Seguridad y VPN : Remote Authentication Dial-In User Service (RADIUS)

Cómo configurar la autenticación de RADIUS para los VPDN

17 Octubre 2016 - Traducción Automática
Otras Versiones: PDFpdf | Inglés (22 Agosto 2015) | Comentarios


Contenido


Introducción

Una red virtual de marcación privada (VPDN) permite que un servicio de marcación de red privada se extienda a servidores de acceso remoto (que se definen como concentrador de acceso [LAC]) L2TP. Cuando un cliente de Point-to-Point Protocol (PPP) se comunica con un LAC, el LAC determina que debería reenviar la sesión PPP a un L2TP Network Server (LNS) para ese cliente, el cual luego autentica al usuario y comienza la negociación PPP. Una vez que finaliza la configuración de PPP, todas las tramas se envían mediante el LAC al cliente y al LNS.

Esta configuración de muestra permite que usted utilice la autenticación de RADIUS con los VPDN. El LAC pregunta al servidor de RADIUS, determina que el LNS para remitir al usuario, y establece el túnel apropiado.

Para más información sobre los VPDN refiera comprensión del VPDN.

prerrequisitos

Requisitos

No hay requisitos específicos para este documento.

Componentes Utilizados

La información que contiene este documento se basa en las siguientes versiones de software y hardware.

  • Versión de UNIX 2.x.x del Cisco Secure ACS y posterior o Merit RADIUS

  • Software Release 11.2 y Posterior del ½ del ¿Â de Cisco IOSïÂ

La información que contiene este documento se creó a partir de los dispositivos en un ambiente de laboratorio específico. Todos los dispositivos que se utilizan en este documento se pusieron en funcionamiento con una configuración verificada (predeterminada). Si la red está funcionando, asegúrese de haber comprendido el impacto que puede tener cualquier comando.

Convenciones

Para obtener más información sobre las convenciones del documento, consulte Convenciones de Consejos Técnicos de Cisco.

Antecedentes

En este ejemplo, el usuario es “jsmith@hp.com” con la contraseña “prueba”. Cuando “jsmith@hp.com” marca en el router del ISP, el router del ISP envía el “hp.com” userid al servidor de RADIUS ISP. El servidor ISP encuentra el userid "hp.com" y envía su tunnel-id ("isp"), la dirección IP del router gateway (HGW) (10.31.1.50), la contraseña (“hello”) del servidor de acceso a la red (NAS) y la contraseña del gateway ("there") de regreso al router ISP.

El router del ISP inicia un túnel y conecta con 10.31.1.50 al router HGW, que autentica al usuario “HP-GW” localmente y adelante la contraseña para la identificación del usuario “ISP” (“hola”) al servidor de RADIUS HGW. Una vez que se establecen los túneles, autentican al router del ISP adelante al router HGW, y el userid (“jsmith@hp.com ") y la contraseña (“prueba”) del usuario que marca en este usuario en el servidor HGW. En este ejemplo, llaman el router del ISP “koala” y llaman el router HGW los “sneetches”.

Configurar

En esta sección encontrará la información para configurar las funciones descritas en este documento.

Diagrama de la red

Este documento utiliza la configuración de red que se muestra en el siguiente diagrama.

/image/gif/paws/4675/vpdn_rad.gif

Configuración del servidor

Configuración de Merit RADIUS


!--- The RADIUS Server must support Cisco av-pairs.
!--- This user is on the ISP RADIUS server.

hp.com Password = "cisco"
Service-Type = Outbound-User,
cisco-avpair = "vpdn:tunnel-id=isp",
cisco-avpair = "vpdn:ip-addresses=10.31.1.50",
cisco-avpair = "vpdn:nas-password=hello",
cisco-avpair = "vpdn:gw-password=there"

!--- The next two users are on the HGW Server.

isp Password = "hello",
Service-Type = Framed,
Framed-Protocol = PPP

jsmith@hp.com Password = "test",
Service-Type = Framed,
Framed-Protocol = PPP

Configuración de Secure ACS UNIX 2.x.x de Cisco


!--- This user is on the ISP server.

