安全 : 用于 Windows 的思科安全访问控制服务器

用 TACACS+ 配置 PPP 回呼

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 22 日) | 反馈


目录


简介

本文显示路由器和AAA服务器的配置示例执行与TACACS+的点对点协议(PPP)回拨。使用Windows 2000客户端指定的由AAA服务器或回拨号码的两示例包括。

  • 执行初始测试与本地认证和回拨(请删除aaa new-model命令)。如果回拨不与本地认证一起使用,不与TACACS+一起使用。参考配置在一个路由器和一个Windows PC之间的MS回拨示例的如何使用本地认证。

  • 执行进一步PPP认证测试与TACACS+,不用回拨。如果用户FAIL验证和授权没有回拨,认证和授权不与回拨一起使用。

  • 一旦回拨的与TACACS+的本地认证和PPP认证工作,从路由器的本地用户请添加信息(例如回拨拨号字符串)到在服务器的用户配置文件。

注意: 这些测验的客户端是Windows 2000 Professional客户端, DUN,为一PPP连接照常设置,与Microsoft回叫设置作为“要求我在正在拨号期间,当服务器提示时”。Cisco IOS�软件版本11.3.2.T和以上支持Microsoft回叫。

先决条件

要求

本文档没有任何特定的要求。

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • Cisco IOS软件版本12.1(7)aa

  • Cisco Secure ACS UNIX 2.3(2)

  • Cisco Secure ACS for Windows 3.3

  • TACACS免费软件后台程序4.0(3)

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 要查找本文档所用命令的其他信息,请使用命令查找工具仅限注册用户)。

网络图

本文档使用此图所示的网络设置。

/image/gif/paws/13859/pppcallback_tac1.gif

带有服务器指定号码的 PPP 回拨

服务器配置

这些是PPP回呼的AAA服务器配置用AAA服务器指定的电话号码。

服务器设置- Cisco Secure ACS for Windows

  • 要启用用户和组的LCP选项,请去Interface Configuration屏幕,选择TACACS+ (Cisco IOS),并且保证PPP IPPPP LCP选项被检查用户

  • 回拨在组或用户设置可能配置。

    • 配置回拨的一组:在Group Setup屏幕,在回拨下,请选择选项使用Windows数据库回拨设置(在ACS早版本此选项叫作“使用Microsoft NT回拨设置”)。然后请检查选项PPP IPPPP LCP。在空白字段选择回拨线路和类型84007

      对于是组的组员的用户,请去User Setup屏幕并且选择使用组设置在回拨下。单击 Submit+ Restart

    • 配置回拨的个人用户:在User Setup屏幕,在回拨下,请选择回拨使用此编号和类型84007在空白字段。然后请检查选项PPP IPPPP LCP。单击 Submit+ Restart

服务器设置- Cisco Secure UNIX

<coachella>/export/home/brownr> ViewProfile -p 9900 -u callback_user
User Profile Information
user = callback_user{
profile_id = 113
profile_cycle = 15
member = ccie_study
password = chap "********"
service=ppp {
protocol=ip {
}
protocol=lcp {
set callback-dialstring=84007
}
}

}

服务器设置- TACACS+免费软件

user = callback_user {
chap= cleartext "chapuser"
service = ppp protocol = lcp {
callback-dialstring=84007
}
service = ppp protocol = ip {
}
}

带有用户指定号码的 PPP 回拨

示例前在本文是回拨在一个预定义的编号(指定在AAA服务器)。回拨可能也完成在用户指定号码使用回拨号码和指定作为在AAA服务器的空。这会导致路由器要求用户提供回拨号码。初始测试应该完成与指定的本地回叫。参考在接入服务器和PC示例之间的异步PPP回呼并且注意到, “回叫拨号字符串”指定作为报价单("")。

这些测验的客户端照常是Windows 2000 Professional客户端,设置一PPP连接的,与Microsoft回叫设置作为“呼叫我回到在下面的编号”。

注意: 显示的网络图路由器配置适用于讨论的回叫配置此处。

服务器配置

显示此处PPP回呼的AAA服务器配置用用户指定的电话号码。

服务器设置- Windows的Cisco Secure

  • 要启用用户和组的LCP选项,请去Interface Configuration屏幕,选择TACACS+ (Cisco IOS),并且保证PPP IPPPP LCP选项被检查用户

  • 回拨在组或用户设置可能配置。

    • 配置回拨的一组:在Group Setup屏幕,在回拨下,请选择拨号客户端的选项指定回拨号码。然后请检查选项PPP IPPPP LCP

      对于是组的组员的用户,请去User Setup屏幕并且选择使用组设置在回拨下。单击 Submit+ Restart

    • 配置回拨的个人用户:在User Setup屏幕,在回拨下,请选择拨号客户端的选项指定回拨号码。然后请检查选项PPP IPPPP LCP。单击 Submit+ Restart

服务器设置- Cisco Secure UNIX

<coachella>ViewProfile -p 9900 -u callback_user
User Profile Information
user = callback_user{
profile_id = 113
profile_cycle = 15
member = ccie_study
password = chap "********"
service=ppp {
protocol=ip {
}
protocol=lcp {
set callback-dialstring=""
}
}

}

服务器设置- TACACS+免费软件

user = callback_user {
chap= cleartext "chapuser"
service = ppp protocol = lcp {
callback-dialstring=""
}
service = ppp protocol = ip {
}
}

/image/gif/paws/13859/pppcallback_tac3.gif

路由器配置

NAS 配置
AS5200

maui-nas-01#show run
Building configuration...

