Cisco PPTP Authentication Failing (RA VPN)

Experts,

I've been fighting this all weekend, and cannot seem to get it to work for the life of me.  I'm unable to establish a VPN connection via the default Windows client to my Cisco Router (2621XM, IOS 12.4).

I have followed many different guides, all of which have nearly 100% identical configs, but the one that most closely resembles my current config is:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml

and

http://www.parkansky.com/tutorials/pptp.htm

I am using a Win2k8 Radius server, but I also need to point out that when I set "aaa authentication ppp default local" and take out the radius form of auth, I'm still stuck in the same problem.

On debugging the Radius authentication, it's informing me that the authentication failed, no matter what username I use.

Any ideas on what I can throw into the mix here to get this working?
usslindstromAsked:
MrJemsonCommented:
I recall a few pitfalls with the 2008 server configuration for setting up radius auth with a Cisco.
Have attached a guide I was given that helped me out when I had to set this up.
Microsoft-NAP-authentication-fro.docx
OzNetNerdCommented:
Can you please give us a copy of your running config?
usslindstromAuthor Commented:
Sorry for the late response.  Had to scrub the config.  Here she is as it stands now (posted in the code block below).

Here's the authentication error debug I'm getting:

*Mar 30 21:24:45.358: ppp17 PPP: Using vpn set call direction
*Mar 30 21:24:45.358: ppp17 PPP: Treating connection as a callin
*Mar 30 21:24:45.358: ppp17 PPP: Session handle[EB000015] Session id[17]
*Mar 30 21:24:45.394: ppp17 PPP: Authorization NOT required
*Mar 30 21:24:45.454: ppp17 CHAP: O CHALLENGE id 1 len 31 from "*****"
*Mar 30 21:24:45.482: ppp17 CHAP: I RESPONSE id 1 len 46 from "*****"
*Mar 30 21:24:45.486: ppp17 PPP: Sent CHAP LOGIN Request
*Mar 30 21:24:45.490: ppp17 PPP: Received LOGIN Response FAIL
*Mar 30 21:24:45.490: ppp17 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
Thank you very much for taking time to assist me.  I really appreciate it.
Current configuration : 5733 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
enable secret *****
!
aaa new-model
!
!
aaa group server radius *****_DC
 server ***** auth-port 1645 acct-port 1646
 server ***** auth-port 1645 acct-port 1646
!
aaa group server radius *****_DC
 server ***** auth-port 1645 acct-port 1646
 server ***** auth-port 1645 acct-port 1646
!
aaa group server radius *****_DC
 server ***** auth-port 1645 acct-port 1646
 server ***** auth-port 1645 acct-port 1646
!
aaa authentication login *****_Access group *****_DC local
aaa authentication ppp default group *****_DC local
!
!
aaa session-id common
ip cef
!
!
!
!
ip domain name *****.com
ip name-server *****
ip name-server *****
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group *****_PPTP
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username ***** privilege 15 secret *****
username ***** privilege 15 secret *****
archive
 log config
  hidekeys
!
!
!
!
!
!
!
class-map match-any P2P
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
 match protocol bittorrent
!
!
policy-map Drop_P2P
 class P2P
   drop
!
!
!
!
!
interface FastEthernet0/0
 description *****
 ip address 10.0.0.1 255.255.254.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip ospf message-digest-key 1 md5 *****
 speed 100
 full-duplex
 service-policy input Drop_P2P
!
interface FastEthernet0/1
 description *****
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 no ip mroute-cache
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered Dialer1
 peer default ip address pool *****_PPTP
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
interface Dialer1
 description *****
 mtu 1424
 bandwidth 102400
 ip address negotiated
 no ip unreachables
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1396
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *****
 ppp chap password *****
 ppp pap sent-username ***** password *****
 ppp ipcp route default
!
router ospf 1
 router-id 10.0.0.1
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute rip
 network 10.0.0.0 0.0.1.255 area 0
 default-information originate
!
ip local pool *****_PPTP 10.0.0.51 10.0.0.59
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip dns server
ip nat inside source list *****_NAT interface Dialer1 overload
ip nat inside source static tcp ***** 80 interface Dialer1 80
ip nat inside source static tcp ***** 443 interface Dialer1 443
ip nat inside source static tcp ***** 25 interface Dialer1 25
ip nat inside source static tcp ***** 110 interface Dialer1 110
ip nat inside source static udp ***** 20 interface Dialer1 20
ip nat inside source static tcp ***** 20 interface Dialer1 20
ip nat inside source static tcp ***** 21 interface Dialer1 21
ip nat inside source static udp ***** 21 interface Dialer1 21
ip nat inside source static tcp ***** 3389 interface Dialer1 3389
ip nat inside source static udp ***** 3389 interface Dialer1 3389
!
ip access-list extended *****_NAT
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
!
snmp-server community public RO
!
!
!
!
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
radius-server host ***** auth-port 1645 acct-port 1646 key *****
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************

  Access to this system is for the use of authorized
  personel only.

  You are hereby advised that all actions performed are
  subject to monitoring and are being recorded.  In the
  event of any possible criminal activity, evidence will
  be turned over to proper Law Enforcement personnel,
  and offenders will be prosecuted!

  You have accessed:  $(hostname).$(domain)

*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************
^C
!
line con 0
 privilege level 15
 logging synchronous
 login authentication *****_Access
line aux 0
 logging synchronous
 login authentication *****_Access
line vty 0 4
 logging synchronous
 login authentication *****_Access
line vty 5 181
 logging synchronous
 login authentication *****_Access
!
!
end

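As an added example (not code from the thread or from Cisco), here is a small Python check a defender can run against the debug output and running config above: it locates the step of the CHAP exchange at which the session died and lints the config for settings that break or weaken CHAP-family authentication. Two of the findings are facts worth knowing here: `username ... secret` stores a one-way hash that CHAP, MS-CHAP and MS-CHAPv2 cannot be verified against, and a `group X local` method list only falls through to `local` when the RADIUS servers do not answer, not when they return a reject. The sample lines and the names Master_DC and admin are constructed from this thread.

```python
# Constructed sample input: CHAP debug lines and config fragments modelled on the thread.
DEBUG_LINES = """\
*Mar 30 21:24:45.454: ppp17 CHAP: O CHALLENGE id 1 len 31 from "router"
*Mar 30 21:24:45.482: ppp17 CHAP: I RESPONSE id 1 len 46 from "client"
*Mar 30 21:24:45.486: ppp17 PPP: Sent CHAP LOGIN Request
*Mar 30 21:24:45.490: ppp17 PPP: Received LOGIN Response FAIL
*Mar 30 21:24:45.490: ppp17 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
"""

CONFIG = """\
aaa authentication ppp default group Master_DC local
username admin privilege 15 secret 5 $1$abcd$0123456789abcdef
interface Virtual-Template1
 ppp authentication pap chap ms-chap
"""

def classify_ppp_failure(debug_text):
    """Return the step of the CHAP exchange at which the session died."""
    if "CHAP: O CHALLENGE" not in debug_text:
        return "no-challenge"          # LCP never got as far as CHAP
    if "CHAP: I RESPONSE" not in debug_text:
        return "no-client-response"    # the client never answered the challenge
    if "Received LOGIN Response FAIL" in debug_text:
        return "aaa-reject"            # AAA answered and rejected the credentials
    if "Received LOGIN Response PASS" in debug_text:
        return "pass"
    return "no-aaa-response"           # request sent, nothing came back from AAA

def lint_chap_config(config_text):
    """Flag config lines that make CHAP-family authentication fail or weaken it."""
    findings = []
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "username" and "secret" in tokens:
            # 'secret' is a one-way hash; CHAP/MS-CHAP need the reversible password,
            # so the 'local' method can never verify this user. Use 'username NAME password'.
            findings.append(("local-secret-unusable-for-chap", tokens[1]))
        if tokens[:2] == ["ppp", "authentication"] and "pap" in tokens:
            # PAP sends the password in the clear; the client may negotiate it before CHAP.
            findings.append(("pap-offered", line.strip()))
        if tokens[:3] == ["aaa", "authentication", "ppp"] and "group" in tokens and tokens[-1] == "local":
            # 'local' is consulted only when every server in the group is unreachable;
            # an Access-Reject from RADIUS ends the attempt without trying 'local'.
            findings.append(("local-fallback-only-on-timeout", tokens[3]))
    return findings

if __name__ == "__main__":
    print(classify_ppp_failure(DEBUG_LINES))
    for code, detail in lint_chap_config(CONFIG):
        print(code, detail)
```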
usslindstromAuthor Commented:
Oh, and a side note: Mr. Jemson, thanks for the suggestion.  I do have NPS correctly configured to supply radius to the router for login authentication though.

There might be a problem with how it's set up for authenticating the PPTP - but I'm seeing the same debugs when I set authentication to local on the router.
MrJemsonCommented:
I did have a similar issue. Logon to the router itself but not PPTP.
Have a look at the Framed Protocols on the 2008 box. That was my issue, might be worth looking at anyway. Not sure why you couldn't auth locally though.
usslindstromAuthor Commented:
No prob.  Thanks for the suggestion Jemson, will look into it to be on the safe side once I finish my prison sentence at work today.  :)
usslindstromAuthor Commented:
Unfortunately, still no go.  I went step-by-step on the configuration guide you gave me (Thank you very much btw) - and double-checked that there weren't any framed protocol references.

One item of difference in my setup vs yours was that in mine, I just did an all-encompassing "Cisco" vendor in the connection request policies.  Yours was different in that you separated each individual radius client to their own connection policy.

I went ahead and copied your config, where I separated everything into their own.  But like I mentioned above - it's still a no go.  I can authenticate to the devices 100% on login, but cannot (using the exact same username/password) authenticate PPTP VPNs.

Side note, I made a couple of changes to my running-config (posted in the code block below):

Any more troubleshooting I can throw into the mix would be very appreciated.  I'm at wits' end.
aaa authentication ppp *****_PPTP group Master_DC local
aaa authorization network *****_NetAuth if-authenticated
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool *****_PPTP
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 *****_PPTP

MrJemsonCommented:
What are you using to auth against the router?
A Windows box? Can this box connect to any other PPTP server?
usslindstromAuthor Commented:
Yes on the Windows box - it's a netbook with Win7 installed...

As far as other PPTP servers, I'm not sure at this point.  Gimme a few, and I'll stand up a RRAS server on one of the 2k8 boxes to check.
usslindstromAuthor Commented:
Thank you very much for the information Mr.Jemson.  I really appreciate it.

Unfortunately - I'm stuck at this point with the Cisco router...  I went ahead and just forwarded PPTP requests to one of my windows boxes, for remote access.  I'm going to resolve this question and award you the points.

Thanks for the assistance.