# ./ViewProfile -p 9900 -u hp.com
User Profile Information
user = hp.com{
profile_id = 86
profile_cycle = 1
RADIUS=Cisco {
check_items= {
2="cisco"
}
reply_attributes= {
9,1="vpdn:tunnel-id=isp"
9,1="vpdn:ip-addresses=10.31.1.50"
9,1="vpdn:NAS-password=hello"
9,1="vpdn:gw-password=there"
}
}

}

!--- The next two users are on the HGW Server.


# ./ViewProfile -p 9900 -u isp
User Profile Information
user = isp{
profile_id = 70
profile_cycle = 1
RADIUS=Cisco {
check_items= {
2="hello"
}
reply_attributes= {
6=2
7=1
}
}

}

# ./ViewProfile -p 9900 -u jsmith@hp.com
User Profile Information
user = jsmith@hp.com{
profile_id = 84
profile_cycle = 1
RADIUS=Cisco {
check_items= {
2="test"
}
reply_attributes= {
6=2
7=1
}
}

}

Configuración del router

Configuración del router del ISP
koala#show running config

Building configuration...


Current configuration:
!
version 11.3
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname koala
!
aaa new-model
aaa authentication ppp default if-needed RADIUS
aaa authorization network default RADIUS
aaa accounting network default start-stop RADIUS
enable password ww
!
vpdn enable

!--- VPDN is enabled.

!
interface Ethernet0
ip address 10.31.1.5 255.255.255.0
!
interface Serial0
shutdown
!
interface Serial1
shutdown
!
interface Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode dedicated
no peer default ip address
no cdp enable
ppp authentication chap
!
ip default-gateway 10.31.1.1
no ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
logging trap debugging
logging 171.68.118.101
snmp-server community public RW
snmp-server enable traps config
snmp-server host 171.68.118.105 traps public
RADIUS-server host 171.68.120.194 auth-port 1645 acct-port 1646
RADIUS-server key cisco

!--- Specify RADIUS server information on the NAS.

!
line con 0
password WW
line 1
password WW
autoselect ppp
modem InOut
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line 2 16
autoselect during-login
line aux 0
line vty 0 4
exec-timeout 0 0
password WW
!
end

Configuración del router HGW
Sneetches#show running config
Building configuration...

Current configuration:
!
version 11.3
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname Sneetches
!
aaa new-model
aaa authentication ppp default RADIUS local
aaa authorization network default RADIUS local
aaa accounting network default start-stop RADIUS
!
username hp-gw password 0 there
username isp password 0 hello
vpdn enable

!--- Enable VPDN.

vpdn incoming isp hp-gw virtual-template 1

!--- Specify the remote host (the network access server)
!--- the local name (the home gateway) to use for authenticating
!--- and the virtual template to use.

!
interface Ethernet0
ip address 10.31.1.50 255.255.255.0
!
interface Ethernet1
no ip address
shutdown
!


interface Virtual-Template1

!--- Create a virtual template interface.

ip unnumbered Ethernet0

!--- Un-number the Virtual interface to an available LAN interface.

peer default ip address pool async

!--- Use the pool "async" to assign the IP address for incoming connections.

ppp authentication chap

!--- Use CHAP authentication for the incoming connection.

!
interface Serial0
shutdown
!
interface Serial1
shutdown
!
ip local pool async 1.1.1.1 1.1.1.6
ip default-gateway 10.31.1.1
no ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
RADIUS-server host 171.68.118.101 auth-port 1645 acct-port 1646
RADIUS-server timeout 20
RADIUS-server key cisco

!--- Specify RADIUS server information on the NAS.

!
line con 0
exec-timeout 3600 0
line aux 0
line vty 0 4
password WW
!
end

Verificación

Actualmente, no hay un procedimiento de verificación disponible para esta configuración.

Troubleshooting

En esta sección encontrará información que puede utilizar para solucionar problemas de configuración.

Comandos para resolución de problemas

La herramienta del Output Interpreter soportan a los ciertos comandos show, que permite que usted vea una análisis de la salida del comando show.

Nota: Antes de ejecutar un comando debug, consulte Información Importante sobre Comandos Debug.

