Seguridad y VPN : Terminal Access Controller Access Control System (TACACS+)

Problemas comunes en hacer el debug del TACACS+, el PAP y la GRIETA

24 Agosto 2015 - Traducción Automática
Otras Versiones: PDFpdf | Inglés (23 Abril 2015) | Comentarios


Contenido


Introducción

Nota: La información en este documento se basa en los Software Release 11.2 y Posterior del � del Cisco IOS.

Este documento examina los problemas de debugging comunes para el TACACS+ cuando el protocolo password authentication (PAP) o se utiliza el Challenge Handshake Authentication Protocol (CHAP). Se proveen las configuraciones de PC comunes para Microsoft Windows 95, Windows NT, Windows 98 y Windows 2000, así como ejemplos de configuraciones y ejemplos de debugs buenos y malos.

prerrequisitos

Requisitos

No hay requisitos específicos para este documento.

Componentes Utilizados

Este documento no tiene restricciones específicas en cuanto a versiones de software y de hardware.

La información que contiene este documento se creó a partir de los dispositivos en un ambiente de laboratorio específico. Todos los dispositivos que se utilizan en este documento se pusieron en funcionamiento con una configuración verificada (predeterminada). Si la red está funcionando, asegúrese de haber comprendido el impacto que puede tener cualquier comando.

Convenciones

Consulte Convenciones de Consejos TécnicosCisco para obtener más información sobre las convenciones del documento.

Configuración común de PC

Windows 95

Complete estos pasos:

  1. En la ventana de interconexión de redes de marcación manual, elija el nombre de la conexión, entonces File (Archivo) > Properties (Propiedades).

  2. En la ficha de tipo de servidor, vea si el cuadro de contraseña encriptada del requerir debajo del tipo de servidor de marcado manual se marca.

    • Si se marca este cuadro, el PC valida solamente la autenticación CHAP.

    • Si este cuadro no se marca, el PC valida el PAP o la autenticación CHAP.

Windows NT

Complete estos pasos:

  1. En la ventana del dial-up networking, elija el nombre de la conexión, y después elija el File (Archivo) > Properties (Propiedades).

  2. Marque las configuraciones en la ficha de seguridad:

    • Si el Accept any authentication incluyendo el clear text box se marca, el PC valida el PAP o la GRIETA.

    • Si se marca el cuadro de la autenticación encriptada del validar solamente, el PC valida solamente la autenticación CHAP.

Windows 98

Complete estos pasos:

  1. En la ventana del dial-up networking, elija el nombre de la conexión, y después elija las propiedades.

  2. En los tipos de servidor tabule, marque las configuraciones en el área avanzada de las opciones:

    • Si el cuadro de contraseña encriptada del requerir no se marca, el PC valida el PAP o la autenticación CHAP.

    • Si se marca el cuadro de contraseña encriptada del requerir, el PC valida solamente la autenticación CHAP.

Windows 2000

Complete estos pasos:

  1. En la red y las conexiones por línea telefónica, elija el nombre de la conexión, y después elija las propiedades.

  2. En la ficha de seguridad, en el avanzado > las configuraciones > permiten éstos protocols area (Área de protocolo):

    • Si se marca el cuadro de la contraseña sin encripción (PAP), el PC valida el PAP.

    • Si se marca el cuadro del Challenge Handshake Authentication Protocol (CHAP), el PC valida la GRIETA por el RFC 1994.

    • Si se marca el cuadro del Microsoft CHAP (MS-CHAP), el PC valida la versión MS-CHAP 1 y no valida la GRIETA por el RFC 1994.

Ejemplos de configuraciones y depuración

Configuración - TACACS+ y PAP
Current configuration:

!
version 11.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname rtpkrb
!
aaa new-model
!

!--- The following four lines of the 
!--- configuration are specific to 
!--- Cisco IOS 11.2 and later, until 11.3.3.T. 
!--- See below this configuration 
!--- for commands for other Cisco IOS releases.

