L2TP and TACACS+
Hello.
I have PPTP server on my Cisco 3845 router with authentication on freeware TACACS+ server (Linux). TACACS set ACL and IP address for users.
Recently employers decide to migrate to L2TP over IPsec. Moreover old PPTP server should work.
Can I use TACACS server for authenticate L2TP users?
I have config like this on TACACS.
user = user1 {
chap = cleartext "password"
member = vpdn
service = ppp protocol = ip {
addr = 172.20.20.200
inacl=2005
Sorry for my Enflish.
Please see the below documnet. This document describes how to configure Layer 2 Tunnel Protocol (L2TP) with TACACS+. It includes sample configurations for L2TP Access Concentrator (LAC) TACACS+ servers, L2TP Network Server (LNS) TACACS+ servers, and routers.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080118d5f.shtml
Similar Messages
-
Hello All,
I want to download a free, yet reliable AAA and TACACS servers, can you guide me? Also, I need help with configuring them for study purpose.You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
ACS v4.2.0.124 90-Days Evaluation Software
eval-ACS-4.2.0.124-SW.zip
http://tools.cisco.com/squish/9B37e
Path:
Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
> Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
~BR
Jatin Katyal
**Do rate helpful posts** -
Can a Cisco 2600 router do PPTP,L2TP, and IPSec?
General question.
2600 supports L2TP and PPTP with MPPE with an IP PLUS version, and IPsec with a firewall version.
-
We are trying to get our WAAS environment to authenticate against TACACS and then fall over to local if TACACS is unavailable. For engineer logins everything is working as expected. However we are seeing several thousand failures against the TACACS server from a username of "CMS". This user is not configured in the CM or in TACACS. So we log the failed login and CMS logs into the WAE due to the failover to local mechanism. Looking at packet captures, and debugging aaa on the WAE's it is definitely a CMS user that logs in but shows 127.0.0.1 as its "from" host. I am fairly confident this is automation within the WAE syncing with the CM or vice versa. Does anyone know how to get WAAS and TACACS to work together without a mass amount of login failures? Is there a way this CMS user can be cloned/duplicated on the tacacs server? What is the password for this automation user?
Thanks in advance.Hi Stan,
WAE can authenticate against TACACS, RADIUS and Central Manager (Local) at any time depending on your configuration.
There are couple of things to keep in mind while configuring TACACS on WAE, on both sides - TACACS adn WAE CM.
On TACACS side:
1. Please make sure to create right username.
2. Please make sure to verify if you are using ASCII password authentication.
3. Try to use less than 15 letters - Alphanumeric TACACS password.
4. Please provide right user level / group level persmissions. This is somewhere under user account properties. Please also make sure to select right user password under user properties.
5. Verify if this user needs level 15 (admin equivalent account).
On WAE CM side:
1. Please make sure to select right authentication method as primary and secondary.
2. Please make sure to enable the check box for authentication methods.
You can verify the failure / successful log events on TACACS server in order to find out if the user is atleast trying to authenticate against TACACS.
I am sure you have looked at this link to find out all the required steps: Configuring TACACS+ Server Settings
Hope this helps.
Regards.
PS: Please mark this as Answered, if this resolves your issue. -
L2tp and pptp...
hi...in windows server creating lt2p and pptp server is really no brain. how to setup l2tp and pptp in cisco router? tx :)
hi...in windows server creating lt2p and pptp server is really no brain. how to setup l2tp and pptp in cisco router? tx :)
-
L2TP and fixed Framed IP Address for VPN user
Hi,
I have a running L2TP/IPsec VPN setup with authentification against a radius server (freeradius2 witch mysql). I would like to have some of my VPN users get a fixed IP address instead of the dynamically assigned IP Pool.
The radius server is returning the correct parameters, I think.
I hope someone can help me.
It´s a Cisco 892 Integrated Service Router.
Router Config:
=============================================================
Current configuration : 8239 bytes
! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
hostname vpngw2
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
logging buffered 51200 warnings
enable secret 5 secret
aaa new-model
aaa authentication login default local group radius
aaa authentication login userauthen local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network groupauthor local
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group radius
aaa accounting network default
action-type start-stop
group radius
aaa accounting resource default
action-type start-stop
group radius
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip domain name aspect-online.de
ip name-server 10.28.1.31
ip inspect WAAS flush-timeout 10
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
virtual-profile if-needed
multilink bundle-name authenticated
async-bootp dns-server 10.28.1.31
async-bootp nbns-server 10.28.1.31
vpdn enable
vpdn authen-before-forward
vpdn authorize directed-request
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
license udi pid -K9 sn FCZ
username root password 7 secret
ip ssh source-interface FastEthernet8
ip ssh version 2
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key mykey address 0.0.0.0 no-xauth
crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
mode transport
crypto dynamic-map config-map-l2tp 10
set nat demux
set transform-set configl2tp
crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
no ip address
spanning-tree portfast
interface FastEthernet1
no ip address
spanning-tree portfast
<snip>
interface FastEthernet7
no ip address
spanning-tree portfast
interface FastEthernet8
ip address 10.28.1.97 255.255.255.0
ip access-group vpn_to_lan out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1
ip unnumbered GigabitEthernet0
ip access-group vpn_to_inet_lan in
ip nat inside
ip virtual-reassembly in
peer default ip address pool l2tpvpnpool
ppp encrypt mppe 128
ppp authentication chap
interface GigabitEthernet0
description WAN Port
ip address x.x.x.39 255.255.255.0
ip access-group from_inet in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpnl2tp
interface Vlan1
no ip address
shutdown