  • haga el debug de la autenticación aaa — Visualiza la información sobre el Terminal Access Controller Access Control System AAA/más la autenticación (TACACS+).

  • debug aaa authorization — Visualiza la información sobre la autorización AAA/TACACS+.

  • debug ppp negotiation — Muestra los paquetes PPP transmitidos durante el inicio PPP, durante el cual se negocian las opciones PPP.

  • debug RADIUS — Visualiza la información de debugging detallada asociada al RADIUS.

  • debug vpdn errors — Visualiza los errores que evitan que un túnel PPP sea establecido o los errores que hacen un túnel establecido ser cerrados.

  • debug vpdn events — Muestra mensajes relativos a eventos que forman parte del establecimiento o cierre normal del túnel PPP.

  • debug vpdn l2f-errors — Visualiza los errores del protocolo de la capa 2 que previenen el establecimiento de la capa 2 o previenen su funcionamiento normal.

  • debug vpdn l2f-events — Visualiza los mensajes sobre los eventos que son establecimiento del túnel normal de la parte de PPP o apagan para la capa 2.

  • debug vpdn l2f-packets — Mensajes de las visualizaciones sobre las encabezados y el estatus del Layer 2 Forwarding Protocol.

  • debug vpdn packets — Las visualizaciones acodan 2 errores y eventos del Tunnel Protocol que sean una parte del establecimiento normal de túneles o apagan para los VPDN.

  • debug vtemplate - Muestra información de clonación para una interfaz de acceso virtual desde el momento en que se clona desde una plantilla virtual hasta el momento en que la interfaz de acceso virtual se cae al finalizar la llamada.

‘Resultado de debug’

Depuración adecuada del router del ISP

koala#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
VPN events debugging is on
VPN errors debugging is on
RADIUS protocol debugging is on
koala#
%LINK-3-UPDOWN: Interface Async1, changed state to up
17:28:19: VPDN: Looking for tunnel -- hp.com --
17:28:19: AAA/AUTHEN: create_user (0x15D28C) user='hp.com' ruser='' port='Async1' 
 rem_addr='' authen_type=NONE service=LOGIN priv=0
17:28:19: AAA/AUTHOR/VPDN (982041598): Port='Async1' list='default' service=NET
17:28:19: AAA/AUTHOR/VPDN: (982041598) user='hp.com'
17:28:19: AAA/AUTHOR/VPDN: (982041598) send AV service=ppp
17:28:19: AAA/AUTHOR/VPDN: (982041598) send AV protocol=vpdn
17:28:19: AAA/AUTHOR/VPDN (982041598) found list "default"
17:28:19: AAA/AUTHOR/VPDN: (982041598) Method=RADIUS
17:28:19: RADIUS: authenticating to get author data
17:28:19: RADIUS: Computed extended port value 0:1:
17:28:19: RADIUS: Initial Transmit id 62 171.68.120.194:1645, Access-Request, len 70
17:28:19: Attribute 4 6 0A1F0105
17:28:19: Attribute 5 6 00000001
17:28:19: Attribute 61 6 00000000
17:28:19: Attribute 1 8 68702E63
17:28:19: Attribute 2 18 8070079C
17:28:19: Attribute 6 6 00000005
17:28:19: RADIUS: Received from id 62 171.68.120.194:1645, Access-Accept, len 143
17:28:19: Attribute 26 26 0000000901147670
17:28:19: Attribute 26 36 00000009011E7670
17:28:19: Attribute 26 31 0000000901197670
17:28:19: Attribute 26 30 0000000901187670

!--- These messages can be decrypted using the OI tool.
!--- As of  Cisco IOS Software Release 12.2(11)T,
!--- the output was changed to be readable.

