セキュリティ : Cisco IOS ファイアウォール

認証プロキシのトラブルシューティング

2016 年 10 月 27 日 - 機械翻訳について
その他のバージョン: PDFpdf | ライター翻訳版 (2002 年 10 月 29 日) | 英語版 (2015 年 8 月 22 日) | フィードバック


目次


概要

この資料は利用可能 な Cisco IOS 内のメカニズムを解決すること定義し、示したものですか。 認証プロキシ(Auth-proxy)関連問題を解決するため。 このドキュメントでは、debug および show コマンドを定義し、これらのデバッグおよびコマンドの例を示します。

前提条件

要件

このドキュメントに関する固有の要件はありません。

使用するコンポーネント

このドキュメントは、特定のソフトウェアやハードウェアのバージョンに限定されるものではありません。

表記法

ドキュメント表記の詳細は、『シスコ テクニカル ティップスの表記法』を参照してください。

debug およびclear コマンド

debug コマンドを使用する前に、「debug コマンドに関する重要な情報」を参照してください。

  • debug tacacs | 半径- TACACS か RADIUS と関連付けられる情報を表示する。

  • debug aaa authentication - AAA/TACACS+ の認証に関する情報を表示します。 どんな認証方式が使用され、ものこれらのメソッドの結果がであるか見るのに使用しました。

  • debug aaa authorization:AAA/TACACS+ 許可に関する情報を表示します。 許可のどんなメソッドが使用され、ものこれらのメソッドの結果がであるか見るのに使用しました。

必要ならば、これらのコマンドを使用して下さい:

  • debug ip auth-proxy {function - trace} -認証プロキシ 機能を表示する。

  • debug ip auth-proxy {http} -認証プロキシに関する HTTP イベントを表示する。

セッションの間でクリアするために、このコマンドを使用して下さい:

  • clear ip auth-proxy cache {* | ホスト IP アドレス} -ユーザ プロファイルおよびダイナミック アクセス コントロール リスト(ACL)を含むすべての認証プロキシ エントリを、削除します。 IP アドレスが規定 される場合、特定のホストのための認証プロキシ エントリを削除します。

show ip access-lists コマンド - 発信

access-list コマンドの実行前:

sec-3640#show ip access-lists       
Extended IP access list 116
    permit tcp host 10.31.1.47 host 10.31.1.150 eq www
    deny tcp host 10.31.1.47 any (16 matches)
    deny udp host 10.31.1.47 any (26 matches)
    deny icmp host 10.31.1.47 any
    permit tcp 10.31.1.0 0.0.0.255 any (53 matches)
    permit udp 10.31.1.0 0.0.0.255 any (74 matches)
    permit icmp 10.31.1.0 0.0.0.255 any
    permit icmp 171.68.118.0 0.0.0.255 any
    permit tcp 171.68.118.0 0.0.0.255 any (242 matches)
    permit udp 171.68.118.0 0.0.0.255 any

access-list コマンドの実行後:

Extended IP access list 116
    permit udp host 10.31.1.47 any (3 matches) <  added by authproxy 
    permit tcp host 10.31.1.47 any <  added by authproxy 
    permit icmp host 10.31.1.47 any < added by authproxy 

    permit tcp host 10.31.1.47 host 10.31.1.150 eq www
    deny tcp host 10.31.1.47 any (18 matches)
    deny udp host 10.31.1.47 any (26 matches)
    deny icmp host 10.31.1.47 any
    permit tcp 10.31.1.0 0.0.0.255 any (53 matches)
    permit udp 10.31.1.0 0.0.0.255 any (74 matches)
    permit icmp 10.31.1.0 0.0.0.255 any
    permit icmp 171.68.118.0 0.0.0.255 any
    permit tcp 171.68.118.0 0.0.0.255 any (264 matches)
    permit udp 171.68.118.0 0.0.0.255 any