Current configuration : 2882 bytes
!
version 12.1
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-01
!
logging buffered 4096 debugging
no logging console guaranteed
no logging console

!--- Basic AAA configuration using TACACS+ as the primary method,
!--- local if the ERROR  is received during negotiation. 
!--- Disable AAA authentication and authorization on console port.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization exec NO_AUTHOR none
aaa authorization network default group tacacs+ local
enable secret <snipped>
!
username admin password <snipped>
spe 1/0 1/23
firmware location feature_card_flash
spe 2/0 2/4
!
resource-pool disable
!
clock timezone CST -6
clock summer-time CST recurring
modem recovery action none
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
ip name-server 172.22.53.210
!
no ip bootp server
isdn switch-type primary-ni
! 

!--- Chat scripts "offhook" and "CALLBACK"
!--- used intuitively to go offhook and callback clients.

chat-script CALLBACK ABORT ERROR ABORT BUSY "" "AT" 
OK "ATDT \T" TIMEOUT 30 CONNECT \c
chat-script offhook "" "ATH1" OK \c
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Ethernet0
ip address 172.22.53.101 255.255.255.0
no ip route-cache
no ip mroute-cache
no cdp enable
!
interface Serial0:23
no ip address
encapsulation ppp
no ip route-cache
isdn switch-type primary-ni
isdn incoming-voice modem
isdn bchan-number-order ascending
no cdp enable
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
async mode interactive
peer default ip address pool IP_POOL
no cdp enable

!--- Allows "group-async 1" to accept PPP callback requests from clients.
!--- Use Challenge Authentication Protocol (CHAP) for authentication
!--- on incoming calls.

ppp callback accept
ppp authentication chap callin
group-range 1 48
!
ip local pool IP_POOL 172.22.53.141 172.22.53.148
ip default-gateway 172.22.53.1
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.53.1
!
no cdp run
tacacs-server host 172.22.53.201 key <snipped>
!
line con 0
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
transport input none
line 1 48

!--- Specifies chat scripts used during callback to clients.

script modem-off-hook offhook
script callback CALLBACK
modem InOut
transport preferred none
transport input all
transport output none
autoselect during-login
autoselect ppp
callback forced-wait 5
line aux 0
line vty 0 4
!
ntp server 172.22.53.1
end

验证

当前没有可用于此配置的验证过程。

故障排除

本部分提供的信息可用于对配置进行故障排除。

故障排除命令

注意: 在发出 debug 命令之前,请参阅有关 Debug 命令的重要信息

  • debug aaa authentication - 显示有关 AAA 身份验证的信息。

  • debug aaa authorization - 显示有关 AAA 授权的信息。

  • debug callback —,当路由器使用一个调制解调器和一个对话脚本呼叫在终端线路时的上一步显示回拨事件。

  • debug chat —显示字符发送在网络接入服务器(NAS)和PC之间。聊天脚本是定义数据终端设备 (DTE)-DTE 或 DTE-数据通信设备 (DCE) 设备之间的握手的一组期望发送的字符串对。

  • debug modem - 显示接入服务器上的调制解调器线路活动情况。

  • debug ppp negotiation — 显示在 PPP 启动期间传输的 PPP 数据包,在此启动期间将协商 PPP 选项。

  • debug ppp authentication —显示认证协议消息,包括质询验证协议(CHAP)信息包交换和密码认证协议交换。

  • debug tacacs+ -显示与TACACS+相关的详细调试信息。

调试输出示例

各自的阶段在此图表中对应于在此图表以后显示的实际debug输出。注意若干输出包裹在两条线路上由于间距注意事项。

/image/gif/paws/13859/pppcallback_tac2.gif

第 1 阶段

maui-nas-01#debug aaa authentication
maui-nas-01#debug aaa authorization

maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on

!--- AAA negotiation begins, aborted because PPP is autoselected.

