
Configuring CiscoSecure ACS for Windows Router PPTP Authentication

August 28, 2015 - Machine Translated

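Introduction

Point-to-Point Tunnel Protocol (PPTP) support was added to Cisco IOS® Software Release 12.0.5.XE5 on the Cisco 7100 and 7200 platforms (refer to PPTP with Microsoft Point-to-Point Encryption (MPPE) [Cisco IOS Software Release 12.0]). Support for more platforms was added in Cisco IOS Software Release 12.1.5.T (refer to MSCHAP Version 2).

RFC 2637 describes PPTP. In PPTP terms, according to the RFC, the PPTP Access Concentrator (PAC) is the client (the PC, that is, the caller) and the PPTP Network Server (PNS) is the server (the router, that is, the callee).

This document assumes that PPTP connections to the router with local Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) V1 authentication (and, optionally, MPPE, which requires MS-CHAP V1) have been created with the use of these documents and are already operational. RADIUS is required for MPPE encryption support. TACACS+ works for authentication, but not for MPPE keying. MS-CHAP V2 support was added in Cisco IOS Software Release 12.2(2)XB5 and integrated into Cisco IOS Software Release 12.2(13)T (refer to MSCHAP Version 2); however, MPPE is not yet supported with MS-CHAP V2.

This sample configuration demonstrates how to set up a PC connection to the router (at 10.66.79.99), which then passes user authentication to the Cisco Secure Access Control System (ACS) 4.2 for Windows server (at 10.66.79.120) before you allow the user into the network.

Note: The RADIUS server is not usually outside the router except in a lab environment.

PPTP support was added to Cisco Secure ACS 2.5, but might not work with the router due to Cisco bug ID CSCds92266 (registered customers only). ACS 2.6 and later do not have this problem.

Cisco Secure UNIX does not support MPPE. Two other RADIUS applications with MPPE support are Microsoft RADIUS and Funk RADIUS.

Refer to Configuring the Cisco Router and VPN Clients Using PPTP and MPPE for more information on how to configure PPTP and MPPE with a router.

Refer to Configuring the VPN 3000 Concentrator and PPTP with Cisco Secure ACS for Windows RADIUS Authentication for more information on how to configure PPTP on a VPN 3000 Concentrator with Cisco Secure ACS for Windows for RADIUS authentication.

For more information on the same scenario with a Cisco PIX security appliance that runs software version 6.x, refer to PIX 6.x: PPTP with RADIUS Authentication Configuration Example in order to configure PPTP connections to the PIX.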

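Prerequisites

Requirements

There are no specific prerequisites for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Secure ACS 4.2 for Windows

  • Cisco 3600 router

  • Cisco IOS Software Release 12.4(3)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command before you use it.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Network Diagram

This document uses this network setup: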

[Figure: network diagram]

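Router Configuration

Use this router configuration. The user should be able to connect with "username john password doe" even if the RADIUS server is unreachable (which is possible if the server has not yet been configured with Cisco Secure ACS). This example assumes that local authentication (and, optionally, encryption) is already operational.

Cisco 3600 Router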
Current configuration : 1729 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname moss
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
username john password 0 doe
aaa new-model
!
aaa authentication ppp default group radius local
aaa authentication login default local
!--- In order to set authentication, authorization, and accounting (AAA) authentication 
!--- at login, use the aaa authentication login command in global
!--- configuration mode as shown above.
aaa authorization network default group radius if-authenticated
aaa session-id common
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
!--- Default PPTP VPDN group.
accept-dialin
protocol pptp
virtual-template 1
!
no ftp-server write-enable
!
no voice hpi capture buffer
no voice hpi capture destination
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 10.66.79.99 255.255.255.224
half-duplex
!
interface Virtual-Template1
ip unnumbered Ethernet0/1
peer default ip address pool testpool
ppp authentication ms-chap
!
ip local pool testpool 192.168.1.1 192.168.1.254
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.66.79.97
!
radius-server host 10.66.79.120 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
!
line con 0
line aux 0
line vty 0 4
password cisco
!
end

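RADIUS Server Fallback Feature

When the primary RADIUS server becomes unavailable, the router fails over to the next active backup RADIUS server. The router continues to use the secondary RADIUS server forever, even if the primary server becomes available again. Usually the primary server is the high-performance, preferred server.

In order to set authentication, authorization, and accounting (AAA) authentication at login, use the aaa authentication login command in global configuration mode.

Cisco Secure ACS for Windows Configuration

Use this procedure to configure Cisco Secure ACS:

  1. Click Network Configuration, add an entry for the router, and click Submit + Restart when you are finished.

  2. Choose Interface Configuration > RADIUS (Microsoft), then check your MPPE attributes and click Submit.

  3. Click Group Setup and, for Service-Type, select Framed. For Framed-Protocol, choose PPP and click Submit.

  4. In Group Setup, check the MS-MPPE RADIUS information and, when you are finished, click Submit + Restart.

  5. Click User Setup, add a password, assign the user to the group, and click Submit.

  6. Test authentication to the router before you add encryption. If authentication does not work, refer to the Troubleshoot section of this document.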

Adding to the Configuration

Adding Encryption

You can add MPPE encryption with this command:

interface virtual-template 1
(config-if)#ppp encrypt mppe 40|128|auto passive|required|stateful

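Because the example assumes that encryption already works with local authentication (the username and password on the router), the PC is configured properly. You can now add this command to allow maximum flexibility: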

ppp encrypt mppe auto
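
With ppp encrypt mppe auto the key length is whatever the two ends agree on during CCP, so it is worth reading the result out of debug ppp negotiation. The Python sketch below is an added example, not part of the original Cisco document: it decodes the "MS-PPC supported bits" values using the flag definitions from RFC 3078 and reports any direction that settled below 128-bit. The CCP lines are copied from the sample debug output later in this document (timestamps removed, display line breaks rejoined); the function names are this example's own.

```python
import re

# Flag values of the MPPE "supported bits" field in the CCP option (RFC 3078).
MPPE_FLAGS = [
    (0x01000000, "stateless"), (0x00000080, "56-bit"),
    (0x00000040, "128-bit"), (0x00000020, "40-bit"),
    (0x00000010, "obsolete-D"), (0x00000001, "MPPC-compression"),
]
CCP_MSG = re.compile(r"CCP: ([IO]) (CONF\w+)")
BITS = re.compile(r"MS-PPC supported bits 0x([0-9A-Fa-f]{8})")

# CCP lines from this document's sample debug (timestamps removed).
CCP_DEBUG = """\
Vi3 CCP: O CONFREQ [Closed] id 1 len 10
Vi3 CCP: MS-PPC supported bits 0x01000060 (0x120601000060)
Vi3 CCP: I CONFREQ [REQsent] id 4 len 10
Vi3 CCP:    MS-PPC supported bits 0x010000F1 (0x1206010000F1)
Vi3 CCP: O CONFNAK [REQsent] id 4 len 10
Vi3 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
Vi3 CCP: I CONFNAK [REQsent] id 1 len 10
Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Vi3 CCP: O CONFREQ [REQsent] id 2 len 10
Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Vi3 CCP: I CONFREQ [REQsent] id 6 len 10
Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Vi3 CCP: O CONFACK [REQsent] id 6 len 10
Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Vi3 CCP: I CONFACK [ACKsent] id 2 len 10
Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Vi3 CCP: State is Open
"""


def decode_bits(value):
    """Names of the flags set in one supported-bits value."""
    return [name for mask, name in MPPE_FLAGS if value & mask]


def ccp_exchange(debug_text):
    """List (direction, code, bits) for each CCP packet with an MPPE option."""
    current, packets = None, []
    for line in debug_text.splitlines():
        msg = CCP_MSG.search(line)
        if msg:
            current = msg.groups()
            continue
        bits = BITS.search(line)
        if bits and current:
            packets.append((current[0], current[1], int(bits.group(1), 16)))
            current = None
    return packets


def agreed_bits(debug_text):
    """Bits confirmed by CONFACK: 'O' = router acked the PC, 'I' = PC acked the router."""
    return {d: b for d, code, b in ccp_exchange(debug_text) if code == "CONFACK"}


def findings(acked):
    """Report directions with no MPPE agreement or with less than 128-bit keys."""
    problems = []
    for direction in ("I", "O"):
        bits = acked.get(direction)
        if bits is None:
            problems.append(direction + ": no CONFACK seen, MPPE not negotiated")
        elif not bits & 0x40:
            problems.append(direction + ": below 128-bit: " + ",".join(decode_bits(bits)))
    return problems


if __name__ == "__main__":
    for direction, code, bits in ccp_exchange(CCP_DEBUG):
        print(direction, code, hex(bits), decode_bits(bits))
    print("findings:", findings(agreed_bits(CCP_DEBUG)))
```

In the lab session the router offers 40-bit and 128-bit, the PC answers with a CONFNAK for 128-bit only, and both directions are acknowledged at 0x01000040 (stateless, 128-bit).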

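Static IP Address Assignment from the Server

If you need to assign a particular IP address to the user, in ACS User Setup, select Assign static IP Address and fill in the IP address.

Add Access Lists to the Server

In order to control what the PPTP user can access once the user is connected to the router, you can configure an access list on the router. For example, if you issue this command: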

access-list 101 permit ip any host 10.1.1.2 log

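and choose Filter-Id (attribute 11) in ACS and enter 101 in the box, the PPTP user can access the 10.1.1.2 host but no others. When you issue the show ip interface virtual-access x command, where x is a number that you can determine from the show user command, the access list should show as applied: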

Inbound access list is 101

Add Accounting

You can add accounting for sessions with this command:

aaa accounting network default start-stop radius

The accounting records in Cisco Secure ACS appear as this output shows:

Date,Time,User-Name,Group-Name,Calling-Station-Id,
Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,
Service-Type,Framed-Protocol,Acct-Input-Octets,
Acct-Output-Octets,Acct-Input-Packets,Acct-Output-Packets,
Framed-IP-Address,NAS-Port,NAS-IP-Address
09/28/2003,20:58:37,georgia,Default Group,,Start,00000005,,
Framed,PPP,,,,,,5,10.66.79.99
09/28/2000,21:00:38,georgia,Default Group,,Stop,00000005,121,
Framed,PPP,3696,1562,49,
38,192.168.1.1,5,10.66.79.99

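Note: Line breaks were added to the example for display purposes. The line breaks in your actual output are different from those shown here.

Split Tunneling

When the PPTP tunnel comes up on the PC, the PPTP route is installed with a higher metric than the previous default, so you lose Internet connectivity. In order to remedy this, given that the network inside the router is 10.1.1.X, run a batch file (batch.bat) that modifies the Microsoft routing table to delete the default route and reinstall it (this requires the IP address that the PPTP client is assigned; for the example, that is 192.168.1.1):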

route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 10.66.79.33 metric 1
route add 10.1.1.0 mask 255.255.255.0 192.168.1.1 metric 1

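Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show vpdn session - Displays information about active Level 2 Forwarding (L2F) protocol tunnels and message identifiers in a Virtual Private Dialup Network (VPDN).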

moss#show vpdn session
%No active L2TP tunnels
%No active L2F tunnels

PPTP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Intf    Username      State   Last Chg Uniq ID
7     32768 7     Vi3     georgia       estabd  00:00:25 6
moss#show vpdn
%No active L2TP tunnels
%No active L2F tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1
LocID Remote Name     State    Remote Address  Port  Sessions VPDN Group
7                     estabd   10.66.79.60     3454  1        1

LocID RemID TunID Intf    Username      State   Last Chg Uniq ID
7     32768 7     Vi3     georgia       estabd  00:00:51 6

Troubleshoot

Use this section to troubleshoot your configuration.

  1. The PC specifies encryption, but the router does not.

    The PC user sees:

    The remote computer does not support the required data encryption type.
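  2. Both the PC and the router specify encryption, but the RADIUS server is not configured to send down the MPPE keys (these normally appear as attribute 26).

    The PC user sees: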

    The remote computer does not support the required 
    data encryption type.
  3. The router specifies encryption (required), but the PC does not (not allowed).

    The PC user sees:

    The specified port is not connected.
  4. The user enters an incorrect username or password.

    The PC user sees:

    Access was denied because the username and/or 
    password was invalid on the domain.

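    The router debug shows:

    Note: Line breaks were added to this example for display purposes. The line breaks in your actual output are different from those shown here.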

    Sep 28 21:34:16.299: RADIUS: Received from id 21645/13 10.66.79.120:1645, 
    Access-Reject, len 54
    Sep 28 21:34:16.299: RADIUS: authenticator 37 BA 2B 4F 23 02 44 4D - D4 
    A0 41 3B 61 2D 5E 0C
    Sep 28 21:34:16.299: RADIUS:  Vendor, Microsoft   [26]  22
    Sep 28 21:34:16.299: RADIUS:   MS-CHAP-ERROR      [2]   16
    Sep 28 21:34:16.299: RADIUS:   01 45 3D 36 39 31 20 52 3D 30 20 56 3D
    [?E=691 R=0 V=]
    Sep 28 21:34:16.299: RADIUS:  Reply-Message       [18]  12
    Sep 28 21:34:16.299: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    
    [Rejected??]
  5. The RADIUS server is unreachable.

    The PC user sees:

    Access was denied because the username and/or password 
    was invalid on the domain.

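    The router debug shows:

    Note: Line breaks were added to this example for display purposes. The line breaks in your actual output are different from those shown here.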

    Sep 28 21:46:56.135: RADIUS: Retransmit to (10.66.79.120:1645,1646) 
    for id 21645/43
    Sep 28 21:47:01.135: RADIUS: Retransmit to (10.66.79.120:1645,1646) 
    for id 21645/43
    Sep 28 21:47:06.135: RADIUS: Retransmit to (10.66.79.120:1645,1646) 
    for id 21645/43
    Sep 28 21:47:11.135: RADIUS: No response from (10.66.79.120:1645,1646) 
    for id 21645/43
    Sep 28 21:47:11.135: RADIUS/DECODE: parse response no app start; FAIL
    Sep 28 21:47:11.135: RADIUS/DECODE: parse response; FAIL
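
Cases 4 and 5 show the PC user the same message, so only the router's debug radius output tells a rejected password apart from an unreachable server. The Python sketch below is an added example, not part of the original Cisco document: it decodes the MS-CHAP-Error attribute (a 1-byte ident followed by "E=... R=... V=..." text) against the failure codes listed in RFC 2433 and recognises the retransmit/no-response pattern. The debug lines are copied from cases 4 and 5 above with the display line breaks rejoined; the verdict strings and function names are this example's own.

```python
import re

# MS-CHAP failure codes from RFC 2433.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}
HEX_LINE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2} )+[0-9A-F]{2})\b")
NO_RESPONSE = re.compile(r"No response from \(([\d.]+):(\d+),(\d+)\)")

# Debug lines from troubleshooting cases 4 and 5 (line breaks rejoined).
REJECT_DEBUG = """\
Sep 28 21:34:16.299: RADIUS: Received from id 21645/13 10.66.79.120:1645, Access-Reject, len 54
Sep 28 21:34:16.299: RADIUS:  Vendor, Microsoft   [26]  22
Sep 28 21:34:16.299: RADIUS:   MS-CHAP-ERROR      [2]   16
Sep 28 21:34:16.299: RADIUS:   01 45 3D 36 39 31 20 52 3D 30 20 56 3D [?E=691 R=0 V=]
Sep 28 21:34:16.299: RADIUS:  Reply-Message       [18]  12
"""
TIMEOUT_DEBUG = """\
Sep 28 21:46:56.135: RADIUS: Retransmit to (10.66.79.120:1645,1646) for id 21645/43
Sep 28 21:47:01.135: RADIUS: Retransmit to (10.66.79.120:1645,1646) for id 21645/43
Sep 28 21:47:06.135: RADIUS: Retransmit to (10.66.79.120:1645,1646) for id 21645/43
Sep 28 21:47:11.135: RADIUS: No response from (10.66.79.120:1645,1646) for id 21645/43
"""


def decode_mschap_error(hex_bytes):
    """Decode the attribute value: ident byte, then 'E=code R=retry V=version'."""
    raw = bytes.fromhex(hex_bytes)
    text = raw[1:].decode("ascii", errors="replace")
    kv = dict(re.findall(r"\b([ERCV])=(\S*)", text))
    code = int(kv["E"]) if kv.get("E", "").isdigit() else None
    return {"ident": raw[0], "code": code,
            "name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": kv.get("R") == "1"}


def triage(debug_text):
    """Return (verdict, detail) for the RADIUS debug of one failed login."""
    lines = debug_text.splitlines()
    for i, line in enumerate(lines):
        if "MS-CHAP-ERROR" in line:
            # The hex dump of the attribute follows within the next two lines.
            for follow in lines[i + 1:i + 3]:
                dump = HEX_LINE.search(follow)
                if dump:
                    err = decode_mschap_error(dump.group(1))
                    verdict = "bad-credentials" if err["code"] == 691 else "rejected-other"
                    return verdict, err
    lost = NO_RESPONSE.search(debug_text)
    if lost:
        return "radius-unreachable", {
            "server": lost.group(1), "auth_port": int(lost.group(2)),
            "acct_port": int(lost.group(3)),
            "retransmits": debug_text.count("Retransmit to")}
    if "Access-Reject" in debug_text:
        return "rejected-no-detail", {}
    return "no-radius-failure-seen", {}


if __name__ == "__main__":
    print(triage(REJECT_DEBUG))
    print(triage(TIMEOUT_DEBUG))
```

The three retransmits counted in case 5 correspond to radius-server retransmit 3 in the router configuration.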

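Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

If things do not work, the minimal debug commands include:

  • debug aaa authentication - Displays information on AAA/TACACS+ authentication.

  • debug aaa authorization - Displays information on AAA/TACACS+ authorization.

  • debug ppp negotiation - Displays PPP packets transmitted during PPP startup, where PPP options are negotiated.

  • debug ppp authentication - Displays authentication protocol messages, which include CHAP packet exchanges and Password Authentication Protocol (PAP) exchanges.

  • debug radius - Displays detailed debugging information associated with RADIUS.

If authentication works, but there are problems with MPPE encryption, use these commands:

  • debug ppp mppe packet - Displays all incoming and outgoing MPPE traffic.

  • debug ppp mppe event - Displays key MPPE occurrences.

  • debug ppp mppe detailed - Displays verbose MPPE information.

  • debug vpdn l2x-packets - Displays messages about L2F protocol headers and status.

  • debug vpdn events - Displays messages about events that are part of normal tunnel establishment or shutdown.

  • debug vpdn errors - Displays errors that prevent a tunnel from being established or errors that cause an established tunnel to be closed.

  • debug vpdn packets - Displays each protocol packet exchanged. This option can result in a large number of debug messages, and you should generally use this command only on a debug chassis with a single active session.

You can also use these commands for troubleshooting purposes:

  • clear interface virtual-access x - Shuts down a specified tunnel and all sessions within the tunnel.

Sample Good Debug Output

This debug shows significant events from the RFC:

  • SCCRQ = Start-Control-Connection-Request - message code bytes 9 and 10 = 0001

  • SCCRP = Start-Control-Connection-Reply

  • OCRQ = Outgoing-Call-Request - message code bytes 9 and 10 = 0007

  • OCRP = Outgoing-Call-Reply

Note: Line breaks were added to this example for display purposes. The line breaks in your actual output are different from those shown here.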

moss#show debug
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
PPP:
  PPP protocol negotiation debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is on
VPN:
  L2X control packets debugging is on
Sep 28 21:53:22.403:  Tnl 23 PPTP: 
I 009C00011A2B3C4D0001000001000000000000010000...
Sep 28 21:53:22.403:  Tnl 23 PPTP: I SCCRQ
Sep 28 21:53:22.403:  Tnl 23 PPTP: protocol version 100
Sep 28 21:53:22.403:  Tnl 23 PPTP: framing caps 1
Sep 28 21:53:22.403:  Tnl 23 PPTP: bearer caps 1
Sep 28 21:53:22.403:  Tnl 23 PPTP: max channels 0
Sep 28 21:53:22.403:  Tnl 23 PPTP: firmware rev 893
Sep 28 21:53:22.403:  Tnl 23 PPTP: hostname ""
Sep 28 21:53:22.403:  Tnl 23 PPTP: vendor "Microsoft Windows NT"
Sep 28 21:53:22.403:  Tnl 23 PPTP: O SCCRP
Sep 28 21:53:22.407:  Tnl 23 PPTP: I 
00A800011A2B3C4D0007000080007C0E0000012C05F5...
Sep 28 21:53:22.407:  Tnl 23 PPTP: CC I OCRQ
Sep 28 21:53:22.407:  Tnl 23 PPTP: call id 32768
Sep 28 21:53:22.411:  Tnl 23 PPTP: serial num 31758
Sep 28 21:53:22.411:  Tnl 23 PPTP: min bps 300
Sep 28 21:53:22.411:  Tnl 23 PPTP: max bps 100000000
Sep 28 21:53:22.411:  Tnl 23 PPTP: bearer type 3
Sep 28 21:53:22.411:  Tnl 23 PPTP: framing type 3
Sep 28 21:53:22.411:  Tnl 23 PPTP: recv win size 64
Sep 28 21:53:22.411:  Tnl 23 PPTP: ppd 0
Sep 28 21:53:22.411:  Tnl 23 PPTP: phone num len 0
Sep 28 21:53:22.411:  Tnl 23 PPTP: phone num ""
Sep 28 21:53:22.411: AAA/BIND(0000001C): Bind i/f Virtual-Template1
Sep 28 21:53:22.415:  Tnl/Sn 23/23 PPTP: CC O OCRP
Sep 28 21:53:22.415: ppp27 PPP: Using vpn set call direction
Sep 28 21:53:22.415: ppp27 PPP: Treating connection as a callin
Sep 28 21:53:22.415: ppp27 PPP: Phase is ESTABLISHING, Passive Open
Sep 28 21:53:22.415: ppp27 LCP: State is Listen
Sep 28 21:53:22.459:  Tnl 23 PPTP: I 
001800011A2B3C4D000F000000170000FFFFFFFFFFFFFFFF
Sep 28 21:53:22.459:  Tnl/Sn 23/23 PPTP: CC I SLI
Sep 28 21:53:22.459: ppp27 LCP: I CONFREQ [Listen] id 0 len 44
Sep 28 21:53:22.459: ppp27 LCP:    MagicNumber 0x377413E2 (0x0506377413E2)
Sep 28 21:53:22.459: ppp27 LCP:    PFC (0x0702)
Sep 28 21:53:22.459: ppp27 LCP:    ACFC (0x0802)
Sep 28 21:53:22.459: ppp27 LCP:    Callback 6  (0x0D0306)
Sep 28 21:53:22.459: ppp27 LCP:    MRRU 1614 (0x1104064E)
Sep 28 21:53:22.459: ppp27 LCP:    EndpointDisc 1 Local
Sep 28 21:53:22.459: ppp27 LCP:     (0x1317010D046656E8C7445895763667BB)
Sep 28 21:53:22.463: ppp27 LCP:     (0x2D0E8100000016)
Sep 28 21:53:22.463: ppp27 LCP: O CONFREQ [Listen] id 1 len 15
Sep 28 21:53:22.463: ppp27 LCP:    AuthProto MS-CHAP (0x0305C22380)
Sep 28 21:53:22.463: ppp27 LCP:    MagicNumber 0xD0B06B2C (0x0506D0B06B2C)
Sep 28 21:53:22.463: ppp27 LCP: O CONFREJ [Listen] id 0 len 11
Sep 28 21:53:22.463: ppp27 LCP:    Callback 6  (0x0D0306)
Sep 28 21:53:22.463: ppp27 LCP:    MRRU 1614 (0x1104064E)
Sep 28 21:53:22.467: ppp27 LCP: I CONFACK [REQsent] id 1 len 15
Sep 28 21:53:22.467: ppp27 LCP:    AuthProto MS-CHAP (0x0305C22380)
Sep 28 21:53:22.467: ppp27 LCP:    MagicNumber 0xD0B06B2C (0x0506D0B06B2C)
Sep 28 21:53:22.467: ppp27 LCP: I CONFREQ [ACKrcvd] id 1 len 37
Sep 28 21:53:22.467: ppp27 LCP:    MagicNumber 0x377413E2 (0x0506377413E2)
Sep 28 21:53:22.467: ppp27 LCP:    PFC (0x0702)
Sep 28 21:53:22.467: ppp27 LCP:    ACFC (0x0802)
Sep 28 21:53:22.471: ppp27 LCP:    EndpointDisc 1 Local
Sep 28 21:53:22.471: ppp27 LCP:     (0x1317010D046656E8C7445895763667BB)
Sep 28 21:53:22.471: ppp27 LCP:     (0x2D0E8100000016)
Sep 28 21:53:22.471: ppp27 LCP: O CONFACK [ACKrcvd] id 1 len 37
Sep 28 21:53:22.471: ppp27 LCP:    MagicNumber 0x377413E2 (0x0506377413E2)
Sep 28 21:53:22.471: ppp27 LCP:    PFC (0x0702)
Sep 28 21:53:22.471: ppp27 LCP:    ACFC (0x0802)
Sep 28 21:53:22.471: ppp27 LCP:    EndpointDisc 1 Local
Sep 28 21:53:22.471: ppp27 LCP:     (0x1317010D046656E8C7445895763667BB)
Sep 28 21:53:22.471: ppp27 LCP:     (0x2D0E8100000016)
Sep 28 21:53:22.471: ppp27 LCP: State is Open
Sep 28 21:53:22.471: ppp27 PPP: Phase is AUTHENTICATING, by this end
Sep 28 21:53:22.475: ppp27 MS-CHAP: O CHALLENGE id 1 len 21 from "SV3-2   "
Sep 28 21:53:22.475:  Tnl 23 PPTP: I 
001800011A2B3C4D000F000000170000FFFFFFFFFFFFFFFF
Sep 28 21:53:22.475:  Tnl/Sn 23/23 PPTP: CC I SLI
Sep 28 21:53:22.479: ppp27 LCP: I IDENTIFY [Open] id 2 len 
18 magic 0x377413E2 MSRASV5.00
Sep 28 21:53:22.479: ppp27 LCP: I IDENTIFY [Open] id 3 len 
30 magic 0x377413E2 MSRAS-0-CSCOAPACD12364
Sep 28 21:53:22.479: ppp27 MS-CHAP: I RESPONSE id 1 len 61 from "georgia"
Sep 28 21:53:22.483: ppp27 PPP: Phase is FORWARDING, Attempting Forward
Sep 28 21:53:22.483: ppp27 PPP: Phase is AUTHENTICATING, Unauthenticated User
Sep 28 21:53:22.483: AAA/AUTHEN/PPP (0000001C): Pick method list 'default'
Sep 28 21:53:22.483: RADIUS:  AAA Unsupported     [152] 14
Sep 28 21:53:22.483: RADIUS:   55 6E 69 71 2D 53 65 73 73 2D 49 44              
[Uniq-Sess-ID]
Sep 28 21:53:22.483: RADIUS(0000001C): Storing nasport 27 in rad_db
Sep 28 21:53:22.483: RADIUS(0000001C): Config NAS IP: 0.0.0.0
Sep 28 21:53:22.483: RADIUS/ENCODE(0000001C): acct_session_id: 38
Sep 28 21:53:22.487: RADIUS(0000001C): sending
Sep 28 21:53:22.487: RADIUS/ENCODE: Best Local IP-Address 10.66.79.99 
for Radius-Server 10.66.79.120
Sep 28 21:53:22.487: RADIUS(0000001C): Send Access-Request to 
10.66.79.120:1645 id 21645/44, len 133
Sep 28 21:53:22.487: RADIUS:  authenticator 15 8A 3B EE 03 24 
0C F0 - 00 00 00 00 00 00 00 00
Sep 28 21:53:22.487: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Sep 28 21:53:22.487: RADIUS:  User-Name           [1]   9   "georgia"
Sep 28 21:53:22.487: RADIUS:  Vendor, Microsoft   [26]  16
Sep 28 21:53:22.487: RADIUS:   MSCHAP_Challenge   [11]  10
Sep 28 21:53:22.487: RADIUS:   15 8A 3B EE 03 24 0C  [??;??$?]
Sep 28 21:53:22.487: RADIUS:  Vendor, Microsoft   [26]  58
Sep 28 21:53:22.487: RADIUS:   MS-CHAP-Response   [1]   52  *
Sep 28 21:53:22.487: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Sep 28 21:53:22.487: RADIUS:  NAS-Port            [5]   6   27
Sep 28 21:53:22.487: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Sep 28 21:53:22.491: RADIUS:  NAS-IP-Address      [4]   6   10.66.79.99
Sep 28 21:53:22.515: RADIUS: Received from id 21645/44 10.66.79.120:1645, 
Access-Accept, len 141
Sep 28 21:53:22.515: RADIUS:  authenticator ED 3F 8A 08 2D A2 EB 4F - 78 
3F 5D 80 58 7B B5 3E
Sep 28 21:53:22.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Sep 28 21:53:22.515: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Sep 28 21:53:22.515: RADIUS:  Filter-Id           [11]  8
Sep 28 21:53:22.515: RADIUS:   31 30 31 2E 69 6E  [101.in]
Sep 28 21:53:22.515: RADIUS:  Vendor, Microsoft   [26]  12
Sep 28 21:53:22.515: RADIUS:   MS-MPPE-Enc-Policy [7]   6
Sep 28 21:53:22.515: RADIUS:   00 00 00          [???]
Sep 28 21:53:22.515: RADIUS:  Vendor, Microsoft   [26]  12
Sep 28 21:53:22.515: RADIUS:   MS-MPPE-Enc-Type   [8]   6
Sep 28 21:53:22.515: RADIUS:   00 00 00          [???]
Sep 28 21:53:22.515: RADIUS:  Vendor, Microsoft   [26]  40
Sep 28 21:53:22.515: RADIUS:   MS-CHAP-MPPE-Keys  [12]  34  *
Sep 28 21:53:22.519: RADIUS:  Framed-IP-Address   [8]   6   192.168.1.1
Sep 28 21:53:22.519: RADIUS:  Class               [25]  31
Sep 28 21:53:22.519: RADIUS:   
43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 30 36  [CISCOACS:0000006]
Sep 28 21:53:22.519: RADIUS:   
33 2F 30 61 34 32 34 66 36 33 2F 32 37           [3/0a424f63/27]
Sep 28 21:53:22.519: RADIUS(0000001C): Received from id 21645/44
Sep 28 21:53:22.523: ppp27 PPP/AAA: Check Attr: service-type
Sep 28 21:53:22.523: ppp27 PPP/AAA: Check Attr: Framed-Protocol
Sep 28 21:53:22.523: ppp27 PPP/AAA: Check Attr: inacl: Peruser
Sep 28 21:53:22.523: ppp27 PPP/AAA: Check Attr: MS-CHAP-MPPE-Keys
Sep 28 21:53:22.523: ppp27 PPP/AAA: Check Attr: addr
Sep 28 21:53:22.523: ppp27 PPP: Phase is FORWARDING, Attempting Forward
Sep 28 21:53:22.523: Vi3 PPP: Phase is DOWN, Setup
Sep 28 21:53:22.527: AAA/BIND(0000001C): Bind i/f Virtual-Access3
Sep 28 21:53:22.531: %LINK-3-UPDOWN: Interface Virtual-Access3, 
changed state to up
Sep 28 21:53:22.531: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
Sep 28 21:53:22.531: Vi3 AAA/AUTHOR/LCP: Process Author
Sep 28 21:53:22.531: Vi3 AAA/AUTHOR/LCP: Process Attr: service-type
Sep 28 21:53:22.531: Vi3 MS-CHAP: O SUCCESS id 1 len 4
Sep 28 21:53:22.535: Vi3 PPP: Phase is UP
Sep 28 21:53:22.535: Vi3 AAA/AUTHOR/IPCP: FSM authorization not needed
Sep 28 21:53:22.535: Vi3 AAA/AUTHOR/FSM: We can start IPCP
Sep 28 21:53:22.535: Vi3 IPCP: O CONFREQ [Closed] id 1 len 10
Sep 28 21:53:22.535: Vi3 IPCP:    Address 10.66.79.99 (0x03060A424F63)
Sep 28 21:53:22.535: Vi3 AAA/AUTHOR/CCP: FSM authorization not needed
Sep 28 21:53:22.535: Vi3 AAA/AUTHOR/FSM: We can start CCP
Sep 28 21:53:22.535: Vi3 CCP: O CONFREQ [Closed] id 1 len 10
Sep 28 21:53:22.535: Vi3 CCP: MS-PPC supported bits 0x01000060 (0x120601000060)
Sep 28 21:53:22.535: Vi3 PPP: Process pending packets
Sep 28 21:53:22.539: RADIUS(0000001C): Using existing nas_port 27
Sep 28 21:53:22.539: RADIUS(0000001C): Config NAS IP: 0.0.0.0
Sep 28 21:53:22.539: RADIUS(0000001C): sending
Sep 28 21:53:22.539: RADIUS/ENCODE: Best Local IP-Address 
10.66.79.99 for Radius-Server 10.66.79.120
Sep 28 21:53:22.539: RADIUS(0000001C): Send Accounting-Request 
to 10.66.79.120:1646 id 21645/45, len 147
Sep 28 21:53:22.539: RADIUS:  authenticator 1A 76 20 95 95 F8 
81 42 - 1F E8 E7 C1 8F 10 BA 94
Sep 28 21:53:22.539: RADIUS:  Acct-Session-Id     [44]  10  "00000026"
Sep 28 21:53:22.539: RADIUS:  Tunnel-Server-Endpoi[67]  13  "10.66.79.99"
Sep 28 21:53:22.539: RADIUS:  Tunnel-Client-Endpoi[66]  13  "10.66.79.60"
Sep 28 21:53:22.543: RADIUS:  Tunnel-Assignment-Id[82]  3   "1"
Sep 28 21:53:22.543: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Sep 28 21:53:22.543: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Sep 28 21:53:22.543: RADIUS:  User-Name           [1]   9   "georgia"
Sep 28 21:53:22.543: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Sep 28 21:53:22.543: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Sep 28 21:53:22.543: RADIUS:  NAS-Port            [5]   6   27
Sep 28 21:53:22.543: RADIUS:  Class               [25]  31
Sep 28 21:53:22.543: RADIUS:   43 49 53 43 4F 41 43 53 3A 30 30 30 30 
30 30 36  [CISCOACS:0000006]
Sep 28 21:53:22.543: RADIUS:   33 2F 30 61 34 32 34 66 36 33 2F 32 37
           [3/0a424f63/27]
Sep 28 21:53:22.547: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Sep 28 21:53:22.547: RADIUS:  NAS-IP-Address      [4]   6   10.66.79.99
Sep 28 21:53:22.547: RADIUS:  Acct-Delay-Time     [41]  6   0
Sep 28 21:53:22.547: Vi3 CCP: I CONFREQ [REQsent] id 4 len 10
Sep 28 21:53:22.547: Vi3 CCP:    MS-PPC supported bits 0x010000F1 
(0x1206010000F1)
Sep 28 21:53:22.547: Vi3 CCP: O CONFNAK [REQsent] id 4 len 10
Sep 28 21:53:22.551: Vi3 CCP:    MS-PPC supported bits 0x01000060 
(0x120601000060)
Sep 28 21:53:22.551: Vi3 CCP: I CONFNAK [REQsent] id 1 len 10
Sep 28 21:53:22.551: Vi3 CCP:    MS-PPC supported bits 0x01000040 
(0x120601000040)
Sep 28 21:53:22.551: Vi3 CCP: O CONFREQ [REQsent] id 2 len 10
Sep 28 21:53:22.551: Vi3 CCP:    MS-PPC supported bits 0x01000040 
(0x120601000040)
Sep 28 21:53:22.551: Vi3 IPCP: I CONFREQ [REQsent] id 5 len 34
Sep 28 21:53:22.551: Vi3 IPCP:    Address 0.0.0.0 (0x030600000000)
Sep 28 21:53:22.551: Vi3 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Sep 28 21:53:22.551: Vi3 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
Sep 28 21:53:22.551: Vi3 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Sep 28 21:53:22.551: Vi3 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
Sep 28 21:53:22.551: Vi3 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, 
we want 0.0.0.0
Sep 28 21:53:22.551: Vi3 AAA/AUTHOR/IPCP: Processing AV inacl
Sep 28 21:53:22.555: Vi3 AAA/AUTHOR/IPCP: Processing AV addr
Sep 28 21:53:22.555: Vi3 AAA/AUTHOR/IPCP: Authorization succeeded
Sep 28 21:53:22.555: Vi3 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, 
we want 192.168.1.1
Sep 28 21:53:22.555: Vi3 AAA/AUTHOR/IPCP: no author-info for primary dns
Sep 28 21:53:22.555: Vi3 AAA/AUTHOR/IPCP: no author-info for primary wins
Sep 28 21:53:22.555: Vi3 AAA/AUTHOR/IPCP: no author-info for seconday dns
Sep 28 21:53:22.555: Vi3 AAA/AUTHOR/IPCP: no author-info for seconday wins
Sep 28 21:53:22.555: Vi3 IPCP: O CONFREJ [REQsent] id 5 len 28
Sep 28 21:53:22.555: Vi3 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Sep 28 21:53:22.555: Vi3 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
Sep 28 21:53:22.555: Vi3 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Sep 28 21:53:22.555: Vi3 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
Sep 28 21:53:22.555: Vi3 IPCP: I CONFACK [REQsent] id 1 len 10
Sep 28 21:53:22.555: Vi3 IPCP:    Address 10.66.79.99 (0x03060A424F63)
Sep 28 21:53:22.563: Vi3 CCP: I CONFREQ [REQsent] id 6 len 10
Sep 28 21:53:22.563: Vi3 CCP:    MS-PPC supported bits 0x01000040 
(0x120601000040)
Sep 28 21:53:22.563: Vi3 CCP: O CONFACK [REQsent] id 6 len 10
Sep 28 21:53:22.563: Vi3 CCP:    MS-PPC supported bits 0x01000040 
(0x120601000040)
Sep 28 21:53:22.567: Vi3 CCP: I CONFACK [ACKsent] id 2 len 10
Sep 28 21:53:22.567: Vi3 CCP:    MS-PPC supported bits 0x01000040 
(0x120601000040)
Sep 28 21:53:22.567: Vi3 CCP: State is Open
Sep 28 21:53:22.567: Vi3 IPCP: I CONFREQ [ACKrcvd] id 7 len 10
Sep 28 21:53:22.567: Vi3 IPCP:    Address 0.0.0.0 (0x030600000000)
Sep 28 21:53:22.567: Vi3 IPCP: O CONFNAK [ACKrcvd] id 7 len 10
Sep 28 21:53:22.571: Vi3 IPCP:    Address 192.168.1.1 (0x0306C0A80101)
Sep 28 21:53:22.575: Vi3 IPCP: I CONFREQ [ACKrcvd] id 8 len 10
Sep 28 21:53:22.575: Vi3 IPCP:    Address 192.168.1.1 (0x0306C0A80101)
Sep 28 21:53:22.575: Vi3 IPCP: O CONFACK [ACKrcvd] id 8 len 10
Sep 28 21:53:22.575: Vi3 IPCP:    Address 192.168.1.1 (0x0306C0A80101)
Sep 28 21:53:22.575: Vi3 IPCP: State is Open
Sep 28 21:53:22.575: AAA/AUTHOR: Processing PerUser AV inacl
Sep 28 21:53:22.583: Vi3 IPCP: Install route to 192.168.1.1
Sep 28 21:53:22.583: Vi3 IPCP: Add link info for cef entry 192.168.1.1
Sep 28 21:53:22.603: RADIUS: Received from id 21645/45 10.66.79.120:1646, 
Accounting-response, len 20
Sep 28 21:53:22.603: RADIUS:  authenticator A6 B3 4C 4C 04 1B BE 8E - 6A 
BF 91 E2 3C 01 3E CA
Sep 28 21:53:23.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 Virtual-Access3, changed state to up
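
The "message code bytes 9 and 10" rule above is the control message type field of the RFC 2637 control header (length, PPTP message type, magic cookie 0x1A2B3C4D, control message type, reserved). The Python sketch below is an added example, not part of the original Cisco document: it parses that header and the fixed-size fields that follow it for SCCRQ, OCRQ and Set-Link-Info (SLI), and tolerates the dumps this page shows cut off with "...". The three hex strings are copied from the debug output above; the function and dictionary names are this example's own.

```python
import struct

MAGIC_COOKIE = 0x1A2B3C4D  # constant in every PPTP control message (RFC 2637)
CONTROL_MESSAGES = {
    1: "SCCRQ", 2: "SCCRP", 3: "Stop-Control-Connection-Request",
    4: "Stop-Control-Connection-Reply", 5: "Echo-Request", 6: "Echo-Reply",
    7: "OCRQ", 8: "OCRP", 9: "Incoming-Call-Request",
    10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "SLI",  # SLI = Set-Link-Info
}
# Fixed-size fields after the 12-byte header, keyed by control message type.
BODY_FIELDS = {
    1: [("protocol_version", "H"), ("reserved1", "H"), ("framing_caps", "I"),
        ("bearer_caps", "I"), ("max_channels", "H"), ("firmware_rev", "H")],
    7: [("call_id", "H"), ("serial_num", "H"), ("min_bps", "I"),
        ("max_bps", "I"), ("bearer_type", "I"), ("framing_type", "I"),
        ("recv_win_size", "H"), ("ppd", "H")],
    15: [("peer_call_id", "H"), ("reserved1", "H"),
         ("send_accm", "I"), ("recv_accm", "I")],
}

# Hex dumps copied from the debug output above; "..." marks a truncated dump.
SCCRQ_HEX = "009C00011A2B3C4D0001000001000000000000010000..."
OCRQ_HEX = "00A800011A2B3C4D0007000080007C0E0000012C05F5..."
SLI_HEX = "001800011A2B3C4D000F000000170000FFFFFFFFFFFFFFFF"


def parse_pptp_control(hex_dump):
    """Decode the header and every body field that fits in the captured bytes."""
    truncated = hex_dump.rstrip().endswith("...")
    raw = bytes.fromhex(hex_dump.strip().rstrip("."))
    if len(raw) < 12:
        raise ValueError("need at least the 12-byte PPTP control header")
    length, msg_type, cookie, ctrl_type, _reserved0 = struct.unpack("!HHIHH", raw[:12])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08X" % cookie)
    if msg_type != 1:
        raise ValueError("PPTP message type %d is not a control message" % msg_type)
    if len(raw) > length or (not truncated and len(raw) != length):
        raise ValueError("length field %d does not match %d bytes" % (length, len(raw)))
    msg = {"length": length, "control_type": ctrl_type,
           "name": CONTROL_MESSAGES.get(ctrl_type, "unknown"),
           "truncated": truncated, "fields": {}}
    offset = 12
    for field, code in BODY_FIELDS.get(ctrl_type, []):
        size = struct.calcsize("!" + code)
        if offset + size > len(raw):
            break  # this field was cut off by the truncated dump
        (msg["fields"][field],) = struct.unpack_from("!" + code, raw, offset)
        offset += size
    return msg


if __name__ == "__main__":
    for dump in (SCCRQ_HEX, OCRQ_HEX, SLI_HEX):
        print(parse_pptp_control(dump))
```

The decoded values line up with the router's own rendering in the debug: protocol version 0x100, framing caps 1, call id 32768, serial num 31758 and min bps 300.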



Document ID: 5433