17:28:19: RADIUS: saved authorization data for user 15D28C at 10EE74
17:28:19: RADIUS: cisco AVPair "vpdn:tunnel-id=isp"
17:28:19: RADIUS: cisco AVPair "vpdn:ip-addresses=10.31.1.50"
17:28:19: RADIUS: cisco AVPair "vpdn:nas-password=hello"
17:28:19: RADIUS: cisco AVPair "vpdn:gw-password=there"
17:28:19: AAA/AUTHOR (982041598): Post authorization status = PASS_ADD
17:28:19: AAA/AUTHOR/VPDN: Processing AV service=ppp
17:28:19: AAA/AUTHOR/VPDN: Processing AV protocol=vpdn
17:28:19: AAA/AUTHOR/VPDN: Processing AV tunnel-id=isp
17:28:19: AAA/AUTHOR/VPDN: Processing AV ip-addresses=10.31.1.50
17:28:19: AAA/AUTHOR/VPDN: Processing AV nas-password=hello
17:28:19: AAA/AUTHOR/VPDN: Processing AV gw-password=there
17:28:19: VPDN: Get tunnel info with NAS isp GW hp.com, IP 10.31.1.50

!--- The RADIUS server returns the attributes the 
!--- NAS should use for the tunnel.
!--- Tunnel-id is "ISP" and the IP address of HGW is 10.31.1.50.

17:28:19: AAA/AUTHEN: free_user (0x15D28C) user='hp.com' ruser='' port='Async1' 
 rem_addr='' authen_type=NONE service=LOGIN priv=0
17:28:19: VPDN: Forward to address 10.31.1.50
17:28:19: As1 VPDN: Forwarding...
17:28:19: AAA/AUTHEN: create_user (0x15D334) user='jsmith@hp.com' ruser=''
 port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
17:28:19: As1 VPDN: Bind interface direction=1
17:28:19: As1 VPDN: jsmith@hp.com is forwarded
17:28:19: AAA/ACCT/NET/START User jsmith@hp.com, Port Async1, List ""
17:28:19: AAA/ACCT/NET: Found list "default"
17:28:19: RADIUS: Computed extended port value 0:1:
17:28:19: RADIUS: Initial Transmit id 63 171.68.120.194:1646, Accounting-Request,
 len 93
17:28:19: Attribute 4 6 0A1F0105
17:28:19: Attribute 5 6 00000001
17:28:19: Attribute 61 6 00000000
17:28:19: Attribute 1 15 6A736D69
17:28:19: Attribute 40 6 00000001
17:28:19: Attribute 45 6 00000002
17:28:19: Attribute 6 6 00000002
17:28:19: Attribute 44 10 30303030
17:28:19: Attribute 7 6 7670646E
17:28:19: Attribute 41 6 00000000
17:28:19: RADIUS: Received from id 63 171.68.120.194:1646, Accounting-response,
 len 20
%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
koala#

!--- The user finishes and disconnects.

%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to down
%LINK-5-CHANGED: Interface Async1, changed state to reset
17:28:48: As1 VPDN: Cleanup
17:28:48: As1 VPDN: Reset
17:28:48: As1 VPDN: Reset
17:28:48: As1 VPDN: Unbind interface
17:28:48: AAA/ACCT/NET/STOP User jsmith@hp.com, Port Async1:
task_id=20 start_time=900759730 timezone=UTC service=vpdn disc-cause=2 
disc-cause-ext=1011 pre-bytes-in=-226131998 pre-bytes-out=-1034130241
pre-paks-in=-63570 pre-paks-out=-64410 bytes_in=1999 bytes_out=364 paks_in=29 
paks_out=12 pre-session-time=5 elapsed_time=29 data-rate=0
xmit-rate=0 
17:28:48: RADIUS: Computed extended port value 0:1:
17:28:48: RADIUS: Initial Transmit id 64 171.68.120.194:1646, Accounting-Request,
 len 129
17:28:48: Attribute 4 6 0A1F0105
17:28:48: Attribute 5 6 00000001
17:28:48: Attribute 61 6 00000000
17:28:48: Attribute 1 15 6A736D69
17:28:48: Attribute 40 6 00000002
17:28:48: Attribute 45 6 00000002
17:28:48: Attribute 6 6 00000002
17:28:48: Attribute 44 10 30303030
17:28:48: Attribute 7 6 7670646E
17:28:48: Attribute 49 6 00000002
17:28:48: Attribute 42 6 000007CF
17:28:48: Attribute 43 6 0000016C
17:28:48: Attribute 47 6 0000001D
17:28:48: Attribute 48 6 0000000C
17:28:48: Attribute 46 6 0000001D
17:28:48: Attribute 41 6 00000000
17:28:48: RADIUS: Received from id 64 171.68.120.194:1646, Accounting-response,
 len 20
%LINK-3-UPDOWN: Interface Async1, changed state to down
17:28:51: AAA/AUTHEN: free_user (0x15D334) user='jsmith@hp.com' ruser=''
 port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
koala#