!
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+ local
aaa authorization exec tacacs+ if-authenticated
aaa authorization network tacacs+ if-authenticated
enable secret 5 $1$pkX.$JdAySRE1SbdbDe7bj0wyt0
enable password ww
!
username john password 0 doe
username cse password 0 csecse
ip host rtpkrb 10.31.1.5
ip domain-name RTP.CISCO.COM
ip name-server 171.68.118.103
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 10.31.1.5 255.255.0.0
no mop enabled
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode dedicated
peer default ip address pool async
no cdp enable
ppp authentication pap
!
ip local pool async 15.15.15.15
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
tacacs-server host 171.68.118.101
tacacs-server key cisco
snmp-server community public RW
snmp-server host 171.68.118.100 traps public
!
line con 0
line 1
session-timeout 20 
exec-timeout 20 0
password ww
autoselect during-login
autoselect ppp
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
line 2
modem InOut
speed 38400
flowcontrol hardware
line 3 16
line aux 0
line vty 0 4
password ww
!
end

Comandos para otras versiones del software del IOS de Cisco

Nota: Para utilizar estos comandos, quite los comandos en intrépido de la configuración y la goma en estos comandos adentro, según lo dictado por su Cisco IOS Release.

Cisco IOS 11.3.3.T hasta 12.0.5.T

aaa authen login default tacacs+ local
aaa authen ppp default if-needed tacacs+ local
aaa authorization exec default tacacs+ if-authenticated
aaa authorization network default tacacs+ if-authenticated

Cisco IOS 12.0.5.T y posterior

aaa authen login default group tacacs+ local
aaa authen ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated

Depuraciones de ejemplo: TACACS+ y PAP

Nota: En la salida de los debugs, el texto en negrita resalta los problemas en el debug. El sólo texto indica un debug correcta.

rtpkrb#show debug
General OS:
TACACS access control debugging is on
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
rtpkrb#
3d22h: %LINK-3-UPDOWN: Interface Async1, changed state to up
3d22h: As1 PPP: Treating connection as a dedicated line
3d22h: As1 PPP: Phase is ESTABLISHING, Active Open
3d22h: As1 LCP: O CONFREQ [Closed] id 14 len 24
3d22h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP: AuthProto PAP (0x0304C023)
3d22h: As1 LCP: MagicNumber 0xF45FB7A7 (0x0506F45FB7A7)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)


!--- PC insists on doing CHAP 
!--- ("accept encrypted authentication only"), 
!--- but router is set up for PAP.

As1 LCP: I CONFNAK [REQsent] id 27 len 12
As1 LCP: AuthProto 0xC123 (0x0308C12301000001)
As1 PPP: Closing connection because remote won't authenticate

3d22h: As1 LCP: Interface transitioned, discarding packet
3d22h: As1 LCP: I CONFACK [REQsent] id 14 len 24
3d22h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP: AuthProto PAP (0x0304C023)
3d22h: As1 LCP: MagicNumber 0xF45FB7A7 (0x0506F45FB7A7)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: TIMEout: Time 0x14417CC4 State ACKrcvd
3d22h: As1 LCP: O CONFREQ [ACKrcvd] id 15 len 24
3d22h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP: AuthProto PAP (0x0304C023)
3d22h: As1 LCP: MagicNumber 0xF45FB7A7 (0x0506F45FB7A7)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: I CONFACK [REQsent] id 15 len 24
3d22h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP: AuthProto PAP (0x0304C023)
3d22h: As1 LCP: MagicNumber 0xF45FB7A7 (0x0506F45FB7A7)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: I CONFREQ [ACKrcvd] id 0 len 20
3d22h: As1 LCP: ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP: MagicNumber 0x000030A3 (0x0506000030A3)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: O CONFACK [ACKrcvd] id 0 len 20
3d22h: As1 LCP: ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP: MagicNumber 0x000030A3 (0x0506000030A3)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: State is Open
3d22h: As1 PPP: Phase is AUTHENTICATING, by this end
3d22h: As1 PAP: I AUTH-REQ id 4 len 20 from "papuser"
3d22h: As1 PAP: Authenticating peer papuser
3d22h: AAA/AUTHEN: create_user (0x16DAC0) user='papuser' 
ruser='' port='Async1' rem_addr='async' authen_type=PAP 
service=PPP priv=1
3d22h: AAA/AUTHEN/START (1190231344): port='Async1' list=''
 action=LOGIN service=PPP
3d22h: AAA/AUTHEN/START (1190231344): using "default" list
3d22h: AAA/AUTHEN (1190231344): status = UNKNOWN
3d22h: AAA/AUTHEN/START (1190231344): Method=TACACS+
3d22h: TAC+: send AUTHEN/START packet ver=193 id=1190231344
3d22h: TAC+: Using default tacacs server list.
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5