デバッグ

正常なルータのデバッグ - TACACS - 発信

00:32:30: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:30: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:30: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:30:  F ack 1260991237 seq 410073(0)
00:32:30: dst_addr 185273100 src_addr 169804079 DST_port 80 src_port 4521
00:32:30: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:30: AUTH_PROXY: not a SYN packet
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:32:  F ack 1260991237 seq 410073(0)
00:32:32: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4521
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH_PROXY: not a SYN packet
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_if_marked_for_proxy
00:32:32: AUTH-PROXY FUNC: auth_proxy_get_idbsb
00:32:32: AUTH-PROXY FUNC: auth_proxy_find_aprt_of_aprc_by_protocol
00:32:32: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:32:  S seq 410077(0)
00:32:32: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4535
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_if_marked_for_proxy
00:32:32: AUTH-PROXY FUNC: auth_proxy_get_idbsb
00:32:32: AUTH-PROXY FUNC: auth_proxy_find_aprt_of_aprc_by_protocol
00:32:32: AUTH-PROXY FUNC: auth_proxy_new_connection
00:32:32: AUTH-PROXY FUNC: auth_proxy_add_conn_info
00:32:32: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:32:  ack 2957488078 seq 410078(0)
00:32:32: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4535
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: clientport 4535 state 0
00:32:32: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:32:  P ack 2957488078 seq 410078(290)
00:32:32: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4535
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: clientport 4535 state 0
00:32:32: AUTH-PROXY FUNC: auth_proxy_find_cache
00:32:32: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_wait_for_next_pwd
00:32:32: AUTH-PROXY FUNC: auth_proxy_received_get
00:32:32: AUTH-PROXY FUNC: auth_proxy_find_cache
00:32:32: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_save_timestamp
00:32:32: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:32:  ack 2957489275 seq 410368(0)
00:32:32: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4535
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: clientport 4535 state 0
00:32:32: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:32:  F ack 2957489275 seq 410368(0)
00:32:32: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4535
00:32:32: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:32: clientport 4535 state 0
00:32:36: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:36: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:36:  F ack 1260991237 seq 410073(0)
00:32:36: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4521
00:32:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:36: clientport 4535 state 0
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:45: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:45:  S seq 410193(0)
00:32:45: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4542
00:32:45: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:45: clientport 4521 state 0
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:45: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:45:  ack 2970312961 seq 410194(0)
00:32:45: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4542
00:32:45: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:45: clientport 4542 state 0
00:32:45: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:45:  P ack 2970312961 seq 410194(449)
00:32:45: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4542
00:32:45: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:45: clientport 4542 state 0
00:32:45: AUTH-PROXY FUNC: auth_proxy_find_cache
00:32:45: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:45: AUTH-PROXY FUNC: auth_proxy_required_reauth
00:32:45: AUTH-PROXY FUNC: auth_proxy_same_timestamp
00:32:45: AUTH-PROXY FUNC: auth_proxy_wait_for_next_pwd
00:32:45: AAA: parse name=a} idb type=-1 tty=-1
00:32:45: AAA/MEMORY: create_user (0x61C23FE4) user='' ruser='' 
port='a}' rem_addr='' authen_type=ASCII service=LOGIN priv=0
00:32:45: AAA/AUTHEN/START (3351494599): port='a}' list='default' 
action=LOGIN service=LOGIN
00:32:45: AAA/AUTHEN/START (3351494599): found list default
00:32:45: AAA/AUTHEN/START (3351494599): Method=RTP (tacacs+)
00:32:45: TAC+: send AUTHEN/START packet ver=192 id=3351494599
00:32:45: TAC+: Using default tacacs server-group "RTP" list.
00:32:45: TAC+: Opening TCP/IP to 171.68.118.84/49 timeout=5
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: TAC+: Opened TCP/IP handle 0x61CA39A0 to 171.68.118.84/49
00:32:45: TAC+: 171.68.118.84 (3351494599) AUTHEN/START/LOGIN/ASCII queued
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: TAC+: (3351494599) AUTHEN/START/LOGIN/ASCII processed
00:32:45: TAC+: ver=192 id=3351494599 received AUTHEN status = GETUSER
