[cisco-nas] l2tp PPP auth issue
jlewis at lewis.org
Fri Apr 2 09:14:23 EST 2004
I had lcp renegotiation on-mismatch under the vpdn groups. I'll try
setting it to always.
On Fri, 2 Apr 2004, Tassos Chatzithomaoglou wrote:
> have you tried "lcp renog always" under the vpdn group?
>
> jlewis at lewis.org wrote:
>
> > We're having some difficulty with certain DSL routers authenticating
> > through what the telco calls "broadband gateway" or BBG. In this setup,
> > customers connect to us as l2tp sessions from the telco's Shastas. Our
> > preferred auth type is PAP, but as you can see in the following debug, the
> > customer negotiates PAP, but then sends CHAP which appears to be ignored.
> > Seeing this, I removed "ppp chap refuse" from the virtual-template, and
> > changed "ppp auth pap" to "ppp auth pap chap". That doesn't seem to have
> > made a difference. This debug was collected after making the
> > virtual-template changes.
> >
> > Apr 1 14:48:51: Vi9 Debug: Condition 1, username anonymized at atlantic.net triggered, count 1
> > Apr 1 14:48:51: Vi9 PPP: Phase is DOWN, Setup [0 sess, 1 load]
> > Apr 1 14:48:51: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to up
> > Apr 1 14:48:51: Vi9 PPP: Using set call direction
> > Apr 1 14:48:51: Vi9 PPP: Treating connection as a callin
> > Apr 1 14:48:51: Vi9 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 1 load]
> > Apr 1 14:48:51: Vi9 LCP: State is Listen
> > Apr 1 14:48:51: Vi9 LCP: I FORCED CONFREQ len 15
> > Apr 1 14:48:51: Vi9 LCP: MagicNumber 0x0ED6A721 (0x05060ED6A721)
> > Apr 1 14:48:51: Vi9 LCP: MRU 1500 (0x010405DC)
> > Apr 1 14:48:51: Vi9 LCP: AuthProto CHAP (0x0305C22305)
> > Apr 1 14:48:51: Vi9 LCP: O CONFREQ [Listen] id 1 len 14
> > Apr 1 14:48:51: Vi9 LCP: AuthProto PAP (0x0304C023)
> > Apr 1 14:48:51: Vi9 LCP: MagicNumber 0x0DD8F091 (0x05060DD8F091)
> > Apr 1 14:48:51: Vi9 PPP: I pkt type 0xC021, datagramsize 12
> > Apr 1 14:48:51: Vi9 LCP: I CONFREQ [REQsent] id 96 len 8
> > Apr 1 14:48:51: Vi9 LCP: MRU 1500 (0x010405DC)
> > Apr 1 14:48:51: Vi9 LCP: O CONFACK [REQsent] id 96 len 8
> > Apr 1 14:48:51: Vi9 LCP: MRU 1500 (0x010405DC)
> > Apr 1 14:48:51: Vi9 PPP: I pkt type 0xC021, datagramsize 18
> > Apr 1 14:48:51: Vi9 LCP: I CONFACK [ACKsent] id 1 len 14
> > Apr 1 14:48:51: Vi9 LCP: AuthProto PAP (0x0304C023)
> > Apr 1 14:48:51: Vi9 LCP: MagicNumber 0x0DD8F091 (0x05060DD8F091)
> > Apr 1 14:48:51: Vi9 LCP: State is Open
> > Apr 1 14:48:51: Vi9 PPP: Phase is AUTHENTICATING, by this end [0 sess, 1 load]
> > Apr 1 14:48:54: Vi9 PPP: I pkt type 0xC223, datagramsize 55
> > Apr 1 14:48:54: Vi9 CHAP: I RESPONSE id 141 len 51 from "anonymized at atlantic.net"
> > Apr 1 14:48:54: Vi9 CHAP: Response ignored, expected id 0, got id 141
> > Apr 1 14:48:57: Vi9 PPP: I pkt type 0xC223, datagramsize 55
> > Apr 1 14:48:57: Vi9 CHAP: I RESPONSE id 141 len 51 from "anonymized at atlantic.net"
> > Apr 1 14:48:57: Vi9 CHAP: Response ignored, expected id 0, got id 141
> > Apr 1 14:49:00: Vi9 PPP: I pkt type 0xC223, datagramsize 55
> > Apr 1 14:49:00: Vi9 CHAP: I RESPONSE id 141 len 51 from "anonymized at atlantic.net"
> > Apr 1 14:49:00: Vi9 CHAP: Response ignored, expected id 0, got id 141
> > Apr 1 14:49:03: Vi9 PPP: I pkt type 0xC021, datagramsize 8
> > Apr 1 14:49:03: Vi9 LCP: I TERMREQ [Open] id 208 len 4
> > Apr 1 14:49:03: Vi9 LCP: O TERMACK [Open] id 208 len 4
> > Apr 1 14:49:03: Vi9 PPP: I pkt type 0xC021, datagramsize 12
> > Apr 1 14:49:03: Vi9 LCP: I CONFREQ [TERMsent] id 134 len 8
> > Apr 1 14:49:03: Vi9 LCP: MRU 1500 (0x010405DC)
> > Apr 1 14:49:03: Vi9 LCP: Dropping packet, state is TERMsent
> > Apr 1 14:49:05: Vi9 LCP: TIMEout: State TERMsent
> > Apr 1 14:49:05: Vi9 LCP: State is Closed
> > Apr 1 14:49:05: Vi9 Debug: Condition 1, username anonymized at atlantic.net cleared, count 0
> > Apr 1 14:49:05: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to down
> >
> > If I change "ppp auth pap chap" to "ppp auth chap pap", this customer is
> > able to connect, but I suspect others will have difficulty.
> >
> > Apr 1 14:52:40: Vi36 Debug: Condition 1, username anonymized at atlantic.net triggered, count 1
> > Apr 1 14:52:40: Vi36 PPP: Phase is DOWN, Setup [0 sess, 1 load]
> > Apr 1 14:52:41: %LINK-3-UPDOWN: Interface Virtual-Access36, changed state to up
> > Apr 1 14:52:41: Vi36 PPP: Using set call direction
> > Apr 1 14:52:41: Vi36 PPP: Treating connection as a callin
> > Apr 1 14:52:41: Vi36 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 1 load]
> > Apr 1 14:52:41: Vi36 LCP: State is Listen
> > Apr 1 14:52:41: Vi36 LCP: I FORCED CONFREQ len 15
> > Apr 1 14:52:41: Vi36 LCP: MagicNumber 0x7E24FADB (0x05067E24FADB)
> > Apr 1 14:52:41: Vi36 LCP: MRU 1500 (0x010405DC)
> > Apr 1 14:52:41: Vi36 LCP: AuthProto CHAP (0x0305C22305)
> > Apr 1 14:52:41: Vi36 PPP: Phase is AUTHENTICATING, by this end [0 sess, 1 load]
> > Apr 1 14:52:41: Vi36 CHAP: O CHALLENGE id 1 len 34 from "gsvlflma-br-1"
> > Apr 1 14:52:41: Vi36 PPP: I pkt type 0xC223, datagramsize 55
> > Apr 1 14:52:41: Vi36 CHAP: I RESPONSE id 156 len 51 from "anonymized at atlantic.net"
> > Apr 1 14:52:41: Vi36 CHAP: O SUCCESS id 156 len 4
> > Apr 1 14:52:41: Vi36 PPP: Phase is UP [0 sess, 1 load]
> > Apr 1 14:52:41: Vi36 IPCP: O CONFREQ [Closed] id 1 len 10
> > Apr 1 14:52:41: Vi36 IPCP: Address 209.208.6.225 (0x0306D1D006E1)
> > Apr 1 14:52:41: Vi36 PPP: I pkt type 0x8021, datagramsize 26
> > Apr 1 14:52:41: Vi36 IPCP: I CONFREQ [REQsent] id 235 len 22
> > Apr 1 14:52:41: Vi36 IPCP: Address 0.0.0.0 (0x030600000000)
> > Apr 1 14:52:41: Vi36 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
> > Apr 1 14:52:41: Vi36 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
> > Apr 1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
> > Apr 1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 209.208.X.Y
> > Apr 1 14:52:41: Vi36 IPCP: O CONFNAK [REQsent] id 235 len 22
> > Apr 1 14:52:41: Vi36 IPCP: Address 209.208.X.Y (0x0306D1D02255)
> > Apr 1 14:52:41: Vi36 IPCP: PrimaryDNS 209.208.0.2 (0x8106D1D00002)
> > Apr 1 14:52:41: Vi36 IPCP: SecondaryDNS 209.208.0.3 (0x8306D1D00003)
> > Apr 1 14:52:41: Vi36 PPP: I pkt type 0x8021, datagramsize 14
> > Apr 1 14:52:41: Vi36 IPCP: I CONFACK [REQsent] id 1 len 10
> > Apr 1 14:52:41: Vi36 IPCP: Address 209.208.6.225 (0x0306D1D006E1)
> > Apr 1 14:52:41: Vi36 PPP: I pkt type 0x8021, datagramsize 26
> > Apr 1 14:52:41: Vi36 IPCP: I CONFREQ [ACKrcvd] id 188 len 22
> > Apr 1 14:52:41: Vi36 IPCP: Address 209.208.X.Y (0x0306D1D02255)
> > Apr 1 14:52:41: Vi36 IPCP: PrimaryDNS 209.208.0.2 (0x8106D1D00002)
> > Apr 1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Start. Her address 209.208.X.Y, we want 209.208.X.Y
> > Apr 1 14:52:41: Vi36 AAA/AUTHOR/IPCP: Done. Her address 209.208.X.Y, we want 209.208.X.Y
> > Apr 1 14:52:41: Vi36 IPCP: O CONFACK [ACKrcvd] id 188 len 22
> > Apr 1 14:52:41: Vi36 IPCP: Address 209.208.X.Y (0x0306D1D02255)
> > Apr 1 14:52:41: Vi36 IPCP: PrimaryDNS 209.208.0.2 (0x8106D1D00002)
> > Apr 1 14:52:41: Vi36 IPCP: SecondaryDNS 209.208.0.3 (0x8306D1D00003)
> > Apr 1 14:52:41: Vi36 IPCP: State is Open
> > Apr 1 14:52:41: Vi36 IPCP: Install route to 209.208.X.Y
> >
> > Anyone know why this is happening? The routers that we're having this
> > problem with are an older version of iBlitz DSL router. The latest
> > version (which apparently uses a different chipset) doesn't seem to have
> > this problem.
> >
> > ----------------------------------------------------------------------
> > Jon Lewis *jlewis at lewis.org*| I route
> > Senior Network Engineer | therefore you are
> > Atlantic Net |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> > _______________________________________________
> > cisco-nas mailing list
> > cisco-nas at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nas
> >
>
> --
> ***************************************
> Chatzithomaoglou Anastasios
> Network Design & Development Department
> FORTHnet S.A.
> <achatz at forthnet.gr>
> ***************************************
>
----------------------------------------------------------------------
Jon Lewis *jlewis at lewis.org*| I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
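
The mismatch visible in the first quoted capture (LCP settles on PAP, then the peer sends packets of type 0xC223, CHAP) can be detected mechanically from `debug ppp negotiation` output. The following is an added example, not part of the original posts; the function names are hypothetical and `SAMPLE` is a constructed subset of the capture quoted above.

```python
import re

AUTH_PROTOS = {0xC023: "PAP", 0xC223: "CHAP"}  # PPP protocol numbers

# Constructed sample: a subset of the first debug capture quoted above.
SAMPLE = """\
Apr 1 14:48:51: Vi9 LCP: I FORCED CONFREQ len 15
Apr 1 14:48:51: Vi9 LCP: AuthProto CHAP (0x0305C22305)
Apr 1 14:48:51: Vi9 LCP: O CONFREQ [Listen] id 1 len 14
Apr 1 14:48:51: Vi9 LCP: AuthProto PAP (0x0304C023)
Apr 1 14:48:51: Vi9 LCP: I CONFACK [ACKsent] id 1 len 14
Apr 1 14:48:51: Vi9 LCP: AuthProto PAP (0x0304C023)
Apr 1 14:48:51: Vi9 LCP: State is Open
Apr 1 14:48:54: Vi9 PPP: I pkt type 0xC223, datagramsize 55
Apr 1 14:48:54: Vi9 CHAP: Response ignored, expected id 0, got id 141
"""

def decode_auth_option(hex_str):
    """Decode an LCP Authentication-Protocol option (type 3) hex dump."""
    raw = bytes.fromhex(re.sub(r"^0x", "", hex_str))
    if len(raw) < 4 or raw[0] != 3 or raw[1] != len(raw):
        raise ValueError("not a well-formed LCP option 3")
    proto = int.from_bytes(raw[2:4], "big")
    # Trailing data is the CHAP algorithm byte (05 = MD5); empty for PAP.
    return AUTH_PROTOS.get(proto, hex(proto)), raw[4:].hex()

def find_auth_mismatches(log_text):
    """Return (interface, negotiated, received) for each inbound auth packet
    whose protocol differs from the one the peer CONFACKed to this end."""
    negotiated, last_pkt, findings = {}, {}, []
    for line in log_text.splitlines():
        m = re.search(r"(Vi\d+) (\w+): (.*)$", line)
        if not m:
            continue
        intf, facility, msg = m.groups()
        pkt = re.match(r"([IO]) (?:FORCED )?(CONF\w+)", msg)
        opt = re.match(r"AuthProto \w+ \((0x[0-9A-Fa-f]+)\)", msg)
        rx = re.match(r"I pkt type (0x[0-9A-Fa-f]+)", msg)
        if facility == "LCP" and pkt:
            last_pkt[intf] = pkt.groups()  # e.g. ("I", "CONFACK")
        elif facility == "LCP" and opt and last_pkt.get(intf) == ("I", "CONFACK"):
            negotiated[intf] = decode_auth_option(opt.group(1))[0]
        elif facility == "PPP" and rx:
            got = AUTH_PROTOS.get(int(rx.group(1), 16))
            if got and intf in negotiated and got != negotiated[intf]:
                findings.append((intf, negotiated[intf], got))
    return findings

if __name__ == "__main__":
    for intf, want, got in find_auth_mismatches(SAMPLE):
        print(f"{intf}: LCP settled on {want}, peer is sending {got}")
```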