!--- The TAC+ server is down, producing an error. 
!--- Since the user is not in the local database, 
!--- the failover to local fails.

TAC+: TCP/IP open to 171.68.118.101/49 failed -- 
Connection refused by remote host
AAA/AUTHEN (866823886): status = ERROR
AAA/AUTHEN/START (866823886): Method=LOCAL
AAA/AUTHEN (866823886): status = FAIL

3d22h: TAC+: Opened TCP/IP handle 0x16C1F8 to 171.68.118.101/49
3d22h: TAC+: 171.68.118.101 (1190231344) AUTHEN/START/LOGIN/PAP queued
3d22h: TAC+: (1190231344) AUTHEN/START/LOGIN/PAP processed


!--- The key in the router does not match that of the server.

TAC+: received bad AUTHEN packet: length = 68, expected 67857
TAC+: Invalid AUTHEN/START packet (check keys)
AAA/AUTHEN (1771887965): status = ERROR
 
3d22h: TAC+: ver=192 id=1190231344 received AUTHEN status = GETPASS
3d22h: TAC+: Closing TCP/IP 0x16C1F8 connection to 171.68.118.101/49
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16EF4C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: AAA/AUTHEN: create_user (0x16C5EC) user='papuser' ruser='' 
port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
3d22h: TAC+: rev0 inbound pap login for id=1190231344 using id=3112896669
3d22h: TAC+: 171.68.118.101 (3112896669) AUTHEN/START/LOGIN/PAP queued
3d22h: TAC+: (3112896669) AUTHEN/START/LOGIN/PAP processed
3d22h: TAC+: ver=192 id=3112896669 received AUTHEN status = GETPASS
3d22h: TAC+: send AUTHEN/CONT packet
3d22h: TAC+: 171.68.118.101 (3112896669) AUTHEN/CONT queued
3d22h: TAC+: (3112896669) AUTHEN/CONT processed


!--- The NT client sends the "DOMAIN\user" 
!--- and the TAC+ server expects "user".

TAC+: ver=192 id=260507389 received AUTHEN status = FAIL
TAC+: rev0 inbound pap completed for 1139034411 status=FAIL
AAA/AUTHEN: free_user (0x16CDD4) user='CISCO\papuser' ruser='' 
port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1


!--- The TAC+ server refuses the user  
!--- because the user is set up for PAP. 
!--- The user enters a bad password, 
!--- or both the username and password are bad.

TAC+: ver=192 id=691012958 received AUTHEN status = FAIL
TAC+: rev0 inbound pap completed for 3917384959 status=FAIL
AAA/AUTHEN: free_user (0x15AD58) user='idochap' ruser='' 
port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1

3d22h: TAC+: ver=192 id=3112896669 received AUTHEN status = PASS
3d22h: TAC+: rev0 inbound pap completed for 1190231344 status=PASS
3d22h: AAA/AUTHEN: free_user (0x16C5EC) user='papuser' ruser='' 
port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
3d22h: TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
3d22h: AAA/AUTHEN (1190231344): status = PASS
3d22h: AAA/AUTHOR/LCP As1: Authorize LCP
3d22h: AAA/AUTHOR/LCP: Async1: (1061976769): user='papuser'
3d22h: AAA/AUTHOR/LCP: Async1: (1061976769): send AV service=ppp
3d22h: AAA/AUTHOR/LCP: Async1: (1061976769): send AV protocol=lcp
3d22h: AAA/AUTHOR/LCP: Async1: (1061976769): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (1061976769): user=papuser
3d22h: AAA/AUTHOR/TAC+: (1061976769): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (1061976769): send AV protocol=lcp
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16C9E0 to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (1061976769) AUTHOR/START queued
3d22h: TAC+: (1061976769) AUTHOR/START processed


!--- The user passes authentication 
!--- (the username/password is good)
!--- but fails authorization 
!--- (the profile is not set up to authorize PPP).

