Freeradius - Cisco L2TP Tunnel - Authentication problem.
Tony Spencer
tony at games-master.co.uk
Fri Feb 17 10:08:26 CET 2006
Hi
I have an issue with authentication using Freeradius (freeradius-1.0.1-3)
We were running L2TPNS on a Linux box and authenticating fine using CHAP to
the Freeradius server.
However because of increased volume of users (DSL and Dial) we need to move
to a Cisco 7200 so it could terminate the tunnel.
The tunnel terminates fine but authentication is failing because the Cisco
is sending PAP authentication and we use CHAP, in fact I would know how to
move to PAP anyway.
No matter what we put into the Cisco config it still uses PAP, even telling
it to refuse PAP.
The Cisco is running IOS 12.2.(6) and here are the relevant lines of config
for the tunnel and authentication:
########################
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius if-authenticated
aaa accounting network default start-stop group radius
multilink virtual-template 1
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname tunnel
 local name gw1
 l2tp tunnel password 7 xxxxxxxxxx
 source-ip 10.0.0.1
!
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 ip mroute-cache
 no logging event link-status
 no keepalive
 timeout absolute 4320 0
 no peer default ip address
 ppp authentication chap callin
 ppp multilink
!
ip local pool IP-POOL 192.168.0.1 192.168.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.254
no ip http server
ip pim bidir-enable
!
radius-server host 192.168.1.12 auth-port 1645 acct-port 1646 key xxxxxx
radius-server retransmit 2
###############
Here is a line from the radius users file that authentication is failing
for:
######
user1	Auth-Type := Local, User-Password == "jijyocspok"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Address = 192.168.2.22,
	Framed-Netmask = 255.255.255.255,
	Framed-Compression = Van-Jacobsen-TCP-IP
######
Here are the radius log entries for when the login fails from the Cisco and
passes from the L2TPNS server:
####
Thu Feb 16 23:30:41 2006 : Auth: Login incorrect: [user1/jijyocspok] (from client l2tp port 3)
Fri Feb 17 08:22:43 2006 : Auth: Login OK: [user1/<CHAP-Password>] (from client l2tp port 3)
######
I was wondering if anyone had seen a problem like this before and found a
solution.
Is the Cisco at fault, does it have a bug in it?
Should I just move to PAP authentication, and if so, how do I do that? But
don't Windows PCs send CHAP? Would it still work?
Any help would be appreciated.
Thanks
Tony
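The two methods in this thread, PAP (a User-Password attribute hidden with the shared secret) and CHAP (a CHAP-Password response to a challenge), checked against one stored cleartext password the way a RADIUS server does it. This is an added example, not code from the original post or from FreeRADIUS; the shared secret, Request Authenticator and challenge values in the usage are constructed.

```python
import hashlib
import hmac


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))  # ciphertext block feeds next mask
        out += prev
    return out


def pap_decrypt(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: the server needs the same secret and the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 5.3: CHAP-Password value = ID || MD5(ID || password || challenge)."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def authenticate(request: dict, stored_password: bytes, secret: bytes) -> str:
    """With a cleartext password on file the server can verify whichever method the NAS sent."""
    if "CHAP-Password" in request:
        # If no CHAP-Challenge attribute is present, the Request Authenticator is the challenge.
        challenge = request.get("CHAP-Challenge", request["Authenticator"])
        expected = chap_response(request["CHAP-Password"][0], stored_password, challenge)
        ok = hmac.compare_digest(expected, request["CHAP-Password"])
        return "CHAP OK" if ok else "CHAP FAIL"
    if "User-Password" in request:
        got = pap_decrypt(request["User-Password"], secret, request["Authenticator"])
        ok = hmac.compare_digest(got, stored_password)
        return "PAP OK" if ok else "PAP FAIL"
    return "no password attribute"


if __name__ == "__main__":
    # Constructed values: shared secret, 16-byte Request Authenticator, CHAP challenge.
    secret, ra, chal = b"example-secret", bytes(range(16)), b"\x11" * 16
    print(authenticate({"Authenticator": ra, "User-Password": pap_encrypt(b"jijyocspok", secret, ra)}, b"jijyocspok", secret))
    print(authenticate({"Authenticator": ra, "CHAP-Challenge": chal, "CHAP-Password": chap_response(7, b"jijyocspok", chal)}, b"jijyocspok", secret))
```

The users-file password is stored in the clear for exactly this reason: a CHAP response can only be recomputed from the plaintext, whereas PAP only needs the decrypted attribute to match.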