00:32:45: AAA/AUTHEN (3351494599): status = GETUSER
00:32:45: AAA/AUTHEN/CONT (3351494599): continue_login (user='(undef)')
00:32:45: AAA/AUTHEN (3351494599): status = GETUSER
00:32:45: AAA/AUTHEN (3351494599): Method=RTP (tacacs+)
00:32:45: TAC+: send AUTHEN/CONT packet id=3351494599
00:32:45: TAC+: 171.68.118.84 (3351494599) AUTHEN/CONT queued
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: TAC+: (3351494599) AUTHEN/CONT processed
00:32:45: TAC+: ver=192 id=3351494599 received AUTHEN status = GETPASS
00:32:45: AAA/AUTHEN (3351494599): status = GETPASS
00:32:45: AAA/AUTHEN/CONT (3351494599): continue_login (user='proxyonly')
00:32:45: AAA/AUTHEN (3351494599): status = GETPASS
00:32:45: AAA/AUTHEN (3351494599): Method=RTP (tacacs+)
00:32:45: TAC+: send AUTHEN/CONT packet id=3351494599
00:32:45: TAC+: 171.68.118.84 (3351494599) AUTHEN/CONT queued
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: TAC+: (3351494599) AUTHEN/CONT processed
00:32:45: TAC+: ver=192 id=3351494599 received AUTHEN status = PASS
00:32:45: AAA/AUTHEN (3351494599): status = PASS
00:32:45: TAC+: Closing TCP/IP 0x61CA39A0 connection to 171.68.118.84/49
00:32:45: a} AAA/AUTHOR/HTTP (4113551585): Port='a}' list='default'
 service=AUTH-PROXY
00:32:45: AAA/AUTHOR/HTTP: a} (4113551585) user='proxyonly'
00:32:45: a} AAA/AUTHOR/HTTP (4113551585): send AV service=auth-proxy
00:32:45: a} AAA/AUTHOR/HTTP (4113551585): send AV cmd*
00:32:45: a} AAA/AUTHOR/HTTP (4113551585): found list "default"
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: a} AAA/AUTHOR/HTTP (4113551585): Method=RTP (tacacs+)
00:32:45: AAA/AUTHOR/TAC+: (4113551585): user=proxyonly
00:32:45: AAA/AUTHOR/TAC+: (4113551585): send AV service=auth-proxy
00:32:45: AAA/AUTHOR/TAC+: (4113551585): send AV cmd*
00:32:45: TAC+: using previously set server 171.68.118.84 from group RTP
00:32:45: TAC+: Opening TCP/IP to 171.68.118.84/49 timeout=5
00:32:45: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:45: TAC+: Opened TCP/IP handle 0x61CA3E1C to 171.68.118.84/49
00:32:45: TAC+: Opened 171.68.118.84 index=1
00:32:45: TAC+: 171.68.118.84 (4113551585) AUTHOR/START queued
00:32:46: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:46: TAC+: (4113551585) AUTHOR/START processed
00:32:46: TAC+: (4113551585): received author response status = PASS_ADD
00:32:46: TAC+: Closing TCP/IP 0x61CA3E1C connection to 171.68.118.84/49
00:32:46: AAA/AUTHOR (4113551585): Post authorization status = PASS_ADD
00:32:46: AUTH-PROXY FUNC: auth_proxy_copy_attrs
00:32:46: AUTH-PROXY FUNC: auth_proxy_find_cache
00:32:46: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:46: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:46: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:46: AUTH-PROXY FUNC: auth_proxy_find_cache
00:32:46: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:46: AUTH-PROXY FUNC: auth_proxy_http_accept
00:32:46: AUTH-PROXY FUNC: auth_proxy_proc_profile
00:32:46: AUTH-PROXY FUNC: auth_proxy_add_acl_item
00:32:46: AUTH-PROXY FUNC: auth_proxy_add_acl_item
00:32:46: AUTH-PROXY FUNC: auth_proxy_add_acl_item
00:32:46: AUTH-PROXY FUNC: auth_proxy_add_acl_item
00:32:46: AUTH-PROXY FUNC: auth_proxy_add_acl_item
00:32:46: AUTH-PROXY FUNC: auth_proxy_add_acl_item
00:32:46: AAA/MEMORY: free_user (0x61C23FE4) user='proxyonly' 
ruser='' port='a}' rem_addr='' authen_type=ASCII service=LOGIN priv=0
00:32:46: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:46: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:46: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:46: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:46: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:46:  ack 2970313958 seq 410643(0)
00:32:46: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4542
00:32:46: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:46: clientport 4542 state 2
00:32:46: AUTH-PROXY FUNC: auth_proxy_process_path
00:32:46:  F ack 2970313958 seq 410643(0)
00:32:46: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4542
00:32:46: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:46: clientport 4542 state 2
00:32:49: AUTH-PROXY FUNC: auth_proxy_timers
00:32:49: AUTH-PROXY FUNC: auth_proxy_handle_finwait_timeout
00:32:51: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:51: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:51: AUTH-PROXY FUNC: auth_proxy_set_hit
00:32:51: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:51: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:51: AUTH-PROXY FUNC: auth_proxy_set_hit
00:32:51: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:51: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:51: AUTH-PROXY FUNC: auth_proxy_set_hit
00:32:51: AUTH-PROXY FUNC: auth_proxy_fast_path
00:32:51: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
00:32:51: AUTH-PROXY FUNC: auth_proxy_set_hit
00:32:54: AUTH-PROXY FUNC: auth_proxy_fast_path