TAC+: (1793875816): received author response status = FAIL
TAC+: Closing TCP/IP 0x17054C connection to 171.68.118.101/49
AAA/AUTHOR (1793875816): Post authorization status = FAIL
AAA/AUTHOR/LCP As1: Denied

3d22h: TAC+: (1061976769): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16C9E0 connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (1061976769): Post authorization status = PASS_ADD
3d22h: As1 PAP: O AUTH-ACK id 4 len 5
3d22h: As1 PPP: Phase is UP
3d22h: AAA/AUTHOR/FSM As1: (0): Can we start IPCP?
3d22h: AAA/AUTHOR/FSM: Async1: (3602788894): user='papuser'
3d22h: AAA/AUTHOR/FSM: Async1: (3602788894): send AV service=ppp
3d22h: AAA/AUTHOR/FSM: Async1: (3602788894): send AV protocol=ip
3d22h: AAA/AUTHOR/FSM: Async1: (3602788894): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (3602788894): user=papuser
3d22h: AAA/AUTHOR/TAC+: (3602788894): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (3602788894): send AV protocol=ip
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, 
changed state to up
3d22h: TAC+: Opened TCP/IP handle 0x17054C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (3602788894) AUTHOR/START queued
3d22h: As1 IPCP: I CONFREQ [Closed] id 1 len 34
3d22h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: TAC+: (3602788894) AUTHOR/START processed
3d22h: TAC+: (3602788894): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x17054C connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (3602788894): Post authorization status = PASS_ADD
3d22h: AAA/AUTHOR/FSM As1: We can start IPCP
3d22h: As1 IPCP: O CONFREQ [Closed] id 10 len 10
3d22h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
3d22h: As1 IPCP: I CONFACK [REQsent] id 10 len 10
3d22h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 1 len 34
3d22h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, 
we want 0.0.0.0
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, 
we want 0.0.0.0
3d22h: As1 IPCP: Using pool 'async'
3d22h: As1 IPCP: Pool returned 15.15.15.15
3d22h: As1 IPCP: O CONFREJ [ACKrcvd] id 1 len 22
3d22h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 2 len 16
3d22h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, 
we want 15.15.15.15
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, 
we want 15.15.15.15
3d22h: As1 IPCP: O CONFNAK [ACKrcvd] id 2 len 16
3d22h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 3 len 16
3d22h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: AAA/AUTHOR/IPCP As1: Start. Her address 15.15.15.15, 
we want 15.15.15.15
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): user='papuser'
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): send AV service=ppp
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): send AV protocol=ip
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): send AV addr*15.15.15.15
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (3654974050): user=papuser
3d22h: AAA/AUTHOR/TAC+: (3654974050): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (3654974050): send AV protocol=ip
3d22h: AAA/AUTHOR/TAC+: (3654974050): send AV addr*15.15.15.15
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16EF4C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (3654974050) AUTHOR/START queued
3d22h: TAC+: (3654974050) AUTHOR/START processed
3d22h: TAC+: (3654974050): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (3654974050): Post authorization status = PASS_ADD
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Processing AV addr*15.15.15.15
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done. Her address 15.15.15.15, 
we want 15.15.15.15
3d22h: As1 IPCP: O CONFACK [ACKrcvd] id 3 len 16
3d22h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: As1 IPCP: State is Open
3d22h: As1 IPCP: Install route to 15.15.15.15
rtpkrb#
Configuración - TACACS+ y GRIETA
Current configuration:
!
version 11.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname rtpkrb
!
aaa new-model
!

!--- The following four lines of the configuration 
!--- are specific to Cisco IOS 11.2 and later, until 11.3.3.T. 
!--- See below this configuration 
!--- for commands for other Cisco IOS releases.