Aug 1 09:23:53.320 CST: AAA: parse name=tty6 idb type=10 tty=6
Aug 1 09:23:53.320 CST: AAA: name=tty6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:53.324 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:53.328 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4
Aug 1 09:23:53.332 CST: AAA/MEMORY: create_user (0x2A0AA0) user='' ruser='' 
  port='tty6' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:53.336 CST: AAA/AUTHEN/START (2776623843): port='tty6' list=''
  action=LOGIN service=LOGIN
Aug 1 09:23:53.340 CST: AAA/AUTHEN/START (2776623843): using "default" list
Aug 1 09:23:53.344 CST: AAA/AUTHEN/START (2776623843): Method=tacacs+ (tacacs+)
Aug 1 09:23:53.348 CST: TAC+: send AUTHEN/START packet ver=192 id=2776623843
Aug 1 09:23:53.572 CST: TAC+: ver=192 id=2776623843 received AUTHEN
  status = GETUSER
Aug 1 09:23:53.576 CST: AAA/AUTHEN (2776623843): status = GETUSER
Aug 1 09:23:55.548 CST: AAA/AUTHEN/ABORT: (2776623843) because Autoselected.
Aug 1 09:23:55.552 CST: TAC+: send abort reason=Autoselected
Aug 1 09:23:55.668 CST: AAA/MEMORY: free_user (0x2A0AA0) user='' ruser=''
  port='tty6'rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:58.124 CST: %LINK-3-UPDOWN: Interface Async6, changed state to up
Aug 1 09:23:58.148 CST: As6 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Aug 1 09:23:58.912 CST: AAA: parse name=Async6 idb type=10 tty=6
Aug 1 09:23:58.916 CST: AAA: name=Async6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:58.916 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:58.920 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4

!--- AAA Authentication start packet is sent to AAA server.

Aug 1 09:23:58.924 CST: AAA/MEMORY: create_user (0x2984EC)
  user='callback_user'ruser='' port='Async6' rem_addr='async/81560' 
  authen_type=CHAP service=PPP priv=1
Aug 1 09:23:58.932 CST: AAA/AUTHEN/START (3527356355): port='Async6' list=''
  action=LOGIN service=PPP
Aug 1 09:23:58.936 CST: AAA/AUTHEN/START (3527356355): using "default" list
Aug 1 09:23:58.936 CST: AAA/AUTHEN (3527356355): status = UNKNOWN
Aug 1 09:23:58.940 CST: AAA/AUTHEN/START (3527356355): Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA server.

Aug 1 09:23:58.944 CST: TAC+: send AUTHEN/START packet ver=193 id=3527356355
Aug 1 09:23:59.172 CST: TAC+: ver=193 id=3527356355 received AUTHEN
  status = PASS
Aug 1 09:23:59.172 CST: AAA/AUTHEN (3527356355): status = PASS

!--- AAA Authorization request sent to AAA server for LCP.

Aug 1 09:23:59.180 CST: As6 AAA/AUTHOR/LCP: Authorize LCP
Aug 1 09:23:59.184 CST: As6 AAA/AUTHOR/LCP (1701401119): Port='Async6'
  list='' service=NET
Aug 1 09:23:59.188 CST: AAA/AUTHOR/LCP: As6 (1701401119) user='callback_user'
Aug 1 09:23:59.192 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV service=ppp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV protocol=lcp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): found list "default"
Aug 1 09:23:59.200 CST: As6 AAA/AUTHOR/LCP (1701401119):
  Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA server, set the callback dialstring
!--- via the "callback-dialstring" Attribute Value Pair.

Aug 1 09:23:59.204 CST: AAA/AUTHOR/TAC+: (1701401119): user=callback_user
Aug 1 09:23:59.208 CST: AAA/AUTHOR/TAC+: (1701401119): send AV service=ppp
Aug 1 09:23:59.212 CST: AAA/AUTHOR/TAC+: (1701401119): send AV protocol=lcp
Aug 1 09:23:59.440 CST: TAC+: (1701401119): received author response status 
  = PASS_ADD
Aug 1 09:23:59.448 CST: As6 AAA/AUTHOR (1701401119): Post authorization status 
  = PASS_ADD
Aug 1 09:23:59.452 CST: As6 AAA/AUTHOR/LCP: Processing AV service=ppp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV
  callback-dialstring=81550

第 2 阶段

maui-nas-01#debug aaa authentication
maui-nas-01#debug aaa authorization

maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on

!--- AAA negotiation begins, aborted because PPP is autoselected.

Aug 1 09:23:53.320 CST: AAA: parse name=tty6 idb type=10 tty=6
Aug 1 09:23:53.320 CST: AAA: name=tty6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:53.324 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:53.328 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4
Aug 1 09:23:53.332 CST: AAA/MEMORY: create_user (0x2A0AA0) user='' ruser='' 
  port='tty6' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:53.336 CST: AAA/AUTHEN/START (2776623843): port='tty6' list=''
  action=LOGIN service=LOGIN
Aug 1 09:23:53.340 CST: AAA/AUTHEN/START (2776623843): using "default" list
Aug 1 09:23:53.344 CST: AAA/AUTHEN/START (2776623843): Method=tacacs+ (tacacs+)
Aug 1 09:23:53.348 CST: TAC+: send AUTHEN/START packet ver=192 id=2776623843
Aug 1 09:23:53.572 CST: TAC+: ver=192 id=2776623843 received AUTHEN
  status = GETUSER
Aug 1 09:23:53.576 CST: AAA/AUTHEN (2776623843): status = GETUSER
Aug 1 09:23:55.548 CST: AAA/AUTHEN/ABORT: (2776623843) because Autoselected.
Aug 1 09:23:55.552 CST: TAC+: send abort reason=Autoselected
Aug 1 09:23:55.668 CST: AAA/MEMORY: free_user (0x2A0AA0) user='' ruser=''
  port='tty6'rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:58.124 CST: %LINK-3-UPDOWN: Interface Async6, changed state to up
Aug 1 09:23:58.148 CST: As6 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Aug 1 09:23:58.912 CST: AAA: parse name=Async6 idb type=10 tty=6
Aug 1 09:23:58.916 CST: AAA: name=Async6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:58.916 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:58.920 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4