正常なルータのデバッグ - RADIUS - 発信

01:23:18: AUTH-PROXY FUNC: auth_proxy_destroy_all_conn_info
01:23:18: AUTH-PROXY FUNC: auth_proxy_remove_conn_info
01:23:18: AUTH-PROXY FUNC: auth_proxy_delete_conn_info
01:23:18: AUTH-PROXY FUNC: auth_proxy_remove_all_acl
01:23:21: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:21: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:21: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:21:  F ack 3679167246 seq 413771(0)
01:23:21: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4851
01:23:21: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:21: AUTH_PROXY: not a SYN packet
 
01:23:23: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: AUTH-PROXY FUNC: auth_proxy_if_marked_for_proxy
01:23:23: AUTH-PROXY FUNC: auth_proxy_get_idbsb
01:23:23: AUTH-PROXY FUNC: auth_proxy_find_aprt_of_aprc_by_protocol
01:23:23: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:23:  S seq 414827(0)
01:23:23: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4943
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: AUTH-PROXY FUNC: auth_proxy_if_marked_for_proxy
01:23:23: AUTH-PROXY FUNC: auth_proxy_get_idbsb
01:23:23: AUTH-PROXY FUNC: auth_proxy_find_aprt_of_aprc_by_protocol
01:23:23: AUTH-PROXY FUNC: auth_proxy_new_connection
01:23:23: AUTH-PROXY FUNC: auth_proxy_add_conn_info
01:23:23: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:23:  ack 1713887638 seq 414828(0)
01:23:23: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4943
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: clientport 4943 state 0
01:23:23: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:23:  P ack 1713887638 seq 414828(290)
01:23:23: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4943
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: clientport 4943 state 0
01:23:23: AUTH-PROXY FUNC: auth_proxy_find_cache
01:23:23: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: AUTH-PROXY FUNC: auth_proxy_wait_for_next_pwd
01:23:23: AUTH-PROXY FUNC: auth_proxy_received_get
01:23:23: AUTH-PROXY FUNC: auth_proxy_find_cache
01:23:23: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: AUTH-PROXY FUNC: auth_proxy_save_timestamp
01:23:23: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:23:  ack 1713888835 seq 415118(0)
01:23:23: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4943
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: clientport 4943 state 0
01:23:23: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:23:  F ack 1713888835 seq 415118(0)
01:23:23: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4943
01:23:23: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:23: clientport 4943 state 0
01:23:24: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:24: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:24: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:24:  F ack 3679167246 seq 413771(0)
01:23:24: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4851
01:23:24: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:24: clientport 4943 state 0
01:23:36: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:36:  S seq 414841(0)
01:23:36: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4944
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: clientport 4851 state 0
01:23:36: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:36:  ack 1726143121 seq 414842(0)
01:23:36: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4944
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: clientport 4944 state 0
01:23:36: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:36:  P ack 1726143121 seq 414842(449)
01:23:36: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4944
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: clientport 4944 state 0
01:23:36: AUTH-PROXY FUNC: auth_proxy_find_cache
01:23:36: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: AUTH-PROXY FUNC: auth_proxy_required_reauth
01:23:36: AUTH-PROXY FUNC: auth_proxy_same_timestamp
01:23:36: AUTH-PROXY FUNC: auth_proxy_wait_for_next_pwd
01:23:36: AAA: parse name=a} idb type=-1 TTY=-1
01:23:36: AAA/MEMORY: create_user (0x61C52DD8) user='' ruser='' port='a}' 
rem_addr='' authen_type=ASCII service=LOGIN priv=0
01:23:36: AAA/AUTHEN/START (1504053479): port='a}' list='default' 
action=LOGIN service=LOGIN
01:23:36: AAA/AUTHEN/START (1504053479): found list default
01:23:36: AAA/AUTHEN/START (1504053479): Method=LOCAL
01:23:36: AAA/AUTHEN (1504053479): status = GETUSER