!
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+ local
aaa authorization exec tacacs+ if-authenticated
aaa authorization network tacacs+ if-authenticated
enable secret 5 $1$pkX.$JdAySRE1SbdbDe7bj0wyt0
enable password ww
!
username john password 0 doe
username cse password 0 csecse
ip host rtpkrb 10.31.1.5
ip name-server 171.68.118.103
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 10.31.1.5 255.255.0.0
no mop enabled
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode dedicated
peer default ip address pool async
no cdp enable
ppp authentication chap
!
ip local pool async 15.15.15.15
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
tacacs-server host 171.68.118.101
tacacs-server key cisco
snmp-server community public RW
snmp-server host 171.68.118.100 traps public
!
line con 0
line 1
session-timeout 20 
exec-timeout 20 0
password ww
autoselect during-login
autoselect ppp
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
line 2
modem InOut
speed 38400
flowcontrol hardware
line 3 16
line aux 0
line vty 0 4
password ww
!
end

Comandos para otras versiones del software del IOS de Cisco

Nota: Nota: Para utilizar estos comandos, quite los comandos en intrépido de la configuración y pegue estos comandos adentro, según lo dictado por su Cisco IOS Release.

Cisco IOS 11.3.3.T hasta 12.0.5.T

aaa authen login default tacacs+ local
aaa authen ppp default if-needed tacacs+ local
aaa authorization exec default tacacs+ if-authenticated
aaa authorization network default tacacs+ if-authenticated

Cisco IOS 12.0.5.T y posterior

aaa authen login default group tacacs+ local
aaa authen ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated

Depuración de ejemplo - TACACS+ y CHAP

Nota: En la salida de los debugs, el texto en negrita resalta los problemas en el debug. El sólo texto indica un debug correcta.

General OS:
TACACS access control debugging is on
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
rtpkrb#
3d22h: As1 LCP: I CONFREQ [Closed] id 0 len 20
3d22h: As1 LCP: ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP: MagicNumber 0x000042C5 (0x0506000042C5)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: Lower layer not up, discarding packet
3d22h: %LINK-3-UPDOWN: Interface Async1, changed state to up
3d22h: As1 PPP: Treating connection as a dedicated line
3d22h: As1 PPP: Phase is ESTABLISHING, Active Open
3d22h: As1 LCP: O CONFREQ [Closed] id 12 len 25
3d22h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP: AuthProto CHAP (0x0305C22305)
3d22h: As1 LCP: MagicNumber 0xF45D776F (0x0506F45D776F)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: I CONFACK [REQsent] id 12 len 25
3d22h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP: AuthProto CHAP (0x0305C22305)
3d22h: As1 LCP: MagicNumber 0xF45D776F (0x0506F45D776F)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: I CONFREQ [ACKrcvd] id 0 len 20
3d22h: As1 LCP: ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP: MagicNumber 0x000042C5 (0x0506000042C5)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: O CONFACK [ACKrcvd] id 0 len 20
3d22h: As1 LCP: ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP: MagicNumber 0x000042C5 (0x0506000042C5)
3d22h: As1 LCP: PFC (0x0702)
3d22h: As1 LCP: ACFC (0x0802)
3d22h: As1 LCP: State is Open
3d22h: As1 PPP: Phase is AUTHENTICATING, by this end
3d22h: As1 CHAP: O CHALLENGE id 3 len 27 from "rtpkrb"
3d22h: As1 CHAP: I RESPONSE id 3 len 29 from "chapuser"
3d22h: AAA/AUTHEN: create_user (0x15B394) user='chapuser' 
ruser='' port='Async1' rem_addr='async' authen_type=CHAP 
service=PPP priv=1
3d22h: AAA/AUTHEN/START (2183639772): port='Async1' list='' 
action=LOGIN service=PPP
3d22h: AAA/AUTHEN/START (2183639772): using "default" list
3d22h: AAA/AUTHEN (2183639772): status = UNKNOWN
3d22h: AAA/AUTHEN/START (2183639772): Method=TACACS+
3d22h: TAC+: send AUTHEN/START packet ver=193 id=2183639772
3d22h: TAC+: Using default tacacs server list.
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5


!--- The TAC+ server is down, producing an error. 
!--- Since the user is not in the local database, 
!--- the failover to local fails.