!--- AAA Authentication start packet is sent to AAA server.

Aug 1 09:23:58.924 CST: AAA/MEMORY: create_user (0x2984EC)
  user='callback_user'ruser='' port='Async6' rem_addr='async/81560' 
  authen_type=CHAP service=PPP priv=1
Aug 1 09:23:58.932 CST: AAA/AUTHEN/START (3527356355): port='Async6' list=''
  action=LOGIN service=PPP
Aug 1 09:23:58.936 CST: AAA/AUTHEN/START (3527356355): using "default" list
Aug 1 09:23:58.936 CST: AAA/AUTHEN (3527356355): status = UNKNOWN
Aug 1 09:23:58.940 CST: AAA/AUTHEN/START (3527356355): Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA Server.

Aug 1 09:23:58.944 CST: TAC+: send AUTHEN/START packet ver=193 id=3527356355
Aug 1 09:23:59.172 CST: TAC+: ver=193 id=3527356355 received AUTHEN
  status = PASS
Aug 1 09:23:59.172 CST: AAA/AUTHEN (3527356355): status = PASS

!--- AAA Authorization request sent to AAA server for LCP.

Aug 1 09:23:59.180 CST: As6 AAA/AUTHOR/LCP: Authorize LCP
Aug 1 09:23:59.184 CST: As6 AAA/AUTHOR/LCP (1701401119): Port='Async6'
  list='' service=NET
Aug 1 09:23:59.188 CST: AAA/AUTHOR/LCP: As6 (1701401119) user='callback_user'
Aug 1 09:23:59.192 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV service=ppp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV protocol=lcp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): found list "default"
Aug 1 09:23:59.200 CST: As6 AAA/AUTHOR/LCP (1701401119):
  Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA Server, set the callback dialstring
!--- via the "callback-dialstring" Attribute Value Pair.

Aug 1 09:23:59.204 CST: AAA/AUTHOR/TAC+: (1701401119): user=callback_user
Aug 1 09:23:59.208 CST: AAA/AUTHOR/TAC+: (1701401119): send AV service=ppp
Aug 1 09:23:59.212 CST: AAA/AUTHOR/TAC+: (1701401119): send AV protocol=lcp
Aug 1 09:23:59.440 CST: TAC+: (1701401119): received author response status 
  = PASS_ADD
Aug 1 09:23:59.448 CST: As6 AAA/AUTHOR (1701401119): Post authorization status 
  = PASS_ADD
Aug 1 09:23:59.452 CST: As6 AAA/AUTHOR/LCP: Processing AV service=ppp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV
  callback-dialstring=81550

第 3 阶段

maui-nas-01#show debug
General OS:
Modem control/process activation debugging is on
PPP:
PPP protocol negotiation debugging is on
Chat Scripts:
Chat scripts activity debugging is on
Callback:
Callback activity debugging is on

Aug 1 09:33:38.862 CST: As7 MCB: User callback_user Callback Number
  - Server 81550
Aug 1 09:33:38.870 CST: Async7 PPP: O MCB Request(1) id 1 len 7
Aug 1 09:33:38.874 CST: Async7 MCB: O 1 1 0 7 3 3 0 
Aug 1 09:33:38.874 CST: As7 MCB: O Request Id 1 Callback Type
  Server-Num delay 0
Aug 1 09:33:38.878 CST: As7 PPP: Phase is CBCP
Aug 1 09:33:39.018 CST: Async7 PPP: I MCB Response(2) id 1 len 7
Aug 1 09:33:39.022 CST: Async7 MCB: I 2 1 0 7 3 3 C 
Aug 1 09:33:39.026 CST: As7 MCB: Received response
Aug 1 09:33:39.026 CST: As7 MCB: Response CBK-Server-Num 3 3 12
Aug 1 09:33:39.034 CST: Async7 PPP: O MCB Ack(3) id 2 len 7
Aug 1 09:33:39.034 CST: Async7 MCB: O 3 2 0 7 3 3 C 
Aug 1 09:33:39.038 CST: As7 MCB: O Ack Id 2 Callback Type Server-Num delay 12
Aug 1 09:33:39.042 CST: As7 MCB: Negotiated MCB with peer

!--- NAS sends LCP Terminate Request from client.