‘Depuración adecuada del router HGW’

Sneetches#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
VPN events debugging is on
VPN errors debugging is on
RADIUS protocol debugging is on
Sneetches#
17:28:21: AAA/AUTHEN: create_user (0x14A914) user='hp-gw' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
17:28:21: AAA/AUTHEN/START (496523999): port='' list='default' 
action=SENDAUTH service=PPP
17:28:21: AAA/AUTHEN/START (496523999): found list default
17:28:21: AAA/AUTHEN/START (496523999): Method=RADIUS
17:28:21: RADIUS: SENDPASS not supported (action=4)
17:28:21: AAA/AUTHEN (496523999): status = ERROR
17:28:21: AAA/AUTHEN/START (496523999): Method=LOCAL
17:28:21: AAA/AUTHEN (496523999): status = PASS
17:28:21: AAA/AUTHEN: free_user (0x14A914) user='hp-gw' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
17:28:21: AAA/AUTHEN: create_user (0x14A914) user='isp' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
17:28:21: AAA/AUTHEN/START (3095573082): port='' list='default' 
action=SENDAUTH service=PPP
17:28:21: AAA/AUTHEN/START (3095573082): found list default
17:28:21: AAA/AUTHEN/START (3095573082): Method=RADIUS
17:28:21: RADIUS: SENDPASS not supported (action=4)
17:28:21: AAA/AUTHEN (3095573082): status = ERROR
17:28:21: AAA/AUTHEN/START (3095573082): Method=LOCAL
17:28:21: AAA/AUTHEN (3095573082): status = PASS
17:28:21: AAA/AUTHEN: free_user (0x14A914) user='isp' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
17:28:21: AAA/AUTHEN: create_user (0x14ADB4) user='isp' ruser='' port='' 
rem_addr='' authen_type=CHAP service=PPP priv=1
17:28:21: AAA/AUTHEN/START (3506257139): port='' list='default'
action=LOGIN service=PPP
17:28:21: AAA/AUTHEN/START (3506257139): found list default
17:28:21: AAA/AUTHEN/START (3506257139): Method=RADIUS
17:28:21: RADIUS: Initial Transmit id 53 171.68.118.101:1645, Access-Request, len 68
17:28:21: Attribute 4 6 0A1F0132
17:28:21: Attribute 61 6 00000000
17:28:21: Attribute 1 5 69737003
17:28:21: Attribute 3 19 10C82B7A
17:28:21: Attribute 6 6 00000002
17:28:21: Attribute 7 6 00000001
17:28:21: RADIUS: Received from id 53 171.68.118.101:1645, Access-Accept, len 32
17:28:21: Attribute 6 6 00000002
17:28:21: Attribute 7 6 00000001
17:28:21: AAA/AUTHEN (3506257139): status = PASS
17:28:21: VPDN: Chap authentication succeeded for isp
17:28:21: AAA/AUTHEN: free_user (0x14ADB4) user='isp' ruser='' port='' rem_addr='' 
authen_type=CHAP service=PPP priv=1
17:28:21: Vi1 VPDN: Virtual interface created for jsmith@hp.com
17:28:21: Vi1 VPDN: Set to Async interface
17:28:21: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
17:28:23: Vi1 VPDN: Bind interface direction=2
17:28:23: Vi1 VPDN: PPP LCP accepted sent & rcv CONFACK
17:28:23: AAA/AUTHEN: create_user (0x143368) user='jsmith@hp.com' ruser=''
 port='Virtual-Access1' rem_addr='async' authen_type=CHAP service=PPP priv=1
17:28:23: AAA/AUTHEN/START (637397616): port='Virtual-Access1' list=''
 action=LOGIN service=PPP
17:28:23: AAA/AUTHEN/START (637397616): using "default" list
17:28:23: AAA/AUTHEN/START (637397616): Method=RADIUS
17:28:23: RADIUS: Computed extended port value 0:60100:
17:28:23: RADIUS: Initial Transmit id 54 171.68.118.101:1645, Access-Request, len 78
17:28:23: Attribute 4 6 0A1F0132
17:28:23: Attribute 5 6 0000EAC4
17:28:23: Attribute 1 15 6A736D69
17:28:23: Attribute 3 19 186C2AC9
17:28:23: Attribute 6 6 00000002
17:28:23: Attribute 7 6 00000001