01:23:36: AAA/AUTHEN/CONT (1504053479): continue_login (user='(undef)')
01:23:36: AAA/AUTHEN (1504053479): status = GETUSER
01:23:36: AAA/AUTHEN/CONT (1504053479): Method=LOCAL
01:23:36: AAA/AUTHEN (1504053479): User not found, emulating local-override
01:23:36: AAA/AUTHEN (1504053479): status = ERROR
01:23:36: AAA/AUTHEN/START (58099628): port='a}' list='' action=LOGIN service=LOGIN
01:23:36: AAA/AUTHEN/START (58099628): Restart
01:23:36: AAA/AUTHEN/START (58099628): Method=RTP (radius)
01:23:36: AAA/AUTHEN (58099628): status = GETPASS
01:23:36: AAA/AUTHEN/CONT (58099628): continue_login (user='proxyonly')
01:23:36: AAA/AUTHEN (58099628): status = GETPASS
01:23:36: AAA/AUTHEN (58099628): Method=RTP (radius)
01:23:36: RADIUS: ustruct sharecount=1
01:23:36: RADIUS: Initial Transmit a} id 2 171.68.118.84:1645, 
Access-Request, len 67
01:23:36:         Attribute 4 6 0A1F0196
01:23:36:         Attribute 61 6 00000000
01:23:36:         Attribute 1 11 70726F78
01:23:36:         Attribute 2 18 7CC79416
01:23:36:         Attribute 6 6 00000005
01:23:36: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:36: RADIUS: Received from id 2 171.68.118.84:1645, Access-Accept, Len 207
01:23:36:         Attribute 6 6 00000005
01:23:36:         Attribute 26 30 0000000901186175
01:23:36:         Attribute 26 49 00000009012B6175
01:23:36:         Attribute 26 48 00000009012A6175
01:23:36:         Attribute 26 48 00000009012A6175
01:23:36:         Attribute 8 6 FFFFFFFF
01:23:36: RADIUS: saved authorization data for user 61C52DD8 at 619E0D8C
01:23:36: AAA/AUTHEN (58099628): status = PASS
01:23:36: a} AAA/AUTHOR/HTTP (147390869): Port='a}' list='default' 
service=AUTH-PROXY
01:23:36: AAA/AUTHOR/HTTP: a} (147390869) user='proxyonly'
01:23:36: a} AAA/AUTHOR/HTTP (147390869): send AV service=auth-proxy
01:23:36: a} AAA/AUTHOR/HTTP (147390869): send AV cmd*
01:23:36: a} AAA/AUTHOR/HTTP (147390869): found list "default"
01:23:36: a} AAA/AUTHOR/HTTP (147390869): Method=RTP (radius)
01:23:36: RADIUS: cisco AVPair "auth-proxy:priv-lvl=15"
01:23:36: RADIUS: cisco AVPair "auth-proxy:proxyacl#1=permit icmp any any"
01:23:36: RADIUS: cisco AVPair "auth-proxy:proxyacl#2=permit tcp any any"
01:23:36: RADIUS: cisco AVPair "auth-proxy:proxyacl#3=permit udp any any"
01:23:36: AAA/AUTHOR (147390869): Post authorization status = PASS_ADD
01:23:36: AUTH-PROXY FUNC: auth_proxy_copy_attrs
01:23:36: AUTH-PROXY FUNC: auth_proxy_find_cache
01:23:36: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: AUTH-PROXY FUNC: auth_proxy_find_cache
01:23:36: AUTH-PROXY : auth_proxy_find_cache
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: AUTH-PROXY FUNC: auth_proxy_http_accept
01:23:36: AUTH-PROXY FUNC: auth_proxy_proc_profile
01:23:36: AUTH-PROXY FUNC: auth_proxy_add_acl_item
01:23:36: AUTH-PROXY FUNC: auth_proxy_add_acl_item
01:23:36: AUTH-PROXY FUNC: auth_proxy_add_acl_item
01:23:36: AUTH-PROXY FUNC: auth_proxy_add_acl_item
01:23:36: AUTH-PROXY FUNC: auth_proxy_add_acl_item
01:23:36: AUTH-PROXY FUNC: auth_proxy_add_acl_item
01:23:36: AAA/MEMORY: free_user (0x61C52DD8) user='proxyonly' 
ruser='' port='a}' rem_addr='' authen_type=ASCII service=LOGIN priv=0
01:23:36: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:36:  ack 1726144118 seq 415291(0)
01:23:36: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4944
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: clientport 4944 state 2
01:23:36: AUTH-PROXY FUNC: auth_proxy_process_path
01:23:36:  F ack 1726144118 seq 415291(0)
01:23:36: DST_addr 185273100 src_addr 169804079 DST_port 80 src_port 4944
01:23:36: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:36: clientport 4944 state 2
01:23:39: AUTH-PROXY FUNC: auth_proxy_timers
01:23:39: AUTH-PROXY FUNC: auth_proxy_handle_finwait_timeout
01:23:41: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:41: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:41: AUTH-PROXY FUNC: auth_proxy_set_hit
01:23:41: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:41: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:41: AUTH-PROXY FUNC: auth_proxy_set_hit
01:23:41: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:41: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:41: AUTH-PROXY FUNC: auth_proxy_set_hit
01:23:41: AUTH-PROXY FUNC: auth_proxy_fast_path
01:23:41: AUTH-PROXY auth_proxy_find_conn_info : 
         find srcaddr - 10.31.1.47, dstaddr - 11.11.11.12
                 ip-srcaddr 10.31.1.47
                 pak-srcaddr 0.0.0.0
 
