cisco pptp+mppe problems on ios 12.3T and later

jakobp freeradius at
Mon Feb 20 18:09:25 CET 2006


maybe one of the cisco users here on the list can help me.

I want to run dialin vpdn on a cisco 1712, using pptp tunnels with mppe 
encryption and authenticate against freeradius 1.1.0

The strange thing is, my setup used to work just fine, until i tried to 
upgrade IOS from 12.2 to 12.3T or 12.4. in both trains (> 12.2) mppe 
suddenly fails to work. a normal, unencrypted pptp works.

"debug" shows that cisco gets a radius reply with ms-chap mppe attributes, 
but seems to miss/misunderstand something. "debug mppe" says:
MPPE: keying material missing from radius

the relevant parts of my cisco config:

aaa authentication login vpnauth group radius
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
aaa authorization network vpnauth group radius

vpdn enable
vpdn multihop
vpdn source-ip
vpdn logging
vpdn logging user
vpdn logging tunnel-drop
vpdn session-limit 10
vpdn search-order multihop-hostname

vpdn-group pptp
! Default PPTP VPDN group
   protocol pptp
   virtual-template 1
  lcp renegotiation on-mismatch

interface Virtual-Template1
  ip unnumbered FastEthernet0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  peer default ip address pool vpnpool
  compress mppc
  ppp encrypt mppe auto
  ppp authentication ms-chap ms-chap-v2
  ppp eap refuse callin

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxx
radius-server authorization default Framed-Protocol ppp
radius-server vsa send accounting
radius-server vsa send authentication

... and from radiusd.conf:
         mschap {
                 authtype = MS-CHAP
                 use_mppe = yes
                 require_encryption = no
                 require_strong = no

i already tried to find information or to change some of the config 
settings, but no luck :(

thanks in advance,

More information about the Freeradius-Users mailing list