17:28:23: RADIUS: Received from id 54 171.68.118.101:1645, Access-Accept, len 32
17:28:23: Attribute 6 6 00000002
17:28:23: Attribute 7 6 00000001
17:28:23: AAA/AUTHEN (637397616): status = PASS
17:28:23: AAA/AUTHOR/LCP Vi1: Authorize LCP
17:28:23: AAA/AUTHOR/LCP Vi1 (1528831370): Port='Virtual-Access1' list=''
 service=NET
17:28:23: AAA/AUTHOR/LCP: Vi1 (1528831370) user='jsmith@hp.com'
17:28:23: AAA/AUTHOR/LCP: Vi1 (1528831370) send AV service=ppp
17:28:23: AAA/AUTHOR/LCP: Vi1 (1528831370) send AV protocol=lcp
17:28:23: AAA/AUTHOR/LCP (1528831370) found list "default"
17:28:23: AAA/AUTHOR/LCP: Vi1 (1528831370) Method=RADIUS
17:28:23: AAA/AUTHOR (1528831370): Post authorization status = PASS_REPL
17:28:23: AAA/AUTHOR/LCP Vi1: Processing AV service=ppp
17:28:23: AAA/ACCT/NET/START User jsmith@hp.com, Port Virtual-Access1, List ""
17:28:23: AAA/ACCT/NET: Found list "default"
17:28:23: AAA/AUTHOR/FSM Vi1: (0): Can we start IPCP?
17:28:23: AAA/AUTHOR/FSM Vi1 (4249637449): Port='Virtual-Access1' list=''
 service=NET
17:28:23: AAA/AUTHOR/FSM: Vi1 (4249637449) user='jsmith@hp.com'
17:28:23: AAA/AUTHOR/FSM: Vi1 (4249637449) send AV service=ppp
17:28:23: AAA/AUTHOR/FSM: Vi1 (4249637449) send AV protocol=ip
17:28:23: AAA/AUTHOR/FSM (4249637449) found list "default"
17:28:23: AAA/AUTHOR/FSM: Vi1 (4249637449) Method=RADIUS
17:28:23: AAA/AUTHOR (4249637449): Post authorization status = PASS_REPL
17:28:23: AAA/AUTHOR/FSM Vi1: We can start IPCP
17:28:23: RADIUS: Computed extended port value 0:60100:
17:28:23: RADIUS: Initial Transmit id 55 171.68.118.101:1646, Accounting-Request,
 len 87
17:28:23: Attribute 4 6 0A1F0132
17:28:23: Attribute 5 6 0000EAC4
17:28:23: Attribute 1 15 6A736D69
17:28:23: Attribute 40 6 00000001
17:28:23: Attribute 45 6 00000001
17:28:23: Attribute 6 6 00000002
17:28:23: Attribute 44 10 30303030
17:28:23: Attribute 7 6 00000001
17:28:23: Attribute 41 6 00000000
17:28:23: RADIUS: Received from id 55 171.68.118.101:1646, Accounting-response,
 len 20
17:28:23: AAA/AUTHOR/IPCP Vi1: Start. Her address 0.0.0.0, we want 0.0.0.0
17:28:23: AAA/AUTHOR/IPCP Vi1: Processing AV service=ppp
17:28:23: AAA/AUTHOR/IPCP Vi1: Authorization succeeded
17:28:23: AAA/AUTHOR/IPCP Vi1: Done. Her address 0.0.0.0, we want 0.0.0.0
17:28:23: AAA/AUTHOR/IPCP Vi1: Start. Her address 0.0.0.0, we want 1.1.1.1
17:28:23: AAA/AUTHOR/IPCP Vi1: Processing AV service=ppp
17:28:23: AAA/AUTHOR/IPCP Vi1: Authorization succeeded
17:28:23: AAA/AUTHOR/IPCP Vi1: Done. Her address 0.0.0.0, we want 1.1.1.1
17:28:24: AAA/AUTHOR/IPCP Vi1: Start. Her address 1.1.1.1, we want 1.1.1.1
17:28:24: AAA/AUTHOR/IPCP Vi1 (923857566): Port='Virtual-Access1' list=''
 service=NET
17:28:24: AAA/AUTHOR/IPCP: Vi1 (923857566) user='jsmith@hp.com'
17:28:24: AAA/AUTHOR/IPCP: Vi1 (923857566) send AV service=ppp
17:28:24: AAA/AUTHOR/IPCP: Vi1 (923857566) send AV protocol=ip
17:28:24: AAA/AUTHOR/IPCP: Vi1 (923857566) send AV addr*1.1.1.1
17:28:24: AAA/AUTHOR/IPCP (923857566) found list "default"
17:28:24: AAA/AUTHOR/IPCP: Vi1 (923857566) Method=RADIUS
17:28:24: AAA/AUTHOR (923857566): Post authorization status = PASS_REPL
17:28:24: AAA/AUTHOR/IPCP Vi1: Reject 1.1.1.1, using 1.1.1.1
17:28:24: AAA/AUTHOR/IPCP Vi1: Processing AV service=ppp
17:28:24: AAA/AUTHOR/IPCP Vi1: Processing AV addr*1.1.1.1
17:28:24: AAA/AUTHOR/IPCP Vi1: Authorization succeeded
17:28:24: AAA/AUTHOR/IPCP Vi1: Done. Her address 1.1.1.1, we want 1.1.1.1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Sneetches#