TAC+: TCP/IP open to 171.68.118.101/49 failed -- 
Connection refused by remote host
AAA/AUTHEN (2546660185): status = ERROR
AAA/AUTHEN/START (2546660185): Method=LOCAL
AAA/AUTHEN (2546660185): status = FAIL
As1 CHAP: Unable to validate Response. Username chapuser: Authentication failure

3d22h: TAC+: Opened TCP/IP handle 0x17054C to 171.68.118.101/49
3d22h: TAC+: 171.68.118.101 (2183639772) AUTHEN/START/LOGIN/CHAP queued
3d22h: TAC+: (2183639772) AUTHEN/START/LOGIN/CHAP processed


!--- The key in the router does not match that of the server.

TAC+: received bad AUTHEN packet: length = 68, expected 67857
TAC+: Invalid AUTHEN/START packet (check keys)
AAA/AUTHEN (1771887965): status = ERROR

3d22h: TAC+: ver=192 id=2183639772 received AUTHEN status = GETPASS
3d22h: TAC+: Closing TCP/IP 0x17054C connection to 171.68.118.101/49
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16EF4C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: AAA/AUTHEN: create_user (0x170940) user='chapuser' ruser='' 
port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
3d22h: TAC+: rev0 inbound chap for id=2183639772 using id=166703029
3d22h: TAC+: 171.68.118.101 (166703029) AUTHEN/START/SENDPASS/CHAP queued
3d22h: TAC+: (166703029) AUTHEN/START/SENDPASS/CHAP processed


!--- The NT client sends the "DOMAIN\user" 
!--- and the TAC+ server expects "user".

TAC+: ver=192 id=3373385106 received AUTHEN status = FAIL
TAC+: rev0 inbound chap FAIL for id=2082151566
AAA/AUTHEN: free_user (0x170940) user='CISCO\chapuser' ruser='' 
port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1


!--- The TAC+ server refuses the user  
!--- because the user is set up for PAP.
!--- The user enters a bad password, 
!--- or both the username and password are bad.

TAC+: ver=192 id=1989464562 received AUTHEN status = PASS
TAC+: rev0 inbound chap SENDPASS status=PASS for id=3657266965
TAC+: rev0 inbound chap MD5 compare FAILED
AAA/AUTHEN: free_user (0x170940) user='chapuser' ruser='' 
port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
AAA/AUTHEN (2082151566): status = FAIL
As1 CHAP: Unable to validate Response. Username papuser: Authentication failure

3d22h: TAC+: ver=192 id=166703029 received AUTHEN status = PASS
3d22h: TAC+: rev0 inbound chap SENDPASS status=PASS for id=2183639772
3d22h: TAC+: rev0 inbound chap MD5 compare OK
3d22h: AAA/AUTHEN: free_user (0x170940) user='chapuser' ruser='' 
port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
3d22h: TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
3d22h: AAA/AUTHEN (2183639772): status = PASS
3d22h: AAA/AUTHOR/LCP As1: Authorize LCP
3d22h: AAA/AUTHOR/LCP: Async1: (683360936): user='chapuser'
3d22h: AAA/AUTHOR/LCP: Async1: (683360936): send AV service=ppp
3d22h: AAA/AUTHOR/LCP: Async1: (683360936): send AV protocol=lcp
3d22h: AAA/AUTHOR/LCP: Async1: (683360936): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (683360936): user=chapuser
3d22h: AAA/AUTHOR/TAC+: (683360936): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (683360936): send AV protocol=lcp
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16C1F8 to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (683360936) AUTHOR/START queued
3d22h: TAC+: (683360936) AUTHOR/START processed


!--- The user passes authentication 
!--- (the username/password is good) 
!--- but fails authorization 
!--- (the profile is not set up to authorize PPP).

