijyocspok"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 192.168.2.22,
        Framed-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobsen-TCP-IP
######

Here are the radius log entries for when the login fails from the Cisco and
passes from the L2TPNS server:

####
Thu Feb 16 23:30:41 2006 : Auth: Login incorrect: [user1/jijyocspok] (from client l2tp port 3)
Fri Feb 17 08:22:43 2006 : Auth: Login OK: [user1/<CHAP-Password>] (from client l2tp port 3)
######

I was wondering if anyone had seen a problem like this before and found a
solution.

Is the Cisco at fault, does it have a bug in it?

Should I just move to PAP authentication, and if so how do I do that? But
don't Windows PCs send CHAP? Would it still work?

Any help would be appreciated.

Thanks

Tony
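The two log lines quoted in the post show how FreeRADIUS 1.x reveals which PPP authentication method the NAS used: a PAP request is logged with the password in the clear inside the "Login incorrect" line, while a CHAP request shows the "<CHAP-Password>" placeholder. The script below is an added example, not code from the original post or from the FreeRADIUS project. It parses that log format (assumed from the quoted lines), classifies each line by method, and redacts cleartext PAP passwords so the lines can be kept or forwarded without leaking user credentials. The sample lines, the password "s3cretpw" and the "Info:" line are constructed.

```python
"""Classify FreeRADIUS 1.x "Auth:" log lines by the PPP authentication method
the NAS used, and redact cleartext PAP passwords before the lines leave the box.

Added example for this thread; not code from FreeRADIUS or from the poster.
Assumed log format (taken from the lines quoted in the post):
  <timestamp> : Auth: Login OK|incorrect: [<user>/<password or placeholder>] (from client <name> port <n>)
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]+)/(?P<secret>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)\)$"
)

# Placeholders printed instead of a password when the request carried a
# challenge/response attribute rather than a cleartext User-Password.
# <CHAP-Password> is the one seen in the post; <MS-CHAP-Password> is assumed.
PLACEHOLDER_METHODS = {
    "<CHAP-Password>": "CHAP",
    "<MS-CHAP-Password>": "MS-CHAP",
}


@dataclass
class AuthEvent:
    timestamp: str
    user: str
    success: bool
    method: str             # "PAP", "CHAP", "MS-CHAP" or "unknown"
    client: str
    port: int
    password_exposed: bool  # True when the line contains a cleartext password


def classify_method(secret: str) -> str:
    """Map the bracketed secret field to an authentication method."""
    if secret in PLACEHOLDER_METHODS:
        return PLACEHOLDER_METHODS[secret]
    if secret.startswith("<") and secret.endswith(">"):
        return "unknown"    # some other placeholder we do not recognise
    return "PAP"            # a literal value here is the cleartext User-Password


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Parse one 'Auth: Login ...' line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method = classify_method(m["secret"])
    return AuthEvent(
        timestamp=m["ts"],
        user=m["user"],
        success=(m["result"] == "OK"),
        method=method,
        client=m["client"],
        port=int(m["port"]),
        password_exposed=(method == "PAP"),
    )


def redact(line: str) -> str:
    """Replace a cleartext PAP password with a marker; leave other lines intact."""
    ev = parse_auth_line(line)
    if ev is None or not ev.password_exposed:
        return line
    return re.sub(r"\[([^/\]]+)/[^\]]*\]", r"[\1/<PAP-Password-REDACTED>]", line, count=1)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count events per method and list users whose password was logged in clear."""
    by_method: Dict[str, int] = {}
    exposed: List[str] = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        by_method[ev.method] = by_method.get(ev.method, 0) + 1
        if ev.password_exposed and ev.user not in exposed:
            exposed.append(ev.user)
    return {"by_method": by_method, "exposed_users": exposed}


# Constructed sample in the same shape as the two lines quoted in the post
# (the password, the third line and the timestamps are made up).
SAMPLE_LOG = [
    "Thu Feb 16 23:30:41 2006 : Auth: Login incorrect: [user1/s3cretpw] (from client l2tp port 3)",
    "Fri Feb 17 08:22:43 2006 : Auth: Login OK: [user1/<CHAP-Password>] (from client l2tp port 3)",
    "Fri Feb 17 08:23:10 2006 : Info: Ready to process requests.",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        ev = parse_auth_line(raw)
        if ev:
            state = "OK" if ev.success else "FAIL"
            print(f"{ev.user:8} {ev.method:8} {state:4} -> {redact(raw)}")
    print(summarize(SAMPLE_LOG))
```

Run over the real radius.log, the summary shows at a glance whether a given NAS is sending PAP or CHAP, which is the question the post is asking, and the redacted lines are what should go to any central log store.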