!--- The user finishes and disconnects.

Sneetches#
17:28:50: Vi1 VPDN: Reset
17:28:50: Vi1 VPDN: Reset
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
17:28:50: Vi1 VPDN: Cleanup
17:28:50: Vi1 VPDN: Reset
17:28:50: Vi1 VPDN: Reset
17:28:50: Vi1 VPDN: Unbind interface
17:28:50: Vi1 VPDN: Reset
17:28:50: Vi1 VPDN: Reset
17:28:50: AAA/ACCT/NET/STOP User jsmith@hp.com, Port Virtual-Access1:
task_id=14 start_time=900759731 timezone=UTC service=ppp protocol=ip addr=1.1.1.1 
disc-cause=2 disc-cause-ext=1011 pre-bytes-in=0 pre-bytes-out=42
pre-paks-in=0 pre-paks-out=2 bytes_in=882 bytes_out=356 paks_in=17 paks_out=11 
pre-session-time=0 elapsed_time=27 data-rate=0 xmit-rate=0 
17:28:50: RADIUS: Computed extended port value 0:60100:
17:28:50: RADIUS: Initial Transmit id 56 171.68.118.101:1646, Accounting-Request,
 len 129
17:28:50: Attribute 4 6 0A1F0132
17:28:50: Attribute 5 6 0000EAC4
17:28:50: Attribute 1 15 6A736D69
17:28:50: Attribute 40 6 00000002
17:28:50: Attribute 45 6 00000001
17:28:50: Attribute 6 6 00000002
17:28:50: Attribute 44 10 30303030
17:28:50: Attribute 7 6 00000001
17:28:50: Attribute 8 6 01010101
17:28:50: Attribute 49 6 00000002
17:28:50: Attribute 42 6 00000372
17:28:50: Attribute 43 6 00000164
17:28:50: Attribute 47 6 00000011
17:28:50: Attribute 48 6 0000000B
17:28:50: Attribute 46 6 0000001B
17:28:50: Attribute 41 6 00000000
17:28:50: RADIUS: Received from id 56 171.68.118.101:1646, Accounting-response,
 len 20
17:28:50: AAA/AUTHEN: free_user (0x143368) user='jsmith@hp.com' ruser=''
 port='Virtual-Access1' rem_addr='async' authen_type=CHAP service=PPP
priv=1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1,
  changed state to down
Sneetches#

Debugs para la falla de conexión en el router del ISP

koala#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
VPN events debugging is on
VPN errors debugging is on
RADIUS protocol debugging is on
koala#

!--- Problem 1:
!--- User hp.com is not in the ISP server:
!--- There is no output on HGW router because the call has not gone that far.