TAC+: (3803447096): received author response status = FAIL
TAC+: Closing TCP/IP 0x16C2A4 connection to 171.68.118.101/49
AAA/AUTHOR (3803447096): Post authorization status = FAIL
AAA/AUTHOR/LCP As1: Denied
AAA/AUTHEN: free_user (0x15B2E8) user='noauth' ruser='' port='Async1' 
rem_addr='async' authen_type=CHAP service=PPP priv=1
As1 CHAP: O FAILURE id 9 len 24 msg is "Authorization failed"

3d22h: TAC+: (683360936): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16C1F8 connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (683360936): Post authorization status = PASS_ADD
3d22h: As1 CHAP: O SUCCESS id 3 len 4
3d22h: As1 PPP: Phase is UP
3d22h: AAA/AUTHOR/FSM As1: (0): Can we start IPCP?
3d22h: AAA/AUTHOR/FSM: Async1: (977509495): user='chapuser'
3d22h: AAA/AUTHOR/FSM: Async1: (977509495): send AV service=ppp
3d22h: AAA/AUTHOR/FSM: Async1: (977509495): send AV protocol=ip
3d22h: AAA/AUTHOR/FSM: Async1: (977509495): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (977509495): user=chapuser
3d22h: AAA/AUTHOR/TAC+: (977509495): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (977509495): send AV protocol=ip
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16EF4C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (977509495) AUTHOR/START queued
3d22h: As1 IPCP: I CONFREQ [Closed] id 1 len 34
3d22h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: TAC+: (977509495) AUTHOR/START processed
3d22h: TAC+: (977509495): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (977509495): Post authorization status = PASS_ADD
3d22h: AAA/AUTHOR/FSM As1: We can start IPCP
3d22h: As1 IPCP: O CONFREQ [Closed] id 8 len 10
3d22h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
3d22h: As1 IPCP: I CONFACK [REQsent] id 8 len 10
3d22h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
3d22h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, 
changed state to up
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 1 len 34
3d22h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, 
we want 0.0.0.0
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, 
we want 0.0.0.0
3d22h: As1 IPCP: Using pool 'async'
3d22h: As1 IPCP: Pool returned 15.15.15.15
3d22h: As1 IPCP: O CONFREJ [ACKrcvd] id 1 len 22
3d22h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 2 len 16
3d22h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, 
we want 15.15.15.15
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, 
we want 15.15.15.15
3d22h: As1 IPCP: O CONFNAK [ACKrcvd] id 2 len 16
3d22h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 3 len 16
3d22h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: AAA/AUTHOR/IPCP As1: Start. Her address 15.15.15.15, 
we want 15.15.15.15
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): user='chapuser'
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): send AV service=ppp
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): send AV protocol=ip
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): send AV addr*15.15.15.15
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (3918374858): user=chapuser
3d22h: AAA/AUTHOR/TAC+: (3918374858): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (3918374858): send AV protocol=ip
3d22h: AAA/AUTHOR/TAC+: (3918374858): send AV addr*15.15.15.15
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16C9E0 to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (3918374858) AUTHOR/START queued
3d22h: TAC+: (3918374858) AUTHOR/START processed
3d22h: TAC+: (3918374858): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16C9E0 connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (3918374858): Post authorization status = PASS_ADD
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Processing AV addr*15.15.15.15
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done. Her address 15.15.15.15, 
we want 15.15.15.15
3d22h: As1 IPCP: O CONFACK [ACKrcvd] id 3 len 16
3d22h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: As1 IPCP: State is Open
3d22h: As1 IPCP: Install route to 15.15.15.15
rtpkrb#

comandos debug

Utilizaron a estos comandos debug de presentar el ejemplo de salida del debug en este documento.

Nota: Antes de ejecutar un comando de depuración, consulte Información importante sobre comandos de depuración.

  • haga el debug de la autenticación aaa — Visualiza la información sobre la autenticación AAA.

  • debug aaa authorization — Visualiza la información sobre la autorización AAA.

  • debug tacacs+ — Visualiza la información de debugging detallada asociada al TACACS+.

  • debug ppp negotiation — Muestra los paquetes PPP transmitidos durante el inicio PPP, durante el cual se negocian las opciones PPP.

Discusiones relacionadas de la comunidad de soporte de Cisco

La Comunidad de Soporte de Cisco es un foro donde usted puede preguntar y responder, ofrecer sugerencias y colaborar con colegas.


Información Relacionada


Document ID: 13864