IP: Layer 2 Tunneling Protocol (L2TP)

How to Configure Layer 2 Tunneling Protocol Authentication with TACACS+

October 27, 2016 - Machine Translation

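Introduction

This document describes how to configure Layer 2 Tunneling Protocol (L2TP) with TACACS+. It includes sample configurations for the L2TP Access Concentrator (LAC) TACACS+ server, the L2TP Network Server (LNS) TACACS+ server, and the routers.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Two Cisco 2511 routers

  • Cisco IOS Software Release 12.0(2).T

  • Cisco Secure UNIX, Cisco Secure Windows, or TACACS+ freeware

The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section provides information on how to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in this diagram.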

/image/gif/paws/13858/l2tptac.gif

TACACS+ Server Configurations

LAC Configuration - Cisco Secure UNIX

# ./ViewProfile -p 9900 -u rtp.cisco.com
user = rtp.cisco.com{
service=ppp { 
protocol=vpdn { 
set tunnel-type=l2tp 
set tunnel-id=rtp_tunnel 
set ip-addresses="10.31.1.56" 
} 
} 

} 

# ./ViewProfile -p 9900 -u rtp_tunnel
user = rtp_tunnel{
password = chap "FGHIJ" 
service=ppp {
protocol=lcp {
} 
protocol=ip {
} 
} 

} 

LNS Configuration - Cisco Secure UNIX

# ./ViewProfile -p 9900 -u janedoe@rtp.cisco.com
user = janedoe@rtp.cisco.com{
password = chap "rtprules" 
service=ppp {
protocol=lcp {
} 
protocol=ip {
} 
} 

}
# ./ViewProfile -p 9900 -u ABCDE
user = ABCDE{
password = chap "FGHIJ" 
service=ppp {
protocol=lcp {
} 
protocol=ip {
}
}

}

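LAC Configuration - Cisco Secure Windows

Complete these steps to configure the LAC on Cisco Secure Windows:

  1. Set up the user rtp_tunnel as a normal PPP user (password and/or CHAP password in User Setup).

  2. Put the user in group_1 and check the PPP/IP service. Check PPP/LCP if that box is displayed.

  3. Set up the user rtp.cisco.com. The password is a "do not care".

  4. If some options are not displayed in Group Settings, go to Interface Configuration and check the corresponding boxes to display them.

  5. Put the user in group_2 and check the PPP/VPDN service. The tunnel-id is rtp_tunnel, the ip address list is 10.31.1.56, and in the rectangular custom attributes box below, type tunnel type=l2tp.

LNS Configuration - Cisco Secure Windows

Complete these steps to configure the LNS on Cisco Secure Windows:

  1. Set up the users "ABCDE" and "janedoe@rtp.cisco.com" as normal PPP users (password and/or CHAP password in User Setup).

  2. Put the users in group_3 and check the PPP/IP service. Check PPP/LCP if that box is displayed.

LAC TACACS+ Freeware Configuration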

user = rtp.cisco.com {
service = ppp protocol = vpdn {
tunnel-type = l2tp
tunnel-id = rtp_tunnel
ip-addresses = "10.31.1.56"
}
}

user = rtp_tunnel {
chap = cleartext "FGHIJ"
service = ppp protocol = ip {
default attribute = permit
}
}

LNS TACACS+ Freeware Configuration

key = "cisco"

user = janedoe@rtp.cisco.com {
chap = cleartext "rtprules"
service = ppp protocol = ip {
default attribute = permit
}
}

user = ABCDE {
chap = cleartext "FGHIJ"
service = ppp protocol = ip {
default attribute = permit
}
}

Router Configurations

LAC Router Configuration
version 12.0
service timestamps debug datetime
service timestamps log uptime
no service password-encryption
!
hostname LAC
!
aaa new-model
aaa authentication ppp default if-needed tacacs+
aaa authorization network default tacacs+
aaa accounting network default start-stop tacacs+
enable secret level 7 5 $1$Dj3K$9jkyuJR6fJV2JO./Qt0lC1
enable password ww
!
username john password 0 doe
ip subnet-zero
no ip domain-lookup
! 
vpdn enable
!
vpdn search-order domain 
!
interface Loopback0
no ip address
no ip directed-broadcast
!
interface Ethernet0
ip address 10.31.1.144 255.255.255.0
no ip directed-broadcast
!
interface Serial0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
interface Async1
ip unnumbered Ethernet0
no ip directed-broadcast
ip tcp header-compression passive
encapsulation ppp
async mode dedicated
peer default ip address pool default
ppp authentication chap
!
ip local pool default 10.5.5.5 10.5.5.50
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
tacacs-server host 171.68.118.106
tacacs-server key cisco
! 
line con 0
transport input none
line 1
exec-timeout 0 0
autoselect during-login
autoselect ppp
modem Dialin
transport preferred none
transport output none
speed 38400
flowcontrol hardware
line 2 16
modem InOut
transport input all
speed 38400
flowcontrol hardware
line aux 0
line vty 0 4
password WW
!
end

LNS Router Configuration
version 12.0
service timestamps debug datetime
service timestamps log uptime
no service password-encryption
!
hostname LNS
!
aaa new-model
aaa authentication ppp default if-needed tacacs+
aaa authorization network default tacacs+
aaa accounting network default start-stop tacacs+
enable secret 5 $1$wfMI$ixUG9hw7yhmsv.87.krpZ1
enable password WW
!
username john password 0 doe
ip subnet-zero
no ip domain-lookup

! 
vpdn enable
!
vpdn-group 1
accept dialin l2tp virtual-template 1 remote rtp_tunnel
local name ABCDE
!
interface Ethernet0
ip address 10.31.1.56 255.255.255.0
no ip directed-broadcast
!
interface Virtual-Template1
ip unnumbered Ethernet0
no ip directed-broadcast
peer default ip address pool default
ppp authentication chap
!
interface Serial0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
interface Async1
ip unnumbered Ethernet0
no ip directed-broadcast
ip tcp header-compression passive
encapsulation ppp
async mode dedicated
peer default ip address pool setup_pool
ppp authentication chap pap
!
!
!
!
ip local pool default 10.6.1.1 10.6.1.2
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
tacacs-server host 171.68.118.101
tacacs-server key cisco
!
line con 0
transport input none
line 1 8 
autoselect during-login
autoselect ppp
modem Dialin
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
password WW
!
end
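
The tunnel only comes up when the LAC server profile, the LNS server profile and the LNS vpdn-group agree on the tunnel name, the LNS address and the CHAP secret. The following cross-check is an added example, not part of the original Cisco document; its parser handles only the freeware syntax subset shown above, and the function names are hypothetical.

```python
import re

# Constructed inputs: the TACACS+ freeware profiles and LNS router lines shown
# on this page, trimmed to the statements the cross-check reads.
LAC_USERS = """
user = rtp.cisco.com {
service = ppp protocol = vpdn {
tunnel-type = l2tp
tunnel-id = rtp_tunnel
ip-addresses = "10.31.1.56"
}
}
user = rtp_tunnel {
chap = cleartext "FGHIJ"
}
"""
LNS_USERS = """
user = ABCDE {
chap = cleartext "FGHIJ"
}
"""
LNS_ROUTER = """
vpdn-group 1
accept dialin l2tp virtual-template 1 remote rtp_tunnel
local name ABCDE
interface Ethernet0
ip address 10.31.1.56 255.255.255.0
"""


def parse_users(text):
    """Parse the 'user = name { key = value }' subset used above into a dict."""
    users, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        start = re.match(r'user\s*=\s*(\S+?)\s*\{$', line)
        if start and depth == 0:
            current, depth = users.setdefault(start.group(1), {}), 1
            continue
        if current is None:
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:  # closing brace of the user block
            current = None
            continue
        chap = re.match(r'chap\s*=\s*cleartext\s+"([^"]*)"$', line)
        attr = re.match(r'([\w-]+)\s*=\s*"?([^"{]+?)"?$', line)
        if chap:
            current["chap"] = chap.group(1)
        elif attr:
            current[attr.group(1)] = attr.group(2)
    return users


def parse_lns_router(text):
    """Extract the vpdn-group names and interface addresses from LNS config text."""
    remote = re.search(
        r"^\s*accept dialin l2tp virtual-template \d+ remote (\S+)", text, re.M)
    local = re.search(r"^\s*local name (\S+)", text, re.M)
    return {
        "remote": remote.group(1) if remote else None,
        "local": local.group(1) if local else None,
        "addresses": re.findall(r"^\s*ip address (\d+(?:\.\d+){3}) ", text, re.M),
    }


def cross_check(lac_users, lns_users, router, domain):
    """Return the mismatches that would stop the tunnel for `domain`."""
    profile = lac_users.get(domain, {})
    tunnel_id = profile.get("tunnel-id")
    if tunnel_id is None:
        return [f"LAC server: no vpdn profile with tunnel-id for {domain}"]
    problems = []
    if profile.get("tunnel-type") != "l2tp":
        problems.append("LAC server: tunnel-type is not l2tp")
    if tunnel_id != router["remote"]:
        problems.append(f"tunnel-id {tunnel_id} is not the LNS 'remote' name "
                        f"{router['remote']} (LNS logs 'Never heard of {tunnel_id}')")
    if profile.get("ip-addresses") not in router["addresses"]:
        problems.append(f"ip-addresses {profile.get('ip-addresses')} is not an LNS "
                        "interface address (LAC forwards and the call drops)")
    lac_secret = lac_users.get(tunnel_id, {}).get("chap")
    lns_secret = lns_users.get(router["local"], {}).get("chap")
    if lac_secret is None:
        problems.append(f"LAC server: no CHAP secret for user {tunnel_id}")
    if lns_secret is None:
        problems.append(f"LNS server: no CHAP secret for user {router['local']}")
    if None not in (lac_secret, lns_secret) and lac_secret != lns_secret:
        # The secrets are compared, never written to the report.
        problems.append(f"CHAP secrets for {tunnel_id} and {router['local']} differ "
                        "(LAC logs 'Tunnel Authentication fails')")
    return problems


if __name__ == "__main__":
    lac, lns = parse_users(LAC_USERS), parse_users(LNS_USERS)
    report = cross_check(lac, lns, parse_lns_router(LNS_ROUTER), "rtp.cisco.com")
    print("\n".join(report) or "consistent")
```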

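Verify

show Command Output from Both Routers

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use this tool to view an analysis of show command output.

LAC Router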

LAC#show vpdn session
L2TP Session Information (Total tunnels=1 sessions=1)

LocID RemID TunID Intf Username State Last Chg
1 1 76 As1 janedoe@rtp.c est 00:00:32

% No active L2F tunnels

LAC#show vpdn tunnel

L2TP Tunnel Information (Total tunnels=1 sessions=1)

LocID RemID Remote Name State Remote Address Port Sessions
76 58 ABCDE est 10.31.1.56 1701 1 

% No active L2F tunnels

LNS Router

LNS#show vpdn session

L2TP Session Information (Total tunnels=1 sessions=1)

LocID RemID TunID Intf Username State Last Chg
1 1 58 Vi1 janedoe@rtp.c est 00:01:55

% No active L2F tunnels

LNS#show vpdn tunnel 

L2TP Tunnel Information (Total tunnels=1 sessions=1)

LocID RemID Remote Name State Remote Address Port Sessions
58 76 rtp_tunnel est 10.31.1.144 1701 1 

% No active L2F tunnels

show version Output from Both Routers

LAC#show version
Cisco Internetwork Operating System Software 
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(2)T, RELEASE SOFTWARE (fc1) 
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Wed 09-Dec-98 02:31 by dschwart
Image text-base: 0x030403B0, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

LAC uptime is 20 hours, 22 minutes
System restarted by reload at 16:13:55 UTC Fri Jan 29 1999
System image file is "flash:c2500-is-l.120-2.T"

cisco 2511 (68030) processor (revision M) with 14336K/2048K bytes of memory.
Processor board ID 07041186, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
16 terminal line(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2102

What Can Go Wrong - Bad Debug from the LAC

This debug output includes comments on where the sequence stops when the router is misconfigured.

LAC#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
L2X protocol events debugging is on
L2X protocol errors debugging is on
VPDN events debugging is on
VPDN errors debugging is on
VTEMPLATE:
Virtual Template debugging is on
LAC#
Jan 30 12:17:09: As1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
20:03:18: %LINK-3-UPDOWN: Interface Async1, changed state to up
Jan 30 12:17:09: As1 VPDN: Looking for tunnel -- rtp.cisco.com --
Jan 30 12:17:09: AAA: parse name=Async1 idb type=10 tty=1
Jan 30 12:17:09: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 adapter=0 
                port=1 channel=0
Jan 30 12:17:09: AAA/AUTHEN: create_user (0x278B90) user='rtp.cisco.com' 
                 ruser='' port='Async1' 
rem_addr='' authen_type=NONE service=LOGIN priv=0
Jan 30 12:17:09: AAA/AUTHOR/VPDN (898425447): Port='Async1' 
                 list='default' service=NET
Jan 30 12:17:09: AAA/AUTHOR/VPDN: (898425447) user='rtp.cisco.com'
Jan 30 12:17:09: AAA/AUTHOR/VPDN: (898425447) send AV service=ppp
Jan 30 12:17:09: AAA/AUTHOR/VPDN: (898425447) send AV protocol=vpdn
Jan 30 12:17:09: AAA/AUTHOR/VPDN (898425447) found list "default"
Jan 30 12:17:09: AAA/AUTHOR/VPDN: (898425447) Method=TACACS+
Jan 30 12:17:09: AAA/AUTHOR/TAC+: (898425447): user=rtp.cisco.com
Jan 30 12:17:09: AAA/AUTHOR/TAC+: (898425447): send AV service=ppp
Jan 30 12:17:09: AAA/AUTHOR/TAC+: (898425447): send AV protocol=vpdn
Jan 30 12:17:09: TAC+: (898425447): received author response status = PASS_ADD
Jan 30 12:17:09: AAA/AUTHOR (898425447): Post authorization status = PASS_ADD
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV service=ppp
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV protocol=vpdn
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV tunnel-type=l2tp
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV tunnel-id=rtp_tunnel

!--- If the wrong tunnel termination IP address 
!--- is in the profile:

Jan 30 12:56:30: AAA/AUTHOR/VPDN: Processing AV ip-addresses=1.1.1.1
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV ip-addresses=10.31.1.56
Jan 30 12:17:09: As1 VPDN: Get tunnel info for rtp.cisco.com with LAC 
                 rtp_tunnel, IP 10.31.1.56
Jan 30 12:17:09: AAA/AUTHEN: free_user (0x278B90) user='rtp.cisco.com' 
                 ruser='' port='Async1' 
rem_addr='' authen_type=NONE service=LOGIN priv=0

!--- If the wrong tunnel termination IP 
!--- address is in the profile:

Jan 30 12:56:30: As1 VPDN: Forward to address 1.1.1.1

!--- The connection eventually drops on this end and no 
!--- debug is seen on the other end.

Jan 30 12:17:09: As1 VPDN: Forward to address 10.31.1.56
Jan 30 12:17:09: As1 VPDN: Forwarding...
Jan 30 12:17:09: AAA: parse name=Async1 idb type=10 tty=1
Jan 30 12:17:09: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 
                  adapter=0 port=1 channel=0
Jan 30 12:17:09: AAA/AUTHEN: create_user (0x22CDEC) 
                 user='janedoe@rtp.cisco.com' ruser='' 
port='Async1' rem_addr='async' authen_type=CHAP  service=PPP priv=1
Jan 30 12:17:09: As1 VPDN: Bind interface direction=1
Jan 30 12:17:09: Tnl/Cl 74/1 L2TP: Session FS enabled
Jan 30 12:17:09: Tnl/Cl 74/1 L2TP: Session state change from idle to 
                  wait-for-tunnel
Jan 30 12:17:09: As1 74/1 L2TP: Create session
Jan 30 12:17:09: Tnl 74 L2TP: SM State idle
Jan 30 12:17:09: Tnl 74 L2TP: O SCCRQ 
Jan 30 12:17:09: Tnl 74 L2TP: Tunnel state change from idle to wait-ctl-reply
Jan 30 12:17:09: Tnl 74 L2TP: SM State wait-ctl-reply
Jan 30 12:17:09: As1 VPDN: janedoe@rtp.cisco.com is forwarded
Jan 30 12:17:10: Tnl 74 L2TP: I SCCRP from ABCDE
Jan 30 12:17:10: Tnl 74 L2TP: Got a challenge from remote peer, ABCDE
Jan 30 12:17:10: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:10: AAA/AUTHEN: create_user (0x23232C) user='rtp_tunnel' 
                 ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: AAA/AUTHEN/START (1598999635): port='' list='default' 
                  action=SENDAUTH service=PPP
Jan 30 12:17:10: AAA/AUTHEN/START (1598999635): found list default
Jan 30 12:17:10: AAA/AUTHEN (1598999635): status = UNKNOWN
Jan 30 12:17:10: AAA/AUTHEN/START (1598999635): Method=TACACS+
Jan 30 12:17:10: TAC+: send AUTHEN/START packet ver=193 id=1598999635
Jan 30 12:17:10: TAC+: ver=192 id=1598999635 received AUTHEN status = ERROR
Jan 30 12:17:10: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:10: AAA/AUTHEN: create_user (0x232470) user='rtp_tunnel' 
                 ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: TAC+: ver=192 id=3400389836 received AUTHEN status = PASS
Jan 30 12:17:10: AAA/AUTHEN: free_user (0x232470) user='rtp_tunnel' ruser='' 
                 port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: AAA/AUTHEN (1598999635): status = PASS
Jan 30 12:17:10: AAA/AUTHEN: free_user (0x23232C) user='rtp_tunnel' 
                 ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1


!--- Change the CHAP passwords. The password rtp_tunnel 
!--- in the LAC TACACS+ users' file does not match the 
!--- password for "local name ABCDE" from the router 
!--- in the LNS TACACS+ users' file:

Jan 30 13:24:23: Tnl 88 L2TP: Tunnel Authentication fails for ABCDE
Jan 30 13:24:23: Tnl 88 L2TP: Expected 7C959CA96C1E4AAA68BB3D481249488B
Jan 30 13:24:23: Tnl 88 L2TP: Got E4118FB4C8C4467EA4BF8872276C20B2

Jan 30 12:17:10: Tnl 74 L2TP: Got a response from remote peer, ABCDE
Jan 30 12:17:10: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:10: AAA/AUTHEN: create_user (0x22FBA4) user='rtp_tunnel' 
                 ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: AAA/AUTHEN/START (2964849625): port='' list='default' 
                 action=SENDAUTH service=PPP
Jan 30 12:17:10: AAA/AUTHEN/START (2964849625): found list default
Jan 30 12:17:10: AAA/AUTHEN (2964849625): status = UNKNOWN
Jan 30 12:17:10: AAA/AUTHEN/START (2964849625): Method=TACACS+
Jan 30 12:17:10: TAC+: send AUTHEN/START packet ver=193 id=2964849625
20:03:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, 
           changed state to up
Jan 30 12:17:11: TAC+: ver=192 id=2964849625 received AUTHEN status = ERROR
Jan 30 12:17:11: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:11: AAA/AUTHEN: create_user (0x22FC8C) user='rtp_tunnel' 
                  ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: As1 74/1 L2TP: Discarding data packet because tunnel is not open
Jan 30 12:17:11: As1 74/1 L2TP: Discarding data packet because tunnel is not open
Jan 30 12:17:11: TAC+: ver=192 id=1474818051 received AUTHEN status = PASS
Jan 30 12:17:11: AAA/AUTHEN: free_user (0x22FC8C) user='rtp_tunnel' ruser=''
                 port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: AAA/AUTHEN (2964849625): status = PASS
Jan 30 12:17:11: AAA/AUTHEN: free_user (0x22FBA4) user='rtp_tunnel' ruser='' 
                  port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: Tnl 74 L2TP: Tunnel Authentication success
Jan 30 12:17:11: Tnl 74 L2TP: Tunnel state change from wait-ctl-reply to 
                 established
Jan 30 12:17:11: Tnl 74 L2TP: O SCCCN to ABCDE tnlid 56
Jan 30 12:17:11: Tnl 74 L2TP: SM State established
Jan 30 12:17:11: As1 74/1 L2TP: O ICRQ to ABCDE 56/0
Jan 30 12:17:11: As1 74/1 L2TP: Session state change from wait-for-tunnel 
                 to wait-reply
Jan 30 12:17:11: Tnl 74 L2TP: Dropping old CM, Ns 0, expected 1
Jan 30 12:17:11: As1 74/1 L2TP: O ICCN to ABCDE 56/1
Jan 30 12:17:11: As1 74/1 L2TP: Session state change from wait-reply to 
                 established
LAC#
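
The "Expected" and "Got" values in the failed tunnel authentication above are two 16-octet MD5 digests: L2TP tunnel authentication (RFC 2661) is a CHAP-style exchange in which each response is the MD5 of the message type octet, the shared secret and the peer's challenge. The following model of that exchange is an added example, not code from the original document; it assumes one secret per side (the rtp_tunnel secret on the LAC, the ABCDE secret on the LNS), and the function names and the `rng` parameter are hypothetical.

```python
import hashlib
import hmac
import os

SCCRP, SCCCN = 2, 3  # L2TP message types that carry a Challenge Response AVP


def challenge_response(msg_type, secret, challenge):
    """RFC 2661 CHAP-style response: MD5(message type octet + secret + challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def tunnel_handshake(lac_secret, lns_secret, rng=os.urandom):
    """Walk SCCRQ -> SCCRP -> SCCCN with each side's own copy of the secret.

    Returns (outcome, events). `rng` is a hook for deterministic tests.
    """
    events = ["LAC: O SCCRQ (Challenge)"]
    lac_challenge = rng(16)

    # The LNS proves knowledge of the secret and challenges the LAC in return.
    lns_answer = challenge_response(SCCRP, lns_secret, lac_challenge)
    lns_challenge = rng(16)
    events.append("LNS: O SCCRP (Challenge Response, Challenge)")

    # The LAC recomputes the response with its own secret and compares.
    expected = challenge_response(SCCRP, lac_secret, lac_challenge)
    if not hmac.compare_digest(expected, lns_answer):
        events.append("LAC: Tunnel Authentication fails, Expected %s Got %s"
                      % (expected.hex().upper(), lns_answer.hex().upper()))
        return "lac-rejects-lns", events

    lac_answer = challenge_response(SCCCN, lac_secret, lns_challenge)
    events.append("LAC: O SCCCN (Challenge Response)")

    # The LNS performs the same check on the SCCCN. With one secret per side a
    # mismatch is always caught by the LAC first, so this branch is never taken
    # in this model; it is kept because the LNS does this check on the wire.
    expected = challenge_response(SCCCN, lns_secret, lns_challenge)
    if not hmac.compare_digest(expected, lac_answer):
        events.append("LNS: Tunnel Authentication fails")
        return "lns-rejects-lac", events

    events.append("LAC and LNS: Tunnel Authentication success")
    return "established", events


if __name__ == "__main__":
    # Matching secrets, then the mismatch described in the debug comments above.
    for lns_secret in (b"FGHIJ", b"not-FGHIJ"):
        outcome, events = tunnel_handshake(b"FGHIJ", lns_secret)
        print(outcome)
        for event in events:
            print("  " + event)
```

Because the LAC verifies the LNS response first, a secret mismatch surfaces on the LAC as a failure for the LNS name, which is where the debug above reports it.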

What Can Go Wrong - Bad Debug from the LNS

This debug output includes comments on where the sequence stops when the router is misconfigured.

LNS#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
L2X protocol events debugging is on
L2X protocol errors debugging is on
VPDN events debugging is on
VPDN errors debugging is on
VTEMPLATE:
Virtual Template debugging is on
LNS#
Jan 30 12:17:09: L2TP: I SCCRQ from rtp_tunnel tnl 74
Jan 30 12:17:09: Tnl 56 L2TP: New tunnel created for remote rtp_tunnel, 
address 10.31.1.144


!--- Instead of the LAC sending the "rtp_tunnel" 
!--- (see the user profile on the TACACS+ server), it sends "junk".
!--- We are expecting "rtp_tunnel" as in "accept dialin l2tp 
!--- virtual-template 1 remote rtp_tunnel" in this configuration:

Jan 30 13:05:16: L2TP: I SCCRQ from junk tnl 81
Jan 30 13:05:16: L2X: Never heard of junk
Jan 30 13:05:16: L2TP: Could not find info block for junk
Jan 30 12:17:09: Tnl 56 L2TP: Got a challenge in SCCRQ, rtp_tunnel
Jan 30 12:17:09: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:09: AAA/AUTHEN: create_user (0x21F6D0) user='ABCDE' 
                 ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:09: AAA/AUTHEN/START (3194595626): port='' list='default' 
                 action=SENDAUTH service=PPP
Jan 30 12:17:09: AAA/AUTHEN/START (3194595626): found list default
Jan 30 12:17:09: AAA/AUTHEN (3194595626): status = UNKNOWN
Jan 30 12:17:09: AAA/AUTHEN/START (3194595626): Method=TACACS+
Jan 30 12:17:09: TAC+: send AUTHEN/START packet ver=193 id=3194595626
Jan 30 12:17:09: TAC+: ver=192 id=3194595626 received AUTHEN status = ERROR
Jan 30 12:17:09: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:09: AAA/AUTHEN: create_user (0x2281AC) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:09: TAC+: ver=192 id=3639011179 received AUTHEN status = PASS
Jan 30 12:17:09: AAA/AUTHEN: free_user (0x2281AC) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:09: AAA/AUTHEN (3194595626): status = PASS
Jan 30 12:17:09: AAA/AUTHEN: free_user (0x21F6D0) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:09: Tnl 56 L2TP: O SCCRP to rtp_tunnel tnlid 74
Jan 30 12:17:09: Tnl 56 L2TP: Tunnel state change from idle to wait-ctl-reply
Jan 30 12:17:10: Tnl 56 L2TP: O Resend SCCRP, flg TLF, ver 2, len 152, 
                 tnl 74, cl 0, ns 0, nr 1
Jan 30 12:17:10: Tnl 56 L2TP: I SCCCN from rtp_tunnel tnl 74
Jan 30 12:17:10: Tnl 56 L2TP: Got a Challenge Response in SCCCN from rtp_tunnel
Jan 30 12:17:10: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:10: AAA/AUTHEN: create_user (0x227F3C) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: AAA/AUTHEN/STARTTranslating "rtp.cisco.com"
(4117701992): port='' list='default' action=SENDAUTH service=PPP
Jan 30 12:17:10: AAA/AUTHEN/START (4117701992): found list default
Jan 30 12:17:10: AAA/AUTHEN (4117701992): status = UNKNOWN
Jan 30 12:17:10: AAA/AUTHEN/START (4117701992): Method=TACACS+
Jan 30 12:17:10: TAC+: send AUTHEN/START packet ver=193 id=4117701992
Jan 30 12:17:11: TAC+: ver=192 id=4117701992 received AUTHEN status = ERROR
Jan 30 12:17:11: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:11: AAA/AUTHEN: create_user (0x228E68) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: TAC+: ver=192 id=2827432721 received AUTHEN status = PASS
Jan 30 12:17:11: AAA/AUTHEN: free_user (0x228E68) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: AAA/AUTHEN (4117701992): status = PASS
Jan 30 12:17:11: AAA/AUTHEN: free_user (0x227F3C) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: Tnl 56 L2TP: Tunnel Authentication success
Jan 30 12:17:11: Tnl 56 L2TP: Tunnel state change from wait-ctl-reply 
                 to established
Jan 30 12:17:11: Tnl 56 L2TP: SM State established
Jan 30 12:17:11: Tnl 56 L2TP: I ICRQ from rtp_tunnel tnl 74
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: Session FS enabled
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: Session state change from idle to 
                 wait-for-tunnel
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: New session created
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: O ICRP to rtp_tunnel 74/1
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: Session state change from wait-for-tunnel 
                 to wait-connect
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: I ICCN from rtp_tunnel tnl 74, cl 1
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: Session state change from wait-connect 
                  to established
Jan 30 12:17:11: Vi1 VTEMPLATE: Reuse Vi1, recycle queue size 0
Jan 30 12:17:11: Vi1 VTEMPLATE: Hardware address 00e0.1e68.942c
Jan 30 12:17:11: Vi1 VPDN: Virtual interface created for janedoe@rtp.cisco.com
Jan 30 12:17:11: Vi1 VPDN: Set to Async interface
Jan 30 12:17:11: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
Jan 30 12:17:11: Vi1 VTEMPLATE: Has a new cloneblk vtemplate, now it has 
                 vtemplate
Jan 30 12:17:11: Vi1 VTEMPLATE: ************* CLONE VACCESS1 *****************
Jan 30 12:17:11: Vi1 VTEMPLATE: Clone from Virtual-Template1
interface Virtual-Access1
default ip address
no ip address
encap ppp
ip unnumbered Ethernet0
peer default ip address pool default
ppp authentication chap
ip unnum ethernet0
peer def ip address pool default
ppp authen chap
end

Jan 30 12:17:12: janedoe@rtp.cisco.com 56/1 L2TP: Session with no hwidb
20:12:14: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 30 12:17:13: Vi1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Jan 30 12:17:13: Vi1 VPDN: Bind interface direction=2
Jan 30 12:17:13: Vi1 VPDN: PPP LCP accepted rcv CONFACK
Jan 30 12:17:13: Vi1 VPDN: PPP LCP accepted sent CONFACK
Jan 30 12:17:13: Vi1 L2X: Discarding packet because of no mid/session
Jan 30 12:17:13: AAA: parse name=Virtual-Access1 idb type=21 tty=-1
Jan 30 12:17:13: AAA: name=Virtual-Access1 flags=0x11 type=5 shelf=0 slot=0 
adapter=0 port=1 channel=0
Jan 30 12:17:13: AAA/AUTHEN: create_user (0x1F5100) user='janedoe@rtp.cisco.com' 
ruser='' port='Virtual-Access1' rem_addr='' authen_type=CHAP
service=PPP priv=1
Jan 30 12:17:13: AAA/AUTHEN/START (562517969): port='Virtual-Access1' list='' 
action=LOGIN service=PPP
Jan 30 12:17:13: AAA/AUTHEN/START (562517969): using "default" list
Jan 30 12:17:13: AAA/AUTHEN (562517969): status = UNKNOWN
Jan 30 12:17:13: AAA/AUTHEN/START (562517969): Method=TACACS+
Jan 30 12:17:13: TAC+: send AUTHEN/START packet ver=193 id=562517969
Jan 30 12:17:14: TAC+: ver=192 id=562517969 received AUTHEN status = GETPASS
Jan 30 12:17:14: AAA: parse name=Virtual-Access1 idb type=-1 tty=-1
Jan 30 12:17:14: AAA: name=Virtual-Access1 flags=0x11 type=6 shelf=0 slot=0 
adapter=0 port=1 channel=0
Jan 30 12:17:14: AAA/AUTHEN: create_user (0x1F5270) user='janedoe@rtp.cisco.com' 
ruser='' port='Virtual-Access1' rem_addr='' authen_type=CHAP
service=PPP priv=1
Jan 30 12:17:14: TAC+: ver=192 id=2384902384 received AUTHEN status = PASS
Jan 30 12:17:14: AAA/AUTHEN: free_user (0x1F5270) user='janedoe@rtp.cisco.com' 
ruser='' port='Virtual-Access1' rem_addr='' authen_type=CHAP
service=PPP priv=1


!--- Here, the tunnel is ok, but the user 
!--- enters a bad password in dialing:

Jan 30 13:39:44: AAA/AUTHEN (1958732267): status = FAIL
21:34:45: %VPDN-6-AUTHENFAIL: L2F HGW 10.31.1.144, AAA authentication
            failure for Vi1 user 
janedoe@rtp.cisco.com; Authentication failure
Jan 30 12:17:14: AAA/AUTHEN (562517969): status = PASS
Jan 30 12:17:14: Vi1 AAA/AUTHOR/LCP: Authorize LCP
Jan 30 12:17:14: AAA/AUTHOR/LCP Vi1 (413543389): Port='Virtual-Access1' 
                list='' service=NET
Jan 30 12:17:14: AAA/AUTHOR/LCP: Vi1 (413543389) user='janedoe@rtp.cisco.com'
Jan 30 12:17:14: AAA/AUTHOR/LCP: Vi1 (413543389) send AV service=ppp
Jan 30 12:17:14: AAA/AUTHOR/LCP: Vi1 (413543389) send AV protocol=lcp
Jan 30 12:17:14: AAA/AUTHOR/LCP (413543389) found list "default"
Jan 30 12:17:14: AAA/AUTHOR/LCP: Vi1 (413543389) Method=TACACS+
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (413543389): user=janedoe@rtp.cisco.com
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (413543389): send AV service=ppp
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (413543389): send AV protocol=lcp
Jan 30 12:17:14: TAC+: (413543389): received author response status = PASS_ADD
Jan 30 12:17:14: AAA/AUTHOR (413543389): Post authorization status = PASS_ADD
Jan 30 12:17:14: AAA/ACCT/NET/START User janedoe@rtp.cisco.com, Port 
                 Virtual-Access1, List ""
Jan 30 12:17:14: AAA/ACCT/NET: Found list "default"
Jan 30 12:17:14: Vi1 AAA/AUTHOR/FSM: (0): Can we start IPCP?
Jan 30 12:17:14: AAA/AUTHOR/FSM Vi1 (1358526470): Port='Virtual-Access1' 
                 list='' service=NET
Jan 30 12:17:14: AAA/AUTHOR/FSM: Vi1 (1358526470) user='janedoe@rtp.cisco.com'
Jan 30 12:17:14: AAA/AUTHOR/FSM: Vi1 (1358526470) send AV service=ppp
Jan 30 12:17:14: AAA/AUTHOR/FSM: Vi1 (1358526470) send AV protocol=ip
Jan 30 12:17:14: AAA/AUTHOR/FSM (1358526470) found list "default"
Jan 30 12:17:14: AAA/AUTHOR/FSM: Vi1 (1358526470) Method=TACACS+
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (1358526470): user=janedoe@rtp.cisco.com
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (1358526470): send AV service=ppp
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (1358526470): send AV protocol=ip
Jan 30 12:17:14: TAC+: (1358526470): received author response status = PASS_ADD
Jan 30 12:17:14: AAA/AUTHOR (1358526470): Post authorization status = PASS_ADD
Jan 30 12:17:14: Vi1 AAA/AUTHOR/FSM: We can start IPCP
Jan 30 12:17:14: TAC+: (1442592025): received acct response status = UNKNOWN
20:12:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, 
            changed state to up
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Processing AV service=ppp
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Authorization succeeded
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, 
                 we want 0.0.0.0
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, 
                 we want 10.6.1.1
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Processing AV service=ppp
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Authorization succeeded
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, 
                 we want 10.6.1.1
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Start. Her address 10.6.1.1, 
                  we want 10.6.1.1
Jan 30 12:17:16: AAA/AUTHOR/IPCP Vi1 (3572380713): Port='Virtual-Access1' 
                 list='' service=NET
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) user='janedoe@rtp.cisco.com'
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) send AV service=ppp
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) send AV protocol=ip
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) send AV addr*10.6.1.1
Jan 30 12:17:16: AAA/AUTHOR/IPCP (3572380713) found list "default"
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) Method=TACACS+
Jan 30 12:17:16: AAA/AUTHOR/TAC+: (3572380713): user=janedoe@rtp.cisco.com
Jan 30 12:17:16: AAA/AUTHOR/TAC+: (3572380713): send AV service=ppp
Jan 30 12:17:16: AAA/AUTHOR/TAC+: (3572380713): send AV protocol=ip
Jan 30 12:17:16: AAA/AUTHOR/TAC+: (3572380713): send AV addr*10.6.1.1
Jan 30 12:17:17: TAC+: (3572380713): received author response status = PASS_ADD
Jan 30 12:17:17: AAA/AUTHOR (3572380713): Post authorization status = PASS_ADD
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Processing AV service=ppp
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Processing AV addr*10.6.1.1
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Authorization succeeded
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Done. Her address 10.6.1.1, 
                 we want 10.6.1.1
LNS#
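
The failure signatures called out in the comments of the two debug captures above can be picked out of collected logs mechanically. The following triage routine is an added example, not part of the original document; the sample lines are quoted from the debug output on this page, while the finding names and the `expected_lns` parameter are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: failure and success lines quoted from the LAC and LNS debug
# output on this page (one of them wrapped), mixed as a log collector might see them.
SAMPLE = """\
Jan 30 12:17:09: As1 VPDN: Forward to address 10.31.1.56
Jan 30 12:56:30: As1 VPDN: Forward to address 1.1.1.1
Jan 30 13:05:16: L2TP: I SCCRQ from junk tnl 81
Jan 30 13:05:16: L2X: Never heard of junk
Jan 30 13:24:23: Tnl 88 L2TP: Tunnel Authentication fails for ABCDE
21:34:45: %VPDN-6-AUTHENFAIL: L2F HGW 10.31.1.144, AAA authentication
            failure for Vi1 user
janedoe@rtp.cisco.com; Authentication failure
Jan 30 12:17:11: Tnl 74 L2TP: Tunnel Authentication success
"""

# A record starts with "Mon DD HH:MM:SS: " or a bare uptime stamp "HH:MM:SS: ".
STAMP = re.compile(r"^(?:[A-Z][a-z]{2} +\d{1,2} )?\d{2}:\d{2}:\d{2}: ")

# Signature -> finding name; group 1 is the tunnel or user name involved.
RULES = [
    ("unknown-tunnel-name", re.compile(r"L2X: Never heard of (\S+)")),
    ("tunnel-secret-mismatch",
     re.compile(r"L2TP: Tunnel Authentication fails for (\S+)")),
    ("user-auth-failure", re.compile(r"%VPDN-6-AUTHENFAIL: .* user (\S+); ")),
]
FORWARD = re.compile(r"VPDN: Forward to address (\d+(?:\.\d+){3})$")


def unwrap(text):
    """Join wrapped continuation lines onto the stamped line they belong to."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!---"):
            continue  # blank line or a document comment inside the capture
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def triage(text, expected_lns):
    """Return (timestamp, finding, subject) for each failure signature found."""
    findings = []
    for record in unwrap(text):
        stamp = STAMP.match(record)
        when = stamp.group(0).rstrip(": ") if stamp else ""
        forward = FORWARD.search(record)
        if forward and forward.group(1) not in expected_lns:
            # The LAC profile points at an address that is not a known LNS.
            findings.append((when, "unexpected-lns-address", forward.group(1)))
        for name, pattern in RULES:
            hit = pattern.search(record)
            if hit:
                findings.append((when, name, hit.group(1)))
    return findings


def summarize(findings):
    """Count findings per (finding, subject), e.g. repeated failures for one user."""
    return Counter((name, subject) for _, name, subject in findings)


if __name__ == "__main__":
    for when, name, subject in triage(SAMPLE, {"10.31.1.56"}):
        print(f"{when:>15}  {name:<24} {subject}")
```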

LNS Accounting Records

These records are located on the LNS TACACS+ server.

Sat Jan 30 05:27:01 1999 10.31.1.56 janedoe@rtp.cisco.com 
Virtual-Access1 unknown 
start task_id=4 start_time=917700054 timezone=UTC service=ppp

Sat Jan 30 05:27:27 1999 10.31.1.56 janedoe@rtp.cisco.com 
Virtual-Access1 unknown 
stop task_id=4 start_time=917700054 timezone=UTC service=ppp
protocol=ip addr=10.6.1.1 disc-cause=2 disc-cause-ext=1011 
pre-bytes-in=0 pre-bytes-out=8 
pre-paks-in=0 pre-paks-out=2 bytes_in=862 bytes_out=142
paks_in=19 paks_out=8 pre-session-time=1 

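Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Note: Refer to Important Information on Debug Commands before you issue debug commands.

  • debug aaa authentication - Displays information on AAA/TACACS+ authentication.

  • debug aaa authorization - Displays information on AAA/TACACS+ authorization.

  • debug aaa accounting - Displays information on accountable events as they occur. The information displayed by this command is independent of the accounting protocol used to transfer the accounting information to a server.

  • debug tacacs+ - Displays detailed debugging information associated with TACACS+.

  • debug vtemplate - Displays cloning information for a virtual access interface from the time it is cloned from a virtual template to the time the virtual access interface comes down when the call ends.

  • debug vpdn error - Displays errors that prevent a PPP tunnel from being established or errors that cause an established tunnel to be closed.

  • debug vpdn events - Displays messages about events that are part of normal PPP tunnel establishment or shutdown.

  • debug vpdn l2x-errors - Displays Layer 2 protocol errors that prevent Layer 2 establishment or prevent its normal operation.

  • debug vpdn l2x-events - Displays messages about events that are part of normal PPP tunnel establishment or shutdown for Layer 2.

Debug Output

Good Debug from the LAC Router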

LAC#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
L2X protocol events debugging is on
L2X protocol errors debugging is on
VPDN events debugging is on
VPDN errors debugging is on
VTEMPLATE:
Virtual Template debugging is on
LAC#
Jan 30 12:17:09: As1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
20:03:18: %LINK-3-UPDOWN: Interface Async1, changed state to up
Jan 30 12:17:09: As1 VPDN: Looking for tunnel -- rtp.cisco.com --
Jan 30 12:17:09: AAA: parse name=Async1 idb type=10 tty=1
Jan 30 12:17:09: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 adapter=0 
port=1 channel=0
Jan 30 12:17:09: AAA/AUTHEN: create_user (0x278B90) user='rtp.cisco.com' 
ruser='' 
port='Async1' rem_addr='' authen_type=NONE service=LOGIN priv=0
Jan 30 12:17:09: AAA/AUTHOR/VPDN (898425447): Port='Async1' list='default' 
service=NET
Jan 30 12:17:09: AAA/AUTHOR/VPDN: (898425447) user='rtp.cisco.com'
Jan 30 12:17:09: AAA/AUTHOR/VPDN: (898425447) send AV service=ppp
Jan 30 12:17:09: AAA/AUTHOR/VPDN: (898425447) send AV protocol=vpdn
Jan 30 12:17:09: AAA/AUTHOR/VPDN (898425447) found list "default"
Jan 30 12:17:09: AAA/AUTHOR/VPDN: (898425447) Method=TACACS+
Jan 30 12:17:09: AAA/AUTHOR/TAC+: (898425447): user=rtp.cisco.com
Jan 30 12:17:09: AAA/AUTHOR/TAC+: (898425447): send AV service=ppp
Jan 30 12:17:09: AAA/AUTHOR/TAC+: (898425447): send AV protocol=vpdn
Jan 30 12:17:09: TAC+: (898425447): received author response status = PASS_ADD
Jan 30 12:17:09: AAA/AUTHOR (898425447): Post authorization status = PASS_ADD
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV service=ppp
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV protocol=vpdn
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV tunnel-type=l2tp
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV tunnel-id=rtp_tunnel
Jan 30 12:17:09: AAA/AUTHOR/VPDN: Processing AV ip-addresses=10.31.1.56
Jan 30 12:17:09: As1 VPDN: Get tunnel info for rtp.cisco.com with LAC 
rtp_tunnel, IP 10.31.1.56
Jan 30 12:17:09: AAA/AUTHEN: free_user (0x278B90) user='rtp.cisco.com' ruser='' 
port='Async1' rem_addr='' authen_type=NONE service=LOGIN priv=0
Jan 30 12:17:09: As1 VPDN: Forward to address 10.31.1.56
Jan 30 12:17:09: As1 VPDN: Forwarding...
Jan 30 12:17:09: AAA: parse name=Async1 idb type=10 tty=1
Jan 30 12:17:09: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 adapter=0 
port=1 channel=0
Jan 30 12:17:09: AAA/AUTHEN: create_user (0x22CDEC) user='janedoe@rtp.cisco.com' 
ruser='' port='Async1' rem_addr='async' authen_type=CHAP
service=PPP priv=1
Jan 30 12:17:09: As1 VPDN: Bind interface direction=1
Jan 30 12:17:09: Tnl/Cl 74/1 L2TP: Session FS enabled
Jan 30 12:17:09: Tnl/Cl 74/1 L2TP: Session state change from idle to 
wait-for-tunnel
Jan 30 12:17:09: As1 74/1 L2TP: Create session
Jan 30 12:17:09: Tnl 74 L2TP: SM State idle
Jan 30 12:17:09: Tnl 74 L2TP: O SCCRQ 
Jan 30 12:17:09: Tnl 74 L2TP: Tunnel state change from idle to wait-ctl-reply
Jan 30 12:17:09: Tnl 74 L2TP: SM State wait-ctl-reply
Jan 30 12:17:09: As1 VPDN: janedoe@rtp.cisco.com is forwarded
Jan 30 12:17:10: Tnl 74 L2TP: I SCCRP from ABCDE
Jan 30 12:17:10: Tnl 74 L2TP: Got a challenge from remote peer, ABCDE
Jan 30 12:17:10: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:10: AAA/AUTHEN: create_user (0x23232C) user='rtp_tunnel' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: AAA/AUTHEN/START (1598999635): port='' list='default' 
action=SENDAUTH service=PPP
Jan 30 12:17:10: AAA/AUTHEN/START (1598999635): found list default
Jan 30 12:17:10: AAA/AUTHEN (1598999635): status = UNKNOWN
Jan 30 12:17:10: AAA/AUTHEN/START (1598999635): Method=TACACS+
Jan 30 12:17:10: TAC+: send AUTHEN/START packet ver=193 id=1598999635
Jan 30 12:17:10: TAC+: ver=192 id=1598999635 received AUTHEN status = ERROR
Jan 30 12:17:10: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:10: AAA/AUTHEN: create_user (0x232470) user='rtp_tunnel' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: TAC+: ver=192 id=3400389836 received AUTHEN status = PASS
Jan 30 12:17:10: AAA/AUTHEN: free_user (0x232470) user='rtp_tunnel' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: AAA/AUTHEN (1598999635): status = PASS
Jan 30 12:17:10: AAA/AUTHEN: free_user (0x23232C) user='rtp_tunnel'
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: Tnl 74 L2TP: Got a response from remote peer, ABCDE
Jan 30 12:17:10: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:10: AAA/AUTHEN: create_user (0x22FBA4) user='rtp_tunnel' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: AAA/AUTHEN/START (2964849625): port='' list='default' 
action=SENDAUTH service=PPP
Jan 30 12:17:10: AAA/AUTHEN/START (2964849625): found list default
Jan 30 12:17:10: AAA/AUTHEN (2964849625): status = UNKNOWN
Jan 30 12:17:10: AAA/AUTHEN/START (2964849625): Method=TACACS+
Jan 30 12:17:10: TAC+: send AUTHEN/START packet ver=193 id=2964849625
20:03:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, 
changed state to up
Jan 30 12:17:11: TAC+: ver=192 id=2964849625 received AUTHEN status = ERROR
Jan 30 12:17:11: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:11: AAA/AUTHEN: create_user (0x22FC8C) user='rtp_tunnel' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: As1 74/1 L2TP: Discarding data packet because tunnel 
is not open
Jan 30 12:17:11: As1 74/1 L2TP: Discarding data packet because tunnel 
is not open
Jan 30 12:17:11: TAC+: ver=192 id=1474818051 received AUTHEN status = PASS
Jan 30 12:17:11: AAA/AUTHEN: free_user (0x22FC8C) user='rtp_tunnel' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: AAA/AUTHEN (2964849625): status = PASS
Jan 30 12:17:11: AAA/AUTHEN: free_user (0x22FBA4) user='rtp_tunnel' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: Tnl 74 L2TP: Tunnel Authentication success
Jan 30 12:17:11: Tnl 74 L2TP: Tunnel state change from wait-ctl-reply to 
established
Jan 30 12:17:11: Tnl 74 L2TP: O SCCCN to ABCDE tnlid 56
Jan 30 12:17:11: Tnl 74 L2TP: SM State established
Jan 30 12:17:11: As1 74/1 L2TP: O ICRQ to ABCDE 56/0
Jan 30 12:17:11: As1 74/1 L2TP: Session state change from wait-for-tunnel 
to wait-reply
Jan 30 12:17:11: Tnl 74 L2TP: Dropping old CM, Ns 0, expected 1
Jan 30 12:17:11: As1 74/1 L2TP: O ICCN to ABCDE 56/1
Jan 30 12:17:11: As1 74/1 L2TP: Session state change from wait-reply to 
established
LAC#

Good Debug from LNS Router

LNS#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
L2X protocol events debugging is on
L2X protocol errors debugging is on
VPDN events debugging is on
VPDN errors debugging is on
VTEMPLATE:
Virtual Template debugging is on
LNS#
Jan 30 12:17:09: L2TP: I SCCRQ from rtp_tunnel tnl 74
Jan 30 12:17:09: Tnl 56 L2TP: New tunnel created for remote 
rtp_tunnel, address 10.31.1.144
Jan 30 12:17:09: Tnl 56 L2TP: Got a challenge in SCCRQ, rtp_tunnel
Jan 30 12:17:09: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:09: AAA/AUTHEN: create_user (0x21F6D0) user='ABCDE' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:09: AAA/AUTHEN/START (3194595626): port='' list='default' 
action=SENDAUTH service=PPP
Jan 30 12:17:09: AAA/AUTHEN/START (3194595626): found list default
Jan 30 12:17:09: AAA/AUTHEN (3194595626): status = UNKNOWN
Jan 30 12:17:09: AAA/AUTHEN/START (3194595626): Method=TACACS+
Jan 30 12:17:09: TAC+: send AUTHEN/START packet ver=193 id=3194595626
Jan 30 12:17:09: TAC+: ver=192 id=3194595626 received AUTHEN status = ERROR
Jan 30 12:17:09: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:09: AAA/AUTHEN: create_user (0x2281AC) user='ABCDE' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:09: TAC+: ver=192 id=3639011179 received AUTHEN status = PASS
Jan 30 12:17:09: AAA/AUTHEN: free_user (0x2281AC) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:09: AAA/AUTHEN (3194595626): status = PASS
Jan 30 12:17:09: AAA/AUTHEN: free_user (0x21F6D0) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:09: Tnl 56 L2TP: O SCCRP to rtp_tunnel tnlid 74
Jan 30 12:17:09: Tnl 56 L2TP: Tunnel state change from idle to 
wait-ctl-reply
Jan 30 12:17:10: Tnl 56 L2TP: O Resend SCCRP, flg TLF, ver 2, len 152, 
tnl 74, cl 0, ns 0, nr 1
Jan 30 12:17:10: Tnl 56 L2TP: I SCCCN from rtp_tunnel tnl 74
Jan 30 12:17:10: Tnl 56 L2TP: Got a Challenge Response in SCCCN from rtp_tunnel
Jan 30 12:17:10: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:10: AAA/AUTHEN: create_user (0x227F3C) user='ABCDE' 
ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:10: AAA/AUTHEN/STARTTranslating "rtp.cisco.com"
(4117701992): port='' list='default' action=SENDAUTH service=PPP
Jan 30 12:17:10: AAA/AUTHEN/START (4117701992): found list default
Jan 30 12:17:10: AAA/AUTHEN (4117701992): status = UNKNOWN
Jan 30 12:17:10: AAA/AUTHEN/START (4117701992): Method=TACACS+
Jan 30 12:17:10: TAC+: send AUTHEN/START packet ver=193 id=4117701992
Jan 30 12:17:11: TAC+: ver=192 id=4117701992 received AUTHEN status = ERROR
Jan 30 12:17:11: AAA: parse name= idb type=-1 tty=-1
Jan 30 12:17:11: AAA/AUTHEN: create_user (0x228E68) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: TAC+: ver=192 id=2827432721 received AUTHEN status = PASS
Jan 30 12:17:11: AAA/AUTHEN: free_user (0x228E68) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: AAA/AUTHEN (4117701992): status = PASS
Jan 30 12:17:11: AAA/AUTHEN: free_user (0x227F3C) user='ABCDE' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 30 12:17:11: Tnl 56 L2TP: Tunnel Authentication success
Jan 30 12:17:11: Tnl 56 L2TP: Tunnel state change from wait-ctl-reply 
to established
Jan 30 12:17:11: Tnl 56 L2TP: SM State established
Jan 30 12:17:11: Tnl 56 L2TP: I ICRQ from rtp_tunnel tnl 74
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: Session FS enabled
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: Session state change from idle to 
wait-for-tunnel
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: New session created
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: O ICRP to rtp_tunnel 74/1
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: Session state change from wait-for-tunnel 
to wait-connect
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: I ICCN from rtp_tunnel tnl 74, cl 1
Jan 30 12:17:11: Tnl/Cl 56/1 L2TP: Session state change from wait-connect 
to established
Jan 30 12:17:11: Vi1 VTEMPLATE: Reuse Vi1, recycle queue size 0
Jan 30 12:17:11: Vi1 VTEMPLATE: Hardware address 00e0.1e68.942c
Jan 30 12:17:11: Vi1 VPDN: Virtual interface created for janedoe@rtp.cisco.com
Jan 30 12:17:11: Vi1 VPDN: Set to Async interface
Jan 30 12:17:11: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
Jan 30 12:17:11: Vi1 VTEMPLATE: Has a new cloneblk vtemplate, now it has vtemplate
Jan 30 12:17:11: Vi1 VTEMPLATE: ************* CLONE VACCESS1 *****************
Jan 30 12:17:11: Vi1 VTEMPLATE: Clone from Virtual-Template1
interface Virtual-Access1
default ip address
no ip address
encap ppp
ip unnumbered Ethernet0
peer default ip address pool default
ppp authentication chap
ip unnum ethernet0
peer def ip address pool default
ppp authen chap
end

Jan 30 12:17:12: janedoe@rtp.cisco.com 56/1 L2TP: Session with no hwidb
20:12:14: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 30 12:17:13: Vi1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Jan 30 12:17:13: Vi1 VPDN: Bind interface direction=2
Jan 30 12:17:13: Vi1 VPDN: PPP LCP accepted rcv CONFACK
Jan 30 12:17:13: Vi1 VPDN: PPP LCP accepted sent CONFACK
Jan 30 12:17:13: Vi1 L2X: Discarding packet because of no mid/session
Jan 30 12:17:13: AAA: parse name=Virtual-Access1 idb type=21 tty=-1
Jan 30 12:17:13: AAA: name=Virtual-Access1 flags=0x11 type=5 shelf=0 slot=0 
adapter=0 port=1 channel=0
Jan 30 12:17:13: AAA/AUTHEN: create_user (0x1F5100) user='janedoe@rtp.cisco.com' 
ruser='' port='Virtual-Access1' rem_addr='' authen_type=CHAP
service=PPP priv=1
Jan 30 12:17:13: AAA/AUTHEN/START (562517969): port='Virtual-Access1' list='' 
action=LOGIN service=PPP
Jan 30 12:17:13: AAA/AUTHEN/START (562517969): using "default" list
Jan 30 12:17:13: AAA/AUTHEN (562517969): status = UNKNOWN
Jan 30 12:17:13: AAA/AUTHEN/START (562517969): Method=TACACS+
Jan 30 12:17:13: TAC+: send AUTHEN/START packet ver=193 id=562517969
Jan 30 12:17:14: TAC+: ver=192 id=562517969 received AUTHEN status = GETPASS
Jan 30 12:17:14: AAA: parse name=Virtual-Access1 idb type=-1 tty=-1
Jan 30 12:17:14: AAA: name=Virtual-Access1 flags=0x11 type=6 shelf=0 slot=0 
adapter=0 port=1 channel=0
Jan 30 12:17:14: AAA/AUTHEN: create_user (0x1F5270) user='janedoe@rtp.cisco.com' 
ruser='' port='Virtual-Access1' rem_addr='' authen_type=CHAP
service=PPP priv=1
Jan 30 12:17:14: TAC+: ver=192 id=2384902384 received AUTHEN status = PASS
Jan 30 12:17:14: AAA/AUTHEN: free_user (0x1F5270) user='janedoe@rtp.cisco.com' 
ruser='' port='Virtual-Access1' rem_addr='' authen_type=CHAP
service=PPP priv=1
Jan 30 12:17:14: AAA/AUTHEN (562517969): status = PASS
Jan 30 12:17:14: Vi1 AAA/AUTHOR/LCP: Authorize LCP
Jan 30 12:17:14: AAA/AUTHOR/LCP Vi1 (413543389): Port='Virtual-Access1' 
list='' service=NET
Jan 30 12:17:14: AAA/AUTHOR/LCP: Vi1 (413543389) user='janedoe@rtp.cisco.com'
Jan 30 12:17:14: AAA/AUTHOR/LCP: Vi1 (413543389) send AV service=ppp
Jan 30 12:17:14: AAA/AUTHOR/LCP: Vi1 (413543389) send AV protocol=lcp
Jan 30 12:17:14: AAA/AUTHOR/LCP (413543389) found list "default"
Jan 30 12:17:14: AAA/AUTHOR/LCP: Vi1 (413543389) Method=TACACS+
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (413543389): user=janedoe@rtp.cisco.com
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (413543389): send AV service=ppp
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (413543389): send AV protocol=lcp
Jan 30 12:17:14: TAC+: (413543389): received author response status = PASS_ADD
Jan 30 12:17:14: AAA/AUTHOR (413543389): Post authorization status = PASS_ADD
Jan 30 12:17:14: AAA/ACCT/NET/START User janedoe@rtp.cisco.com, 
Port Virtual-Access1, List ""
Jan 30 12:17:14: AAA/ACCT/NET: Found list "default"
Jan 30 12:17:14: Vi1 AAA/AUTHOR/FSM: (0): Can we start IPCP?
Jan 30 12:17:14: AAA/AUTHOR/FSM Vi1 (1358526470): Port='Virtual-Access1' 
list='' service=NET
Jan 30 12:17:14: AAA/AUTHOR/FSM: Vi1 (1358526470) user='janedoe@rtp.cisco.com'
Jan 30 12:17:14: AAA/AUTHOR/FSM: Vi1 (1358526470) send AV service=ppp
Jan 30 12:17:14: AAA/AUTHOR/FSM: Vi1 (1358526470) send AV protocol=ip
Jan 30 12:17:14: AAA/AUTHOR/FSM (1358526470) found list "default"
Jan 30 12:17:14: AAA/AUTHOR/FSM: Vi1 (1358526470) Method=TACACS+
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (1358526470): user=janedoe@rtp.cisco.com
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (1358526470): send AV service=ppp
Jan 30 12:17:14: AAA/AUTHOR/TAC+: (1358526470): send AV protocol=ip
Jan 30 12:17:14: TAC+: (1358526470): received author response status = PASS_ADD
Jan 30 12:17:14: AAA/AUTHOR (1358526470): Post authorization status = PASS_ADD
Jan 30 12:17:14: Vi1 AAA/AUTHOR/FSM: We can start IPCP
Jan 30 12:17:14: TAC+: (1442592025): received acct response status = UNKNOWN
20:12:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, 
changed state to up
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Processing AV service=ppp
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Authorization succeeded
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 10.6.1.1
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Processing AV service=ppp
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Authorization succeeded
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 10.6.1.1
Jan 30 12:17:16: Vi1 AAA/AUTHOR/IPCP: Start. Her address 10.6.1.1, we want 10.6.1.1
Jan 30 12:17:16: AAA/AUTHOR/IPCP Vi1 (3572380713): Port='Virtual-Access1' 
list='' service=NET
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) user='janedoe@rtp.cisco.com'
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) send AV service=ppp
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) send AV protocol=ip
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) send AV addr*10.6.1.1
Jan 30 12:17:16: AAA/AUTHOR/IPCP (3572380713) found list "default"
Jan 30 12:17:16: AAA/AUTHOR/IPCP: Vi1 (3572380713) Method=TACACS+
Jan 30 12:17:16: AAA/AUTHOR/TAC+: (3572380713): user=janedoe@rtp.cisco.com
Jan 30 12:17:16: AAA/AUTHOR/TAC+: (3572380713): send AV service=ppp
Jan 30 12:17:16: AAA/AUTHOR/TAC+: (3572380713): send AV protocol=ip
Jan 30 12:17:16: AAA/AUTHOR/TAC+: (3572380713): send AV addr*10.6.1.1
Jan 30 12:17:17: TAC+: (3572380713): received author response status = PASS_ADD
Jan 30 12:17:17: AAA/AUTHOR (3572380713): Post authorization status = PASS_ADD
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Processing AV service=ppp
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Processing AV addr*10.6.1.1
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Authorization succeeded
Jan 30 12:17:17: Vi1 AAA/AUTHOR/IPCP: Done. Her address 10.6.1.1, we want 10.6.1.1
LNS#
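
The following Python script is an added example, not part of the original document. It rejoins the wrapped debug lines shown above, extracts the L2TP control messages, tunnel state changes and TACACS+ AUTHEN results, and flags a tunnel that reaches "established" with no earlier "Tunnel Authentication success" line. The function names and the finding text are this example's own assumptions; the sample is an excerpt of the LAC debug above.

```python
import re

# Excerpt of the LAC debug shown above, one wrapped line included.
SAMPLE = """\
Jan 30 12:17:09: Tnl 74 L2TP: O SCCRQ
Jan 30 12:17:09: Tnl 74 L2TP: Tunnel state change from idle to wait-ctl-reply
Jan 30 12:17:10: Tnl 74 L2TP: I SCCRP from ABCDE
Jan 30 12:17:10: TAC+: ver=192 id=1598999635 received AUTHEN status = ERROR
Jan 30 12:17:10: TAC+: ver=192 id=3400389836 received AUTHEN status = PASS
Jan 30 12:17:11: Tnl 74 L2TP: Tunnel Authentication success
Jan 30 12:17:11: Tnl 74 L2TP: Tunnel state change from wait-ctl-reply to
established
Jan 30 12:17:11: Tnl 74 L2TP: O SCCCN to ABCDE tnlid 56
Jan 30 12:17:11: As1 74/1 L2TP: O ICRQ to ABCDE 56/0
Jan 30 12:17:11: As1 74/1 L2TP: O ICCN to ABCDE 56/1
"""

STAMP = re.compile(r"^(?:[A-Z][a-z]{2} +\d+ )?\d\d:\d\d:\d\d: ")
CTRL = re.compile(r"L2TP: ([IO]) (?:Resend )?(SCCRQ|SCCRP|SCCCN|ICRQ|ICRP|ICCN)\b")
STATE = re.compile(r"Tnl (\d+) L2TP: Tunnel state change from (\S+) to (\S+)")
AUTHEN = re.compile(r"TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\w+)")
AUTH_OK = re.compile(r"Tnl (\d+) L2TP: Tunnel Authentication success")

def records(text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous record."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def summarize(text):
    """Collect control messages, tunnel states and TACACS+ results in log order."""
    s = {"ctrl": [], "states": [], "authen": [], "findings": []}
    authed = set()  # tunnel ids that logged a successful tunnel authentication
    for rec in records(text):
        if m := CTRL.search(rec):
            s["ctrl"].append(m.group(1) + " " + m.group(2))
        if m := AUTHEN.search(rec):
            s["authen"].append((m.group(1), m.group(2)))
        if m := AUTH_OK.search(rec):
            authed.add(m.group(1))
        if m := STATE.search(rec):
            s["states"].append(m.groups())
            if m.group(3) == "established" and m.group(1) not in authed:
                s["findings"].append(f"Tnl {m.group(1)} established without tunnel authentication")
    return s
```

Calling summarize() on a full capture from either router returns the same four lists; an empty "findings" list means every tunnel that reached "established" had logged its authentication success first.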

Document ID: 13858