Monday, October 18, 2010

CiscoSecure ACS for Windows Router PPTP Authentication

If you need to migrate your PPTP users from an IOS device/PIX to a Cisco ACS, this is a good starting point:

Configuring CiscoSecure ACS for Windows Router PPTP Authentication

I was having an odd issue with this configuration: everything seemed fine, but on my Windows 7 test client I got Error 742: "The remote server does not support encryption" every time I tried to connect. The ACS 4.2 showed the authentication as successful and nothing else, and the debug on the router showed pretty much the same thing, with the exception of:

"Vi1 MPPE: RADIUS keying material missing"

After 2 weeks with TAC, we came to the conclusion that the issue was caused by the fact that, starting with Vista, MS-CHAP v1 is deprecated, so in order for MS-CHAP v2 to work we needed to enable the extra MPPE attributes:

[311\016] MS-MPPE-Send-Key
[311\017] MS-MPPE-Recv-Key

In the new Cisco ACS 5.x family, enabling these particular attributes does not seem to be necessary, since "These are added to the profile as required".
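To confirm whether a RADIUS server is actually returning the keying material, the following Python walks an Access-Accept and reports which of the two Microsoft VSAs listed above are absent. It is an added example, not code from the original post or from Cisco; the function names are this example's own and the packets come from a constructed sample builder with placeholder key bytes.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries VSAs
MICROSOFT = 311        # vendor id, the "311" in the post's [311\016]
MPPE_KEYS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}


def microsoft_vsas(packet):
    """Return (code, [vendor_type, ...]) for the Microsoft VSAs in a packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += len(value) + 2
        if atype != VENDOR_SPECIFIC or value[:4] != struct.pack("!I", MICROSOFT):
            continue
        sub = 4
        while sub + 2 <= len(value):   # sub-attributes: type, length, data
            vtype, vlen = value[sub], value[sub + 1]
            if vlen < 2 or sub + vlen > len(value):
                raise ValueError("malformed Microsoft VSA")
            found.append(vtype)
            sub += vlen
    return code, found


def missing_mppe_keys(packet):
    """Names of the MPPE key attributes absent from an Access-Accept."""
    code, found = microsoft_vsas(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    return [name for vt, name in sorted(MPPE_KEYS.items()) if vt not in found]


def sample_accept(vendor_types):
    """Constructed Access-Accept holding one dummy Microsoft VSA per type."""
    attrs = b""
    for vt in vendor_types:
        vsa = struct.pack("!IBB", MICROSOFT, vt, 36) + bytes(34)  # placeholder, not a real key
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":   # accept with only MS-CHAP2-Success (type 26)
    print(missing_mppe_keys(sample_accept([26])))
```

An Access-Accept that carries only MS-CHAP2-Success (vendor type 26) reproduces the symptom in the post: authentication succeeds, but both key attributes are reported missing.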
