A customer has a Watchguard Firebox firewall and a Cisco ACS, all the users for Cisco related activities are on the ACS and the customer wants to migrate all the PPTP VPN users from the firewall to the Cisco ACS.
Both the ACS and Firebox support RADIUS, so it sounds quite easy.
I did the initial configuration; creating the AAA client in the ACS, changing the VPN configuration on the watchguard so it asks the ACS for the users, creating a test user and a test group with the following RADIUS parameters:
[011] Filter-Id PPTP-Users
[311\007] MS-MPPE-Encryption-Policy "Encryption Required"
[311\008] MS-MPPE-Encryption-Types "128-bit"
[311\012] MS-CHAP-MPPE-Keys
[311\016] MS-MPPE-Send-Key
[311\017] MS-MPPE-Recv-Key
Testing with a Windows 7 Enterprise client, I got the error:
Error 734: The PPP link control protocol was terminated.
The logs on the firewall showed:
level=''3'' msg=''pri=''3'' msg_id=''1401-3003'' msg=''pptp MSCHAPv2 authentication ok for peer wg''''
level=''7'' msg=''sent [CHAP Success id=0x32 ''S=5F85A740C65AD93F308ED6681B455486FC2EF4F5 M=Access granted'']'' new_msg='' level=''7'' msg=''sent [CHAP Success id=0x32 ''S=5F85A740C65AD93F308ED6681B455486FC2EF4F5 M=Access granted'']'''' Debug
pppd[1255] MPPE required, but keys are not available. Possible plugin problem?
pppd MPPE required but not available'''
Basically the issue seemed to be MPPE related, since the configuration requires encryption, no MPPE = no VPN.
In the ACS the authentication showed as successful and little else. I checked and double checked the RADIUS attributes. After sometime with Watchguard support, they suggested to get a packet capture of the ACS RADIUS response:
Using Wireshark, it was clear that the ACS was not sending any MPPE related attributes and in fact the only Microsoft attribute was the one indicating that the authentication was OK.
I replicated the VPN configuration using a cisco router and it worked without issues, after that, I was checking everything again and noticed that the cisco router was defined in the ACS AAA client section as "RADIUS (Cisco IOS/PIX 6.0)" while the Watchguard Firewall was defined as "RADIUS (IETF)"
I changed the firewall to "RADIUS (Cisco IOS/PIX 6.0)" and ta-da, everything worked.
All the Microsoft attributes were there and all was well in the land. Of course after reading the ACS help, it seems obvious:
"RADIUS (IETF). These are the standard IETF RADIUS attributes. Select this option if you are using devices supporting RADIUS but do not need to make use of the vendor-specific attributes (VSA) of the manufacturer.
RADIUS (Cisco IOS/PIX 6.0) Select the RADIUS (Cisco IOS) option when using a Cisco Systems IOS device as a AAA client. This option enables you to make use of the Cisco IOS and PIX 6.0 RADIUS VSAs."