Aug 1 09:33:39.182 CST: As7 LCP: I TERMREQ [Open] id 6 len 16
  (0x566260A7003CCD7400000000)

!--- NAS receives Terminate Acknowledge from client.

Aug 1 09:33:39.186 CST: As7 LCP: O TERMACK [Open] id 6 len 4
Aug 1 09:33:39.190 CST: As7 MCB: Peer terminating the link
Aug 1 09:33:39.194 CST: As7 MCB: Link terminated by peer, Callback Needed
Aug 1 09:33:39.198 CST: As7 MCB: Initiate Callback for callback_user
  at 81550 using Async
Aug 1 09:33:39.202 CST: As7 MCB: Async-callback in progress
Aug 1 09:33:39.206 CST: As7 PPP: Phase is TERMINATING

!--- NAS disconnects and initiates offhook and CALLBACK chat scripts.

Aug 1 09:33:39.210 CST: TTY7 Callback PPP process creation
Aug 1 09:33:39.218 CST: TTY7 Callback process initiated, user: dialstring 81550
Aug 1 09:33:40.110 CST: %ISDN-6-DISCONNECT: Interface Serial0:5 disconnected 
  from unknown , call lasted 19 seconds
Aug 1 09:33:40.294 CST: TTY7: Async Int reset: Dropping DTR
Aug 1 09:33:41.210 CST: As7 LCP: TIMEout: State TERMsent
Aug 1 09:33:41.210 CST: As7 LCP: State is Closed
Aug 1 09:33:41.214 CST: As7 PPP: Phase is DOWN
Aug 1 09:33:41.218 CST: As7 PPP: Phase is ESTABLISHING, Passive Open
Aug 1 09:33:41.226 CST: As7 LCP: State is Listen
Aug 1 09:33:42.298 CST: %LINK-5-CHANGED: Interface Async7,
  changed state to reset
Aug 1 09:33:42.318 CST: As7 LCP: State is Closed
Aug 1 09:33:42.318 CST: As7 PPP: Phase is DOWN
Aug 1 09:33:45.302 CST: As7 IPCP: Remove route to 172.22.53.147
Aug 1 09:33:45.306 CST: TTY7 Callback forced wait = 5 seconds
Aug 1 09:33:47.302 CST: %LINK-3-UPDOWN: Interface Async7, changed state to down
Aug 1 09:33:47.322 CST: As7 LCP: State is Closed
Aug 1 09:33:50.310 CST: CHAT7: Matched chat script offhook to string offhook
Aug 1 09:33:50.314 CST: CHAT7: Asserting DTR
Aug 1 09:33:50.318 CST: CHAT7: Chat script offhook started
Aug 1 09:33:50.322 CST: CHAT7: Sending string: ATH1
Aug 1 09:33:50.322 CST: CHAT7: Expecting string: OK
Aug 1 09:33:50.634 CST: CHAT7: Completed match for expect: OK
Aug 1 09:33:50.638 CST: CHAT7: Sending string: \c
Aug 1 09:33:50.638 CST: CHAT7: Chat script offhook finished, status = Success
Aug 1 09:33:50.642 CST: CHAT7: Matched chat script CALLBACK to string CALLBACK
Aug 1 09:33:50.650 CST: CHAT7: Asserting DTR
Aug 1 09:33:50.650 CST: CHAT7: Chat script CALLBACK started
Aug 1 09:33:50.654 CST: CHAT7: Sending string: AT
Aug 1 09:33:50.658 CST: CHAT7: Expecting string: OK
Aug 1 09:33:50.686 CST: CHAT7: Completed match for expect: OK
Aug 1 09:33:50.686 CST: CHAT7: Sending string: ATDT \T<81550>
Aug 1 09:33:50.694 CST: CHAT7: Expecting string: CONNECT
Aug 1 09:34:04.051 CST: %ISDN-6-CONNECT: Interface Serial0:0 is now
  connected to 81550 
Aug 1 09:34:17.543 CST: CHAT7: Completed match for expect: CONNECT
Aug 1 09:34:17.547 CST: CHAT7: Sending string: \c
Aug 1 09:34:17.547 CST: CHAT7: Chat script CALLBACK finished, status = Success

阶段4

maui-nas-01#debug aaa authentication
maui-nas-01#debug aaa authorization
maui-nas-01#debug ppp authentication

maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on

!--- AAA/ PPP negotiation begins.