01:23:41: AUTH-PROXY FUNC: auth_proxy_set_hit

潜在的な問題

RADIUS サーバに到達不可能

デバッグは次のように表示されます。

01:30:39: RADIUS: Initial Transmit  id 6 171.68.118.115:1645, 
Access-Request, Len 67
01:30:39:         Attribute 4 6 0A1F0196
01:30:39:         Attribute 61 6 00000000
01:30:39:         Attribute 1 11 70726F78
01:30:39:         Attribute 2 18 E552A3E5
01:30:39:         Attribute 6 6 00000005
01:30:44: RADIUS: Retransmit id 6
01:30:49: RADIUS: Retransmit id 6
01:30:59: RADIUS: Marking server 171.68.118.115 dead
01:30:59: RADIUS: Tried all servers.
01:30:59: RADIUS: No valid server found. Trying any viable server
01:30:59: RADIUS: Tried all servers.
01:30:59: RADIUS: No response for id 6
01:30:59: RADIUS: No response from server
01:30:59: AAA/AUTHEN (1597176845): status = ERROR

最終的に、ユーザには「500 Internal Server Error」と表示されます。

TACACS サーバに到達不可能

デバッグは次のように表示されます。

02:13:41: AAA/AUTHEN/START (3727404152): Method=RTP (tacacs+)
02:13:41: TAC+: send AUTHEN/START packet ver=192 id=3727404152
02:13:41: TAC+: Using default tacacs server-group "RTP" list.
02:13:41: TAC+: Opening TCP/IP to 171.68.118.115/49 timeout=5
02:13:41: TAC+: TCP/IP open to 171.68.118.115/49 failed 
-- Connection refused by remote host
02:13:41: AAA/AUTHEN (3727404152): status = ERROR

最終的に、ユーザには「500 Internal Server Error」と表示されます。

RADIUS ユーザが誤ったユーザ名またはパスワードを入力

デバッグは次のように表示されます。

01:37:42: RADIUS: Received from id 10 171.68.118.115:1645, Access-Reject, Len 20
01:37:42: AAA/AUTHEN (3558550985): status = FAIL
01:37:42: AAA/MEMORY: free_user (0x61C549F0) user='junk' ruser='' 
          port='' rem_addr='' authen_type=ASCII service=LOGIN priv=0