RADIUS: Received from id 83 171.68.120.194:1645, Access-Reject, len 20 18:43:18: 
AAA/AUTHEN (4063976505): status = FAIL

!--- Problem 2:
!--- User hp.com is not in the ISP server.
!--- There is no output on HGW router because 
!--- the call has not gone that far.

RADIUS: Received from id 83 171.68.120.194:1645, Access-Reject, len 20 18:43:18: 
AAA/AUTHEN (4063976505): status = FAIL

!--- Problem 3:
!--- Problem in tunnel definition on HGW router; in HGW configuration 
!--- vpdn incoming hp-gw isp virtual-template 1 is inserted
!--- instead of vpdn incoming isp hp-gw virtual-template 1.

%VPDN-5-UNREACH: L2F HGW 10.31.1.50 is unreachable
VPDN: Timeout opening tunnel to 10.31.1.50
VPDN: Free busy address 10.31.1.50

!--- Problem 4:
!--- User "isp" or "hp-gw" is removed from HGW router.

%VPDN-6-AUTHENFAIL: L2F NAS koala, authentication failure for tunnel hp-gw; 
 Invalid key

!--- Problem 5:
!--- User "isp" is not in the HGW server.

%VPDN-6-AUTHENFAIL: L2F HGW , AAA authentication failure for tunnel hp-gw

!--- Problem 6:
!--- User jsmith@hp.com is not in the HGW server.

%VPDN-6-AUTHENFAIL: L2F HGW hp-gw, AAA authentication failure for As1 
user jsmith@hp.com; Authentication failure

Debugs para las fallas de conexión en el router HGW

Sneetches#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
VPN events debugging is on
VPN errors debugging is on
RADIUS protocol debugging is on
Sneetches#

!--- Problem 1:
!--- Problem in tunnel definition on the HGW router; in HGW configuration
!--- vpdn incoming hp-gw isp virtual-template 1 is inserted
!--- instead of vpdn incoming isp hp-gw virtual-template 1
!--- debug vpdn l2f-errors display.

19:25:27: L2F: Couldn't find tunnel named isp
19:25:30: L2F: Couldn't find tunnel named isp

!--- Problem 2:
!--- User "isp" is removed from the HGW router.

AAA/AUTHEN (3372073334): SENDAUTH no password for isp
AAA/AUTHEN (3372073334): status = ERROR
AAA/AUTHEN/START (3372073334): no methods left to try
AAA/AUTHEN (3372073334): status = ERROR
AAA/AUTHEN/START (3372073334): failed to authenticate

!--- Problem 3:
!--- User "hp-gw" is removed from the HGW router.

AAA/AUTHEN (3999868118): SENDAUTH no password for hp-gw
AAA/AUTHEN (3999868118): status = ERROR
AAA/AUTHEN/START (3999868118): no methods left to try
AAA/AUTHEN (3999868118): status = ERROR
AAA/AUTHEN/START (3999868118): failed to authenticate

!--- Problem 4:
!--- User "isp" is removed from HGW RADIUS server.

RADIUS: Received from id 107 171.68.118.101:1645, Access-Reject, len 46
Attribute 18 26 41757468
AAA/AUTHEN (2759462034): status = FAIL
VPDN: Chap authentication failed for isp
%VPDN-6-AUTHENFAIL: L2F HGW , AAA authentication failure for tunnel isp

!--- Problem 5:
!--- User "jsmith@hp.com" is not in the HGW server.

RADIUS: Received from id 109 171.68.118.101:1645, Access-Reject, len 46
Attribute 18 26 41757468
AAA/AUTHEN (2765235576): status = FAIL
%VPDN-6-AUTHENFAIL: L2F HGW hp-gw, AAA authentication failure for Vi1
 user jsmith@hp.com; Authentication failure

Información Relacionada


Document ID: 4675