Aug 1 09:42:15.096 CST: TTY8: Callback starting PPP directly with
  valid auth info
Aug 1 09:42:15.104 CST: TTY8: destroy timer type 1
Aug 1 09:42:15.104 CST: TTY8: destroy timer type 0
Aug 1 09:42:15.160 CST: As8 LCP: I CONFREQ [Closed] id 0 len 47
Aug 1 09:42:15.164 CST: As8 LCP: ACCM 0x00000000 (0x020600000000)
Aug 1 09:42:15.168 CST: As8 LCP: MagicNumber 0x5FA259DE (0x05065FA259DE)
Aug 1 09:42:15.172 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.172 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.176 CST: As8 LCP: MRRU 1614 (0x1104064E)
Aug 1 09:42:15.180 CST: As8 LCP: EndpointDisc 1 Local
Aug 1 09:42:15.184 CST: As8 LCP: (0x131701DC57FC8B1CEA4CCEA064C0D958)
Aug 1 09:42:15.188 CST: As8 LCP: (0x82667300000000)
Aug 1 09:42:15.192 CST: As8 LCP: Lower layer not up, Fast Starting
Aug 1 09:42:15.196 CST: As8 PPP: Treating connection as a callout
Aug 1 09:42:15.200 CST: As8 PPP: Phase is ESTABLISHING, Active Open
Aug 1 09:42:15.204 CST: AAA/MEMORY: dup_user (0x4DDDF8) user='callback_user' 
  ruser='' port='Async8' rem_addr='async/81560' authen_type=CHAP service=PPP
  priv=1 source='AAA dup lcp_reset'
Aug 1 09:42:15.212 CST: AAA/MEMORY: free_user (0x2F5418) user='callback_user'
  ruser='' port='Async8' rem_addr='async/81560' authen_type=CHAP service=PPP 
  priv=1
Aug 1 09:42:15.216 CST: As8 AAA/AUTHEN: Method=IF-NEEDED: no authentication 
  needed. user='callback_user' port='Async8' rem_addr='async/81560'
Aug 1 09:42:15.224 CST: As8 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Aug 1 09:42:15.228 CST: As8 LCP: O CONFREQ [Closed] id 2 len 20
Aug 1 09:42:15.232 CST: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
Aug 1 09:42:15.236 CST: As8 LCP: MagicNumber 0x6530AEA5 (0x05066530AEA5)
Aug 1 09:42:15.240 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.240 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.248 CST: As8 LCP: O CONFREJ [REQsent] id 0 len 8
Aug 1 09:42:15.252 CST: As8 LCP: MRRU 1614 (0x1104064E)
Aug 1 09:42:15.260 CST: %LINK-3-UPDOWN: Interface Async8, changed state to up
Aug 1 09:42:15.368 CST: As8 LCP: I CONFACK [REQsent] id 2 len 20
Aug 1 09:42:15.372 CST: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
Aug 1 09:42:15.376 CST: As8 LCP: MagicNumber 0x6530AEA5 (0x05066530AEA5)
Aug 1 09:42:15.380 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.384 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.404 CST: As8 LCP: I CONFREQ [ACKrcvd] id 1 len 43
Aug 1 09:42:15.408 CST: As8 LCP: ACCM 0x00000000 (0x020600000000)
Aug 1 09:42:15.412 CST: As8 LCP: MagicNumber 0x5FA259DE (0x05065FA259DE)
Aug 1 09:42:15.412 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.416 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.420 CST: As8 LCP: EndpointDisc 1 Local
Aug 1 09:42:15.424 CST: As8 LCP: (0x131701DC57FC8B1CEA4CCEA064C0D958)
Aug 1 09:42:15.428 CST: As8 LCP: (0x82667300000000)
Aug 1 09:42:15.432 CST: As8 LCP: O CONFACK [ACKrcvd] id 1 len 43
Aug 1 09:42:15.436 CST: As8 LCP: ACCM 0x00000000 (0x020600000000)
Aug 1 09:42:15.440 CST: As8 LCP: MagicNumber 0x5FA259DE (0x05065FA259DE)
Aug 1 09:42:15.444 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.448 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.452 CST: As8 LCP: EndpointDisc 1 Local
Aug 1 09:42:15.456 CST: As8 LCP: (0x131701DC57FC8B1CEA4CCEA064C0D958)
Aug 1 09:42:15.460 CST: As8 LCP: (0x82667300000000)
Aug 1 09:42:15.460 CST: As8 LCP: State is Open
Aug 1 09:42:15.468 CST: As8 AAA/AUTHOR/LCP: Authorize LCP
Aug 1 09:42:15.468 CST: As8 AAA/AUTHOR/LCP (2679858087): Port='Async8' list='' 
  service=NET
Aug 1 09:42:15.472 CST: AAA/AUTHOR/LCP: As8 (2679858087) user='callback_user'
Aug 1 09:42:15.476 CST: As8 AAA/AUTHOR/LCP (2679858087): send AV service=ppp