ユーザには「Authentication Failed!」と表示されます。

TACACS ユーザが誤ったユーザ名またはパスワードを入力

デバッグは次のように表示されます。

02:15:03: AAA/AUTHEN/START (1400571814): Method=RTP (tacacs+)
02:15:03: TAC+: send AUTHEN/START packet ver=192 id=1400571814
02:15:03: TAC+: Using default tacacs server-group "RTP" list.
02:15:03: TAC+: Opening TCP/IP to 171.68.118.115/49 timeout=5
02:15:03: TAC+: Opened TCP/IP handle 0x61CAFEA8 to 171.68.118.115/49
02:15:03: TAC+: 171.68.118.115 (1400571814) AUTHEN/START/LOGIN/ASCII queued
02:15:04: TAC+: (1400571814) AUTHEN/START/LOGIN/ASCII processed
02:15:04: TAC+: ver=192 id=1400571814 received AUTHEN status = GETPASS
02:15:04: AAA/AUTHEN (1400571814): status = GETPASS
02:15:04: AAA/AUTHEN/CONT (1400571814): continue_login (user='junkuser')
02:15:04: AAA/AUTHEN (1400571814): status = GETPASS
02:15:04: AAA/AUTHEN (1400571814): Method=RTP (tacacs+)
02:15:04: TAC+: send AUTHEN/CONT packet id=1400571814
02:15:04: TAC+: 171.68.118.115 (1400571814) AUTHEN/CONT queued
02:15:04: TAC+: (1400571814) AUTHEN/CONT processed
02:15:04: TAC+: ver=192 id=1400571814 received AUTHEN status = FAIL
02:15:04: AAA/AUTHEN (1400571814): status = FAIL

ユーザには「Authentication Failed!」と表示されます。

TACACS ユーザが正しいユーザ名またはパスワードを入力したが、許可に失敗

デバッグは次のように表示されます。

02:17:01: TAC+: ver=192 id=945629484 received AUTHEN status = PASS
02:17:02: TAC+: (1368282367): received author response status = FAIL
02:17:02: TAC+: Closing TCP/IP 0x61CAFFC8 connection to 171.68.118.115/49
02:17:02: AAA/AUTHOR (1368282367): Post authorization status = FAIL

ユーザには「Authentication Failed!」と表示されます。

RADIUS ユーザが正しいユーザ名またはパスワードを入力したが、ACL が正しくない形式で返される

ACL が設定されていても、それが正しく適用されないためにユーザがファイアウォールを通過できないことが、デバッグで示されます。

ユーザには、「Authentication Successful!」と表示されます。

TACACS ユーザが正しいユーザ名またはパスワードを入力したが、ACL が正しくない形式で返される

デバッグには、認証に成功した場合との違いがありませんが、ACL は適用されず、ユーザはファイアウォールを通過することができません。

ユーザには、「Authentication Successful!」と表示されます。

RADIUS ユーザが正しいユーザ名またはパスワードを入力したが、Priv-lvl 15 が返されない

デバッグは次のように表示されます。

02:00:54: RADIUS: saved authorization data for user 61CA670C at 61C5585C
02:00:54: AAA/AUTHEN (706562375): status = PASS
02:00:54:  AAA/AUTHOR/HTTP (4224202114): Port='' list='default' service=AUTH-PROXY
02:00:54: AAA/AUTHOR/HTTP:  (4224202114) user='baduser'
02:00:54:  AAA/AUTHOR/HTTP (4224202114): send AV service=auth-proxy
02:00:54:  AAA/AUTHOR/HTTP (4224202114): send AV cmd*
02:00:54:  AAA/AUTHOR/HTTP (4224202114): found list "default"
02:00:54:  AAA/AUTHOR/HTTP (4224202114): Method=RTP (radius)
02:00:54: RADIUS: cisco AVPair "auth-proxy:priv-lvl=1"

ルータのデバッグには、特権レベルが誤っていることの他には異常は示されていませんが、ユーザには「Authentication Failed」と表示されます。 ACL は適用されません。

TACACS ユーザが正しいユーザ名またはパスワードを入力したが、Priv-lvl 15 が返されない

デバッグには、認証に成功した場合との違いはありません。

ユーザには「Authentication Failed!」と表示されます。


関連情報


Document ID: 13896