
Common Problems in Debugging RADIUS, PAP, and CHAP

November 25, 2015 (machine-translated version)




Introduction

This document examines common problems in debugging RADIUS when Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) is used. It describes the typical PC settings for Microsoft Windows 95, Windows NT, Windows 98, and Windows 2000, gives sample configurations, and shows examples of both good and bad debug output.

Prerequisites

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on Cisco IOS Software Release 11.2 and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Typical PC Settings

Windows 95

Follow these steps:

  1. In the Dial-Up Networking window, select the connection name, then choose File > Properties.

  2. On the Server Types tab, under Type of Dial-up Server, check whether the Require Encrypted Password box is checked.

    • If the box is checked, the PC accepts only CHAP authentication.

    • If the box is not checked, the PC accepts PAP or CHAP authentication.

Windows NT

Follow these steps:

  1. In the Dial-Up Networking window, select the connection name, then choose File > Properties.

  2. On the Security tab, check the settings:

    • If the Accept any authentication including clear text box is checked, the PC accepts PAP and CHAP.

    • If the Accept only encrypted authentication box is checked, the PC accepts only CHAP.

Windows 98

Follow these steps:

  1. In the Dial-Up Networking window, select the connection name, then choose Properties.

  2. On the Server Types tab, check the settings in the Advanced Options area:

    • If the Require encrypted password box is not checked, the PC accepts PAP or CHAP authentication.

    • If the Require encrypted password box is checked, the PC accepts only CHAP authentication.

Windows 2000

Follow these steps:

  1. In Network and Dial-Up Connections, select the connection name, then choose Properties.

  2. On the Security tab, go to Advanced > Settings and check the Allow these protocols area:

    • If the Unencrypted password (PAP) box is checked, the PC accepts PAP.

    • If the Challenge Handshake Authentication Protocol (CHAP) box is checked, the PC accepts CHAP as specified in RFC 1994.

    • If the Microsoft CHAP (MS-CHAP) box is checked, the PC accepts MS-CHAP version 1 but not CHAP as specified in RFC 1994.

Configuration and Debug Examples

RADIUS and PAP

Configuration - RADIUS and PAP
Current configuration:
!
version 11.2
service timestamps debug uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname rtpkrb
!
aaa new-model
!

!--- The following four command lines are specific to 
!--- Cisco IOS 11.2 and later, up until 11.3.3.T. 
!--- See below this configuration for commands
!--- for other Cisco IOS releases.

!
aaa authentication login default radius local
aaa authentication ppp default if-needed radius local
aaa authorization exec radius if-authenticated
aaa authorization network radius if-authenticated
!
enable secret 5 $1$pkX.$JdAySRE1SbdbDe7bj0wyt0
enable password ww
!
username john password 0 doe
username cse password 0 csecse
ip host rtpkrb 10.31.1.5
ip domain-name RTP.CISCO.COM
ip name-server 171.68.118.103
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 10.31.1.5 255.255.0.0
no mop enabled
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode dedicated
peer default ip address pool async
no cdp enable
ppp authentication pap
!
ip local pool async 15.15.15.15
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
snmp-server community public RW
snmp-server host 171.68.118.100 traps public
radius-server host 171.68.118.101 auth-port 1645 acct-port 1646
radius-server key cisco
!
line con 0
line 1
session-timeout 20 
exec-timeout 20 0
password ww
autoselect during-login
autoselect ppp
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
line 2
modem InOut
speed 38400
flowcontrol hardware
line 3 16
line aux 0
line vty 0 4
exec-timeout 0 0
password ww
!
end

Commands for Other Cisco IOS Releases

Note: If you use these commands, remove the highlighted commands (the four aaa lines marked by the comment in the configuration above) and paste in the commands specified for your Cisco IOS release.

Cisco IOS 11.3.3.T up to, but not including, 12.0.5.T

aaa authen login default radius local
aaa authen ppp default if-needed radius local
aaa authorization exec default radius if-authenticated
aaa authorization network default radius if-authenticated

Cisco IOS 12.0.5.T and later

aaa authen login default group radius local
aaa authen ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
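The method lists configured above (radius followed by local, with if-needed on the PPP list) decide what happens when the RADIUS server cannot answer as opposed to when it rejects the user. The following Python simulation is an added example, not Cisco code: it models the walk through a method list the way the debug output in this document shows it (a server that does not respond yields ERROR and the next method is tried; an Access-Reject yields FAIL and the list stops). The local user database is the one in the configuration above; the RADIUS user table and the comparison with a none method are constructed for illustration.

```python
"""Simulation of walking a Cisco IOS AAA authentication method list such as
'aaa authentication ppp default if-needed radius local'.
Added example, not Cisco code. The rules modelled are the ones visible in the
debug output in this document: a RADIUS server that does not answer gives
status ERROR and the next method is tried; an Access-Reject gives status FAIL
and the list stops there."""
from enum import Enum


class Status(Enum):
    PASS = "PASS"
    FAIL = "FAIL"    # the method answered and rejected the user: stop
    ERROR = "ERROR"  # the method could not answer: try the next method


class RadiusMethod:
    """RADIUS method: ERROR when the server is unreachable, FAIL on Access-Reject."""
    name = "RADIUS"

    def __init__(self, users, reachable=True):
        self.users, self.reachable = users, reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Status.ERROR  # 'No response from server' / status = ERROR
        return Status.PASS if self.users.get(user) == password else Status.FAIL


class LocalMethod:
    """Local method: the 'username ... password ...' lines in the configuration."""
    name = "LOCAL"

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        return Status.PASS if self.users.get(user) == password else Status.FAIL


class NoneMethod:
    """The 'none' keyword: accepts everyone. Shown only to make the fail-open
    risk visible; it is not in the configuration in this document."""
    name = "NONE"

    def authenticate(self, user, password):
        return Status.PASS


def run_method_list(methods, user, password, already_authenticated=False,
                    if_needed=False):
    """Walk the list like IOS does. Returns (final status, names of methods tried)."""
    if if_needed and already_authenticated:
        # 'if-needed': a user already authenticated at login is not asked again.
        return Status.PASS, []
    tried = []
    for method in methods:
        tried.append(method.name)
        status = method.authenticate(user, password)
        if status is not Status.ERROR:
            return status, tried
    # Every method returned ERROR: nobody could vouch for the user, so refuse.
    return Status.ERROR, tried


# Local database from the configuration above; RADIUS users are constructed.
LOCAL_USERS = {"john": "doe", "cse": "csecse"}
RADIUS_USERS = {"ddunlap": "example-password"}  # constructed for the example


def scenarios():
    """Replay the cases from the debug output with the 'radius local' list."""
    server_down = [RadiusMethod(RADIUS_USERS, reachable=False), LocalMethod(LOCAL_USERS)]
    server_up = [RadiusMethod(RADIUS_USERS, reachable=True), LocalMethod(LOCAL_USERS)]
    fail_open = [RadiusMethod(RADIUS_USERS, reachable=False), NoneMethod()]
    return {
        # server down, user not in local database: ERROR -> LOCAL -> FAIL
        "down_unknown_user": run_method_list(server_down, "ddunlap", "example-password"),
        # server down, user in local database: ERROR -> LOCAL -> PASS
        "down_local_user": run_method_list(server_down, "cse", "csecse"),
        # server answers with Access-Reject: FAIL, local is never consulted
        "reject": run_method_list(server_up, "ddunlap", "bad-password"),
        # 'if-needed' skips PPP authentication for a user authenticated at login
        "if_needed": run_method_list(server_up, "cse", "csecse",
                                     already_authenticated=True, if_needed=True),
        # 'radius none' with the server down lets anyone in: fail-open
        "fail_open": run_method_list(fail_open, "anyone", "anything"),
    }


if __name__ == "__main__":
    for case, (status, tried) in scenarios().items():
        print(f"{case:18} {status.value:5} via {' -> '.join(tried) or '(skipped)'}")
```

The order of the methods is what gives the configuration its behaviour: local only answers when RADIUS could not, so a dead server is survivable for users that exist locally, while a rejection from a live server is final. The last scenario shows why a trailing none method is a fail-open setting and not a fallback.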

Debug Example - RADIUS and PAP

Note: In the debug output that follows, the debugging problems are shown in bold (each problem case is introduced by a comment line). Plain text shows good debug output.

rtpkrb#
rtpkrb#sho deb
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
Radius protocol debugging is on
rtpkrb#
4d02h: As1 LCP: I CONFREQ [Closed] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x00001F67 (0x050600001F67)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: Lower layer not up, discarding packet
%LINK-3-UPDOWN: Interface Async1, changed state to up
4d02h: As1 PPP: Treating connection as a dedicated line
4d02h: As1 PPP: Phase is ESTABLISHING, Active Open
4d02h: As1 LCP: O CONFREQ [Closed] id 85 len 24
4d02h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
4d02h: As1 LCP: AuthProto PAP (0x0304C023)
4d02h: As1 LCP: MagicNumber 0xF54252D5 (0x0506F54252D5)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)


PC insists on doing chap ('accept encrypted authentication only'), 
   but router is set up for pap:
As1 LCP: I CONFNAK [REQsent] id 98 len 12
As1 LCP: AuthProto 0xC123 (0x0308C12301000001)
As1 LCP: O CONFREQ [REQsent] id 99 len 24
As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
As1 LCP: AuthProto PAP (0x0304C023)
As1 LCP: MagicNumber 0xF54D1AF8 (0x0506F54D1AF8)
As1 LCP: PFC (0x0702)
As1 LCP: ACFC (0x0802)
As1 LCP: I CONFREJ [REQsent] id 99 len 8
As1 LCP: AuthProto PAP (0x0304C023)
As1 PPP: Closing connection because remote won't authenticate

4d02h: As1 LCP: I CONFACK [REQsent] id 85 len 24
4d02h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
4d02h: As1 LCP: AuthProto PAP (0x0304C023)
4d02h: As1 LCP: MagicNumber 0xF54252D5 (0x0506F54252D5)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: I CONFREQ [ACKrcvd] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x00001F67 (0x050600001F67)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: O CONFACK [ACKrcvd] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x00001F67 (0x050600001F67)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: State is Open
4d02h: As1 PPP: Phase is AUTHENTICATING, by this end
4d02h: As1 PAP: I AUTH-REQ id 14 len 19 from "ddunlap"
4d02h: As1 PAP: Authenticating peer ddunlap
4d02h: AAA/AUTHEN: create_user (0x15AD58) user='ddunlap' ruser='' 
   port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
4d02h: AAA/AUTHEN/START (1953436918): port='Async1' list='' 
   action=LOGIN service=PPP
4d02h: AAA/AUTHEN/START (1953436918): using "default" list
4d02h: AAA/AUTHEN (1953436918): status = UNKNOWN
4d02h: AAA/AUTHEN/START (1953436918): Method=RADIUS
4d02h: RADIUS: Initial Transmit id 7 171.68.118.101:1645, 
   Access-Request, len 77
4d02h: Attribute 4 6 0A1F0105
4d02h: Attribute 5 6 00000001
4d02h: Attribute 61 6 00000000
4d02h: Attribute 1 9 6464756E
4d02h: Attribute 2 18 7882E0A5
4d02h: Attribute 6 6 00000002
4d02h: Attribute 7 6 00000001


Radius server is down - produces ERROR - since user is not 
   in local database, failover to local FAILs
As1 PAP: I AUTH-REQ id 16 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=16 already in progress
As1 PAP: I AUTH-REQ id 17 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=17 already in progress
RADIUS: Retransmit id 9
As1 PAP: I AUTH-REQ id 18 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=18 already in progress
As1 PAP: I AUTH-REQ id 19 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=19 already in progress
As1 PAP: I AUTH-REQ id 20 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=20 already in progress
RADIUS: Retransmit id 9
As1 PAP: I AUTH-REQ id 21 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=21 already in progress
As1 PAP: I AUTH-REQ id 22 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=22 already in progress
RADIUS: Retransmit id 9
As1 PAP: I AUTH-REQ id 23 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=23 already in progress
As1 LCP: I TERMREQ [Open] id 1 len 8 (0x000002CE)
As1 LCP: O TERMACK [Open] id 1 len 4
As1 PPP: Phase is TERMINATING
RADIUS: No response for id 9
%RADIUS-3-ALLDEADSERVER: No active radius servers found. Id 9.
RADIUS: No response from server
AAA/AUTHEN (3025998849): status = ERROR
AAA/AUTHEN/START (3025998849): Method=LOCAL
AAA/AUTHEN (3025998849): status = FAIL


Key in router does not match that of server:
RADIUS: Received from id 21 171.68.118.101:1645, Access-Reject, len 20
RADIUS: Reply for 21 fails decrypt


NT client sends 'DOMAIN\user' and Radius server expects 'user':
RADIUS: Received from id 11 171.68.118.101:1645, Access-Reject, len 20
AAA/AUTHEN (1406749115): status = FAIL
As1 PAP: O AUTH-NAK id 25 len 32 msg is "Password validation failure"
As1 PPP: Phase is TERMINATING
As1 LCP: O TERMREQ [Open] id 108 len 4
AAA/AUTHEN: free_user (0xDA520) user='CISCO\ddunlap' ruser='' 
   port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1


Radius server refuses user because user enters bad password, 
   or both userid & password are bad:
RADIUS: Received from id 12 171.68.118.101:1645, Access-Reject, len 20
AAA/AUTHEN (733718529): status = FAIL
As1 PAP: O AUTH-NAK id 26 len 32 msg is "Password validation failure"
As1 PPP: Phase is TERMINATING
As1 LCP: O TERMREQ [Open] id 111 len 4
AAA/AUTHEN: free_user (0x15B030) user='ddunlap' ruser='' 
   port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1


User passes authentication (i.e. username/password is good) 
   but fails authorization (profile not set up for Service-Type=Framed &
   Framed-Protocol=PPP):
RADIUS: Received from id 13 171.68.118.101:1645, Access-Accept, len 20
RADIUS: saved authorization data for user 15AD58 at 15ADF0
AAA/AUTHEN (56862281): status = PASS
AAA/AUTHOR/LCP As1: Authorize LCP
AAA/AUTHOR/LCP: Async1: (959162008): user='cse'
AAA/AUTHOR/LCP: Async1: (959162008): send AV service=ppp
AAA/AUTHOR/LCP: Async1: (959162008): send AV protocol=lcp
AAA/AUTHOR/LCP: Async1: (959162008): Method=RADIUS
RADIUS: no appropriate authorization type for user.
AAA/AUTHOR (959162008): Post authorization status = FAIL
AAA/AUTHOR/LCP As1: Denied
AAA/AUTHEN: free_user (0x15AD58) user='cse' ruser='' 
   port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
As1 PAP: O AUTH-NAK id 27 len 25 msg is "Authorization failed"

4d02h: RADIUS: Received from id 7 171.68.118.101:1645, Access-Accept, len 32
4d02h: Attribute 6 6 00000002
4d02h: Attribute 7 6 00000001
4d02h: RADIUS: saved authorization data for user 15AD58 at 16C7F4
4d02h: AAA/AUTHEN (1953436918): status = PASS
4d02h: AAA/AUTHOR/LCP As1: Authorize LCP
4d02h: AAA/AUTHOR/LCP: Async1: (2587233868): user='ddunlap'
4d02h: AAA/AUTHOR/LCP: Async1: (2587233868): send AV service=ppp
4d02h: AAA/AUTHOR/LCP: Async1: (2587233868): send AV protocol=lcp
4d02h: AAA/AUTHOR/LCP: Async1: (2587233868): Method=RADIUS
4d02h: AAA/AUTHOR (2587233868): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/LCP As1: Processing AV service=ppp
4d02h: As1 PAP: O AUTH-ACK id 14 len 5
4d02h: As1 PPP: Phase is UP
4d02h: AAA/AUTHOR/FSM As1: (0): Can we start IPCP?
4d02h: AAA/AUTHOR/FSM: Async1: (423372862): user='ddunlap'
4d02h: AAA/AUTHOR/FSM: Async1: (423372862): send AV service=ppp
4d02h: AAA/AUTHOR/FSM: Async1: (423372862): send AV protocol=ip
4d02h: AAA/AUTHOR/FSM: Async1: (423372862): Method=RADIUS
4d02h: AAA/AUTHOR (423372862): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/FSM As1: We can start IPCP
4d02h: As1 IPCP: O CONFREQ [Closed] id 17 len 10
4d02h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
4d02h: As1 IPCP: I CONFREQ [REQsent] id 1 len 34
4d02h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
4d02h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
4d02h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
4d02h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
4d02h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, we want 0.0.0.0
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, we want 0.0.0.0
4d02h: As1 IPCP: Using pool 'async'
4d02h: As1 IPCP: Pool returned 15.15.15.15
4d02h: As1 IPCP: O CONFREJ [REQsent] id 1 len 22
4d02h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
4d02h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
4d02h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
4d02h: As1 IPCP: I CONFACK [REQsent] id 17 len 10
4d02h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
4d02h: As1 IPCP: I CONFREQ [ACKrcvd] id 2 len 16
4d02h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
4d02h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, we want 15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, we want 15.15.15.15
4d02h: As1 IPCP: O CONFNAK [ACKrcvd] id 2 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: As1 IPCP: I CONFREQ [ACKrcvd] id 3 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 15.15.15.15, we want 15.15.15.15
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): user='ddunlap'
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): send AV service=ppp
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): send AV protocol=ip
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): send AV addr*15.15.15.15
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): Method=RADIUS
4d02h: AAA/AUTHOR (4204275250): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/IPCP As1: Reject 15.15.15.15, using 15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Processing AV addr*15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 15.15.15.15, we want 15.15.15.15
4d02h: As1 IPCP: O CONFACK [ACKrcvd] id 3 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: As1 IPCP: State is Open
4d02h: As1 IPCP: Install route to 15.15.15.15
rtpkrb#
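The hex values in parentheses on the LCP lines above (for example 0x0304C023) and the "Attribute <type> <length> <bytes>" lines from debug radius are compact but readable once decoded. The following Python decoder is an added example, not part of the original document: it decodes LCP configuration options as defined in RFC 1661 and summarises the RADIUS attribute lines per RFC 2865, taking into account that the router prints the full attribute length but only the first four value bytes. The sample lines are copied from the output above; the option and attribute name tables are the standard values from those RFCs.

```python
"""Decoders for the hex shown in Cisco 'debug ppp negotiation' and 'debug radius'
output. Added example, not part of the original document. Option and attribute
names are the standard RFC 1661 / RFC 2865 values; the sample lines are copied
from the debug output in this document."""
import re

# LCP configuration option types (RFC 1661) seen in the output above.
LCP_OPTIONS = {1: "MRU", 2: "ACCM", 3: "AuthProto", 5: "MagicNumber",
               7: "PFC", 8: "ACFC"}
# PPP authentication protocol numbers carried in the AuthProto option.
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}
# CHAP algorithm byte: 5 is RFC 1994 MD5; 0x80 / 0x81 are MS-CHAP v1 / v2.
CHAP_ALGORITHMS = {0x05: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}


def decode_lcp_option(hexdump):
    """Decode one parenthesised LCP option, e.g. '0x0304C023' -> 'AuthProto PAP'."""
    data = bytes.fromhex(hexdump[2:] if hexdump.startswith("0x") else hexdump)
    opt_type, opt_len, payload = data[0], data[1], data[2:]
    if opt_len != len(data):  # the length byte covers the type and length bytes too
        raise ValueError(f"length byte {opt_len} != {len(data)} bytes in {hexdump}")
    name = LCP_OPTIONS.get(opt_type, f"Option{opt_type}")
    if opt_type == 3:
        proto = int.from_bytes(payload[:2], "big")
        text = AUTH_PROTOCOLS.get(proto, f"0x{proto:04X}")  # unknown: raw, as IOS prints it
        if proto == 0xC223 and len(payload) > 2:
            text += " " + CHAP_ALGORITHMS.get(payload[2], f"alg 0x{payload[2]:02X}")
        return f"{name} {text}"
    if opt_type in (2, 5):
        return f"{name} 0x{int.from_bytes(payload, 'big'):08X}"
    if opt_type == 1:
        return f"{name} {int.from_bytes(payload, 'big')}"
    return name if not payload else f"{name} {payload.hex().upper()}"


# RADIUS attribute types (RFC 2865) that appear in the Access-Request above.
RADIUS_ATTRIBUTES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
                     4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
                     7: "Framed-Protocol", 61: "NAS-Port-Type"}
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}
FRAMED_PROTOCOLS = {1: "PPP", 2: "SLIP"}
NAS_PORT_TYPES = {0: "Async", 1: "Sync", 2: "ISDN Sync", 5: "Virtual"}
ATTR_LINE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")


def decode_radius_attribute(line):
    """Decode a 'debug radius' attribute line. IOS prints the type, the full
    attribute length (2-byte header included) and only the first four value
    bytes, so long values such as User-Name are truncated in the output."""
    m = ATTR_LINE.search(line)
    if not m:
        raise ValueError(f"not an attribute line: {line!r}")
    attr_type, length = int(m.group(1)), int(m.group(2))
    head = bytes.fromhex(m.group(3))
    value_len = length - 2
    if value_len < 0 or len(head) > value_len:
        raise ValueError(f"inconsistent length {length} in {line!r}")
    word = int.from_bytes(head, "big") if len(head) == 4 else None
    if attr_type == 4:
        decoded = ".".join(str(b) for b in head)
    elif attr_type == 5:
        decoded = str(word)
    elif attr_type == 6:
        decoded = SERVICE_TYPES.get(word, str(word))
    elif attr_type == 7:
        decoded = FRAMED_PROTOCOLS.get(word, str(word))
    elif attr_type == 61:
        decoded = NAS_PORT_TYPES.get(word, str(word))
    elif attr_type == 1:
        text = head.decode("ascii", "replace")
        decoded = f'"{text}"' if len(head) == value_len else f'"{text}"... ({value_len} chars)'
    elif attr_type == 2:
        decoded = f"hidden password, {value_len} bytes"  # RFC 2865 MD5/XOR hiding
    elif attr_type == 3:
        decoded = f"CHAP ident {head[0]}, {value_len - 1}-byte response"
    else:
        decoded = head.hex().upper()
    return {"type": attr_type, "length": length, "decoded": decoded,
            "name": RADIUS_ATTRIBUTES.get(attr_type, f"Attribute-{attr_type}")}


OPTION_DUMP = re.compile(r"\((0x[0-9A-Fa-f]+)\)\s*$")


def summarize(debug_text):
    """Decode every LCP option dump and RADIUS attribute line in a debug capture."""
    out = []
    for line in debug_text.splitlines():
        m = OPTION_DUMP.search(line)
        if m and "LCP:" in line:
            try:
                out.append(decode_lcp_option(m.group(1)))
            except ValueError:  # e.g. the data field of a TERMREQ is not an option
                out.append(f"raw {m.group(1)}")
        elif ATTR_LINE.search(line):
            a = decode_radius_attribute(line)
            out.append(f"{a['name']} (len {a['length']}): {a['decoded']}")
    return out


# Constructed sample: lines copied from the debug output in this document.
SAMPLE_DEBUG = """\
4d02h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
4d02h: As1 LCP: AuthProto PAP (0x0304C023)
As1 LCP: AuthProto 0xC123 (0x0308C12301000001)
4d02h: As1 LCP: AuthProto CHAP (0x0305C22305)
As1 LCP: I TERMREQ [Open] id 1 len 8 (0x000002CE)
4d02h: Attribute 4 6 0A1F0105
4d02h: Attribute 61 6 00000000
4d02h: Attribute 1 9 6464756E
4d02h: Attribute 3 19 0B895D57
4d02h: Attribute 6 6 00000002
"""

if __name__ == "__main__":
    for item in summarize(SAMPLE_DEBUG):
        print(item)
```

Two details the decoder makes visible: the User-Name attribute has length 9, so the value is 7 characters (ddunlap) even though only "ddun" is printed, and the CHAP-Password attribute of length 19 carries the CHAP identifier 11 in its first value byte, matching the "O CHALLENGE id 11" line in the CHAP output later in this document.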

RADIUS and CHAP

Configuration - RADIUS and CHAP
Current configuration:
!
version 11.2
service timestamps debug uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname rtpkrb
!
aaa new-model
!

!--- The following four command lines are specific to 
!--- Cisco IOS 11.2 and later, up until 11.3.3.T. 
!--- See below this configuration for commands
!--- for other Cisco IOS releases.

!
aaa authentication login default radius local
aaa authentication ppp default if-needed radius local
aaa authorization exec radius if-authenticated
aaa authorization network radius if-authenticated
!
enable secret 5 $1$pkX.$JdAySRE1SbdbDe7bj0wyt0
enable password ww
!
username john password 0 doe
username cse password 0 csecse
ip host rtpkrb 10.31.1.5
ip name-server 171.68.118.103
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 10.31.1.5 255.255.0.0
no mop enabled
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode dedicated
peer default ip address pool async
no cdp enable
ppp authentication chap
!
ip local pool async 15.15.15.15
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
snmp-server community public RW
snmp-server host 171.68.118.100 traps public
radius-server host 171.68.118.101 auth-port 1645 acct-port 1646
radius-server key cisco
!
line con 0
line 1
session-timeout 20 
exec-timeout 20 0
password ww
autoselect during-login
autoselect ppp
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
line 2
modem InOut
speed 38400
flowcontrol hardware
line 3 16
line aux 0
line vty 0 4
exec-timeout 0 0
password ww
!
end

Commands for Other Cisco IOS Releases

Note: If you use these commands, remove the highlighted commands (the four aaa lines marked by the comment in the configuration above) and paste in the commands specified for your Cisco IOS release.

Cisco IOS 11.3.3.T up to, but not including, 12.0.5.T

aaa authen login default radius local
aaa authen ppp default if-needed radius local
aaa authorization exec default radius if-authenticated
aaa authorization network default radius if-authenticated

Cisco IOS 12.0.5.T and later

aaa authen login default group radius local 
aaa authen ppp default if-needed group radius local 
aaa authorization exec default group radius if-authenticated 
aaa authorization network default group radius if-authenticated

Debug Example - RADIUS and CHAP

Note: In the debug output that follows, the debugging problems are shown in bold (each problem case is introduced by a comment line). Plain text shows good debug output.

rtpkrb#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
Radius protocol debugging is on
rtpkrb#
4d02h: As1 LCP: I CONFREQ [Closed] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x0000405F (0x05060000405F)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: Lower layer not up, discarding packet
%LINK-3-UPDOWN: Interface Async1, changed state to up
4d02h: As1 PPP: Treating connection as a dedicated line
4d02h: As1 PPP: Phase is ESTABLISHING, Active Open
4d02h: As1 LCP: O CONFREQ [Closed] id 87 len 25
4d02h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
4d02h: As1 LCP: AuthProto CHAP (0x0305C22305)
4d02h: As1 LCP: MagicNumber 0xF5445B55 (0x0506F5445B55)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: I CONFACK [REQsent] id 87 len 25
4d02h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
4d02h: As1 LCP: AuthProto CHAP (0x0305C22305)
4d02h: As1 LCP: MagicNumber 0xF5445B55 (0x0506F5445B55)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: I CONFREQ [ACKrcvd] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x0000405F (0x05060000405F)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: O CONFACK [ACKrcvd] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x0000405F (0x05060000405F)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: State is Open
4d02h: As1 PPP: Phase is AUTHENTICATING, by this end
4d02h: As1 CHAP: O CHALLENGE id 11 len 27 from "rtpkrb"
4d02h: As1 CHAP: I RESPONSE id 11 len 28 from "chapadd"
4d02h: AAA/AUTHEN: create_user (0x15AD58) user='chapadd' ruser='' 
   port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
4d02h: AAA/AUTHEN/START (575703226): port='Async1' list='' 
   action=LOGIN service=PPP
4d02h: AAA/AUTHEN/START (575703226): using "default" list
4d02h: AAA/AUTHEN (575703226): status = UNKNOWN
4d02h: AAA/AUTHEN/START (575703226): Method=RADIUS
4d02h: RADIUS: Initial Transmit id 8 171.68.118.101:1645, 
   Access-Request, len 78
4d02h: Attribute 4 6 0A1F0105
4d02h: Attribute 5 6 00000001
4d02h: Attribute 61 6 00000000
4d02h: Attribute 1 9 63686170
4d02h: Attribute 3 19 0B895D57
4d02h: Attribute 6 6 00000002
4d02h: Attribute 7 6 00000001


Radius server is down - produces ERROR - since user is not 
   in local database, failover to local FAILs:
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
RADIUS: Retransmit id 15
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
RADIUS: Retransmit id 15
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
RADIUS: Retransmit id 15
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 LCP: I TERMREQ [Open] id 1 len 8 (0x000002CE)
As1 LCP: O TERMACK [Open] id 1 len 4
As1 PPP: Phase is TERMINATING
RADIUS: id 15, requester hung up.
RADIUS: No response for id 15
RADIUS: No response from server
AAA/AUTHEN (1866705040): status = ERROR
AAA/AUTHEN/START (1866705040): Method=LOCAL
AAA/AUTHEN (1866705040): status = FAIL
As1 CHAP: Unable to validate Response. Username chapadd: Authentication failure
As1 CHAP: O FAILURE id 12 len 26 msg is "Authentication failure"
AAA/AUTHEN: free_user (0x1716B8) user='chapadd' ruser='' 
   port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1


Key in router does not match that of server:
RADIUS: Received from id 21 171.68.118.101:1645, Access-Reject, len 20
RADIUS: Reply for 21 fails decrypt

NT client sends 'DOMAIN\user' and Radius server expects 'user':
RADIUS: Received from id 16 171.68.118.101:1645, Access-Reject, len 20
AAA/AUTHEN (2974782384): status = FAIL
As1 CHAP: Unable to validate Response. Username CISCO\chapadd: 
   Authentication failure
As1 CHAP: O FAILURE id 13 len 26 msg is "Authentication failure"
As1 PPP: Phase is TERMINATING
As1 LCP: O TERMREQ [Open] id 131 len 4
AAA/AUTHEN: free_user (0x171700) user='CISCO\chapadd' ruser='' 
   port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1


Radius server refuses user because user is set up for pap, 
   user enters bad password, or both userid & password are bad:
RADIUS: Received from id 17 171.68.118.101:1645, Access-Reject, len 20
AAA/AUTHEN (3898168391): status = FAIL
As1 CHAP: Unable to validate Response. Username ddunlap: Authentication failure
As1 CHAP: O FAILURE id 14 len 26 msg is "Authentication failure"
As1 PPP: Phase is TERMINATING
As1 LCP: O TERMREQ [Open] id 134 len 4
AAA/AUTHEN: free_user (0x1716B8) user='ddunlap' ruser='' 
   port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1

User PASSes authentication (i.e. username/password is good) 
   but FAILs authorization (profile not set up for Service-Type=Framed &
   Framed-Protocol=PPP):
RADIUS: Received from id 19 171.68.118.101:1645, Access-Accept, len 20
AAA/AUTHEN (2006894701): status = PASS
AAA/AUTHOR/LCP As1: Authorize LCP
AAA/AUTHOR/LCP: Async1: (2370106832): user='noauth'
AAA/AUTHOR/LCP: Async1: (2370106832): send AV service=ppp
AAA/AUTHOR/LCP: Async1: (2370106832): send AV protocol=lcp
AAA/AUTHOR/LCP: Async1: (2370106832): Method=RADIUS
RADIUS: no appropriate authorization type for user.
AAA/AUTHOR (2370106832): Post authorization status = FAIL
AAA/AUTHOR/LCP As1: Denied

4d02h: RADIUS: Received from id 8 171.68.118.101:1645, Access-Accept, len 32
4d02h: Attribute 6 6 00000002
4d02h: Attribute 7 6 00000001
4d02h: AAA/AUTHEN (575703226): status = PASS
4d02h: AAA/AUTHOR/LCP As1: Authorize LCP
4d02h: AAA/AUTHOR/LCP: Async1: (4143416222): user='chapadd'
4d02h: AAA/AUTHOR/LCP: Async1: (4143416222): send AV service=ppp
4d02h: AAA/AUTHOR/LCP: Async1: (4143416222): send AV protocol=lcp
4d02h: AAA/AUTHOR/LCP: Async1: (4143416222): Method=RADIUS
4d02h: AAA/AUTHOR (4143416222): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/LCP As1: Processing AV service=ppp
4d02h: As1 CHAP: O SUCCESS id 11 len 4
4d02h: As1 PPP: Phase is UP
4d02h: AAA/AUTHOR/FSM As1: (0): Can we start IPCP?
4d02h: AAA/AUTHOR/FSM: Async1: (1916451991): user='chapadd'
4d02h: AAA/AUTHOR/FSM: Async1: (1916451991): send AV service=ppp
4d02h: AAA/AUTHOR/FSM: Async1: (1916451991): send AV protocol=ip
4d02h: AAA/AUTHOR/FSM: Async1: (1916451991): Method=RADIUS
4d02h: AAA/AUTHOR (1916451991): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/FSM As1: We can start IPCP
4d02h: As1 IPCP: O CONFREQ [Closed] id 19 len 10
4d02h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
4d02h: As1 IPCP: I CONFREQ [REQsent] id 1 len 34
4d02h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
4d02h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
4d02h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
4d02h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
4d02h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, we want 0.0.0.0
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, we want 0.0.0.0
4d02h: As1 IPCP: Using pool 'async'
4d02h: As1 IPCP: Pool returned 15.15.15.15
4d02h: As1 IPCP: O CONFREJ [REQsent] id 1 len 22
4d02h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
4d02h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
4d02h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
4d02h: As1 IPCP: I CONFACK [REQsent] id 19 len 10
4d02h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
4d02h: As1 IPCP: I CONFREQ [ACKrcvd] id 2 len 16
4d02h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
4d02h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, we want 15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, we want 15.15.15.15
4d02h: As1 IPCP: O CONFNAK [ACKrcvd] id 2 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: As1 IPCP: I CONFREQ [ACKrcvd] id 3 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 15.15.15.15, we want 15.15.15.15
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): user='chapadd'
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): send AV service=ppp
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): send AV protocol=ip
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): send AV addr*15.15.15.15
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): Method=RADIUS
4d02h: AAA/AUTHOR (1096193147): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/IPCP As1: Reject 15.15.15.15, using 15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Processing AV addr*15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 15.15.15.15, we want 15.15.15.15
4d02h: As1 IPCP: O CONFACK [ACKrcvd] id 3 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: As1 IPCP: State is Open
%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
4d02h: As1 IPCP: Install route to 15.15.15.15
rtpkrb#
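Two of the failure cases shown in both the PAP and the CHAP output come down to cryptographic checks. "Reply for 21 fails decrypt" appears when the radius-server key on the router differs from the key on the server, because the Response Authenticator on the reply no longer verifies; and an account the server holds only for PAP cannot be validated under CHAP, because the server has to recompute the RFC 1994 MD5 over the cleartext password and the challenge. The following Python code is an added example, not Cisco code or any RADIUS server's code: it builds the CHAP response and the 19-byte CHAP-Password attribute (the "Attribute 3 19" line above) and shows the RFC 2865 Response Authenticator check succeeding with the key cisco from the configuration and failing with a different key. The challenge bytes, the request authenticator and the alternative key are constructed; the CHAP id 11 and the Access-Reject id 21 with length 20 are taken from the output above.

```python
"""CHAP (RFC 1994) and RADIUS (RFC 2865) checks behind two failure cases in the
debug output above. Added example, not Cisco code or any RADIUS server's code.
The challenge, the request authenticator and the wrong key are constructed;
the shared key 'cisco' and the CHAP id 11 come from this document."""
import hashlib
import hmac
import struct


def chap_response(ident, secret, challenge):
    """RFC 1994 MD5 response: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_password_attribute(ident, response):
    """RADIUS CHAP-Password attribute (type 3): 2-byte header + ident + 16-byte
    response = 19 bytes, the length printed in the 'Attribute 3 19' line above."""
    value = bytes([ident]) + response
    return bytes([3, 2 + len(value)]) + value


def server_verifies_chap(ident, stored_cleartext, challenge, response):
    """The server can verify CHAP only by recomputing the MD5 over the cleartext
    password it stores. A one-way hash of the password, or a profile that only
    allows PAP, cannot produce this value, hence Access-Reject under CHAP."""
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def response_authenticator(code, ident, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, ident, attributes, request_auth, secret):
    """Server side: an Access-Accept (code 2) or Access-Reject (code 3) packet."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes


def client_accepts_reply(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator with its own key before
    trusting the reply. With a different key the MD5 does not match, which IOS
    reports as 'Reply for <id> fails decrypt'."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Replay both cases with constructed values and return the outcomes."""
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    ident = 11                   # 'O CHALLENGE id 11' in the CHAP output above
    password = b"csecse"         # 'username cse password 0 csecse' in the config
    response = chap_response(ident, password, challenge)
    attr = chap_password_attribute(ident, response)

    request_auth = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
    # Access-Reject, id 21, no attributes: 20 bytes, like 'Access-Reject, len 20'
    reply = build_reply(3, 21, b"", request_auth, b"cisco")
    return {
        "attr_len": len(attr), "attr_type": attr[0], "attr_ident": attr[2],
        "chap_ok": server_verifies_chap(ident, password, challenge, response),
        "chap_wrong_password": server_verifies_chap(ident, b"wrong", challenge, response),
        "reply_len": len(reply),
        "reply_ok_same_key": client_accepts_reply(reply, request_auth, b"cisco"),
        "reply_other_key": client_accepts_reply(reply, request_auth, b"not-cisco"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The Response Authenticator is the only integrity protection a plain RFC 2865 reply carries, so a key mismatch is indistinguishable to the router from a forged reply and is correctly discarded; when this message appears, compare the radius-server key with the client entry on the server before looking anywhere else. The CHAP verification uses MD5 because RFC 1994 defines it that way; MS-CHAP version 1, which the Windows 2000 setting above selects separately, uses a different computation and is not covered here.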

debug Commands

The following debug commands were used to produce the sample debug output in this document.

Note: Before you issue debug commands, refer to Important Information on Debug Commands.

  • debug aaa authentication - Displays information on AAA authentication.

  • debug aaa authorization - Displays information on AAA authorization.

  • debug radius - Displays detailed debugging information associated with Remote Authentication Dial-In User Service (RADIUS).

  • debug ppp negotiation - Displays PPP packets transmitted during PPP startup, where PPP options are negotiated.

Document ID: 13862