Aug 1 09:42:15.480 CST: As8 AAA/AUTHOR/LCP (2679858087): send AV protocol=lcp
Aug 1 09:42:15.484 CST: As8 AAA/AUTHOR/LCP (2679858087): found list "default"
Aug 1 09:42:15.488 CST: As8 AAA/AUTHOR/LCP (2679858087): Method=tacacs+ (tacacs+)
Aug 1 09:42:15.492 CST: AAA/AUTHOR/TAC+: (2679858087): user=callback_user
Aug 1 09:42:15.492 CST: AAA/AUTHOR/TAC+: (2679858087): send AV service=ppp
Aug 1 09:42:15.496 CST: AAA/AUTHOR/TAC+: (2679858087): send AV protocol=lcp
Aug 1 09:42:15.724 CST: TAC+: (2679858087): received author response status 
  = PASS_ADD
Aug 1 09:42:15.732 CST: As8 AAA/AUTHOR (2679858087): Post authorization status 
  = PASS_ADD
Aug 1 09:42:15.736 CST: As8 AAA/AUTHOR/LCP: Processing AV service=ppp
Aug 1 09:42:15.740 CST: As8 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Aug 1 09:42:15.740 CST: As8 AAA/AUTHOR/LCP: Processing AV
  callback-dialstring=81550
Aug 1 09:42:15.748 CST: As8 PPP: Phase is UP
Aug 1 09:42:15.752 CST: As8 AAA/AUTHOR/FSM: (0): Can we start IPCP?
Aug 1 09:42:15.756 CST: As8 AAA/AUTHOR/FSM (3644410406): Port='Async8' list='' 
  service=NET
Aug 1 09:42:15.760 CST: AAA/AUTHOR/FSM: As8 (3644410406) user='callback_user'
Aug 1 09:42:15.764 CST: As8 AAA/AUTHOR/FSM (3644410406): send AV service=ppp
Aug 1 09:42:15.768 CST: As8 AAA/AUTHOR/FSM (3644410406): send AV protocol=ip
Aug 1 09:42:15.768 CST: As8 AAA/AUTHOR/FSM (3644410406): found list "default"
Aug 1 09:42:15.772 CST: As8 AAA/AUTHOR/FSM (3644410406): Method=tacacs+ (tacacs+)
Aug 1 09:42:15.776 CST: AAA/AUTHOR/TAC+: (3644410406): user=callback_user
Aug 1 09:42:15.780 CST: AAA/AUTHOR/TAC+: (3644410406): send AV service=ppp
Aug 1 09:42:15.784 CST: AAA/AUTHOR/TAC+: (3644410406): send AV protocol=ip
Aug 1 09:42:16.016 CST: TAC+: (3644410406): received author response status 
  = PASS_ADD
Aug 1 09:42:16.020 CST: As8 AAA/AUTHOR (3644410406): Post authorization status 
  = PASS_ADD
Aug 1 09:42:16.028 CST: As8 AAA/AUTHOR/FSM: We can start IPCP
Aug 1 09:42:16.032 CST: As8 IPCP: O CONFREQ [Closed] id 1 len 16
Aug 1 09:42:16.036 CST: As8 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
Aug 1 09:42:16.040 CST: As8 IPCP: Address 172.22.53.101 (0x0306AC163565)
Aug 1 09:42:16.048 CST: As8 LCP: I IDENTIFY [Open] id 2 len 18 magic 
  0x5FA259DEMSRASV5.00
Aug 1 09:42:16.052 CST: As8 LCP: I IDENTIFY [Open] id 3 len 29 magic 
  0x5FA259DEMSRAS-1-RBROWN-LAPTOP
Aug 1 09:42:16.056 CST: As8 CCP: I CONFREQ [Not negotiated] id 4 len 10
Aug 1 09:42:16.060 CST: As8 CCP: MS-PPC supported bits 0x00000001
  (0x120600000001)
Aug 1 09:42:16.068 CST: As8 LCP: O PROTREJ [Open] id 3 len 16 protocol CCP
  (0x80FD0104000A120600000001)
Aug 1 09:42:16.080 CST: As8 IPCP: I CONFREQ [REQsent] id 5 len 40
Aug 1 09:42:16.084 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:16.088 CST: As8 IPCP: Address 0.0.0.0 (0x030600000000)
Aug 1 09:42:16.092 CST: As8 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Aug 1 09:42:16.096 CST: As8 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
Aug 1 09:42:16.100 CST: As8 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Aug 1 09:42:16.104 CST: As8 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
Aug 1 09:42:16.108 CST: As8 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we 
  want 172.22.53.148
Aug 1 09:42:16.112 CST: As8 AAA/AUTHOR/IPCP: Processing AV service=ppp
Aug 1 09:42:16.116 CST: As8 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Aug 1 09:42:16.120 CST: As8 AAA/AUTHOR/IPCP: Authorization succeeded
Aug 1 09:42:16.120 CST: As8 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 
  172.22.53.148
Aug 1 09:42:16.128 CST: As8 IPCP: O CONFREJ [REQsent] id 5 len 22
Aug 1 09:42:16.132 CST: As8 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
Aug 1 09:42:16.136 CST: As8 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Aug 1 09:42:16.144 CST: As8 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
Aug 1 09:42:16.184 CST: As8 IPCP: I CONFACK [REQsent] id 1 len 16
Aug 1 09:42:16.188 CST: As8 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
Aug 1 09:42:16.192 CST: As8 IPCP: Address 172.22.53.101 (0x0306AC163565)
Aug 1 09:42:16.680 CST: As8 IPCP: I CONFREQ [ACKrcvd] id 6 len 22
Aug 1 09:42:16.684 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:16.688 CST: As8 IPCP: Address 0.0.0.0 (0x030600000000)
Aug 1 09:42:16.692 CST: As8 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Aug 1 09:42:16.696 CST: As8 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we 
  want 172.22.53.148
Aug 1 09:42:16.700 CST: As8 AAA/AUTHOR/IPCP: Processing AV service=ppp
Aug 1 09:42:16.704 CST: As8 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Aug 1 09:42:16.708 CST: As8 AAA/AUTHOR/IPCP: Authorization succeeded
Aug 1 09:42:16.708 CST: As8 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we 
  want 172.22.53.148
Aug 1 09:42:16.716 CST: As8 IPCP: O CONFNAK [ACKrcvd] id 6 len 16
Aug 1 09:42:16.720 CST: As8 IPCP: Address 172.22.53.148 (0x0306AC163594)
Aug 1 09:42:16.724 CST: As8 IPCP: PrimaryDNS 172.22.53.210 (0x8106AC1635D2)
Aug 1 09:42:16.748 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async8,
  changed state to up
Aug 1 09:42:16.852 CST: As8 IPCP: I CONFREQ [ACKrcvd] id 7 len 22
Aug 1 09:42:16.856 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:16.860 CST: As8 IPCP: Address 172.22.53.148 (0x0306AC163594)
Aug 1 09:42:16.864 CST: As8 IPCP: PrimaryDNS 172.22.53.210 (0x8106AC1635D2)
Aug 1 09:42:16.868 CST: As8 AAA/AUTHOR/IPCP: Start. Her address 172.22.53.148,
  we want 172.22.53.148
Aug 1 09:42:16.876 CST: As8 AAA/AUTHOR/IPCP (4022385425): Port='Async8'
  list=''service=NET
Aug 1 09:42:16.880 CST: AAA/AUTHOR/IPCP: As8 (4022385425) user='callback_user'
Aug 1 09:42:16.884 CST: As8 AAA/AUTHOR/IPCP (4022385425): send AV service=ppp
Aug 1 09:42:16.888 CST: As8 AAA/AUTHOR/IPCP (4022385425): send AV protocol=ip
Aug 1 09:42:16.892 CST: As8 AAA/AUTHOR/IPCP (4022385425):
  send AV addr*172.22.53.148
Aug 1 09:42:16.892 CST: As8 AAA/AUTHOR/IPCP (4022385425): found list "default"
Aug 1 09:42:16.896 CST: As8 AAA/AUTHOR/IPCP (4022385425): Method=tacacs+ (tacacs+)
Aug 1 09:42:16.900 CST: AAA/AUTHOR/TAC+: (4022385425): user=callback_user
Aug 1 09:42:16.904 CST: AAA/AUTHOR/TAC+: (4022385425): send AV service=ppp
Aug 1 09:42:16.908 CST: AAA/AUTHOR/TAC+: (4022385425): send AV protocol=ip
Aug 1 09:42:16.912 CST: AAA/AUTHOR/TAC+: (4022385425): 
  send AV addr*172.22.53.148
Aug 1 09:42:17.140 CST: TAC+: (4022385425): received author response status 
  = PASS_REPL
Aug 1 09:42:17.148 CST: As8 AAA/AUTHOR (4022385425): Post authorization status 
  = PASS_REPL
Aug 1 09:42:17.156 CST: As8 AAA/AUTHOR/IPCP: Reject 172.22.53.148,
  using 172.22.53.148
Aug 1 09:42:17.164 CST: As8 AAA/AUTHOR/IPCP: Processing AV service=ppp
Aug 1 09:42:17.164 CST: As8 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Aug 1 09:42:17.168 CST: As8 AAA/AUTHOR/IPCP: Processing AV addr*172.22.53.148
Aug 1 09:42:17.172 CST: As8 AAA/AUTHOR/IPCP: Authorization succeeded
Aug 1 09:42:17.176 CST: As8 AAA/AUTHOR/IPCP: Done. Her address 172.22.53.148, 
  we want 172.22.53.148
Aug 1 09:42:17.180 CST: As8 IPCP: O CONFACK [ACKrcvd] id 7 len 22
Aug 1 09:42:17.184 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:17.192 CST: As8 IPCP: Address 172.22.53.148 (0x0306AC163594)
Aug 1 09:42:17.196 CST: As8 IPCP: PrimaryDNS 172.22.53.210 (0x8106AC1635D2)
Aug 1 09:42:17.200 CST: As8 IPCP: State is Open
Aug 1 09:42:17.220 CST: As8 IPCP: Install route to 172.22.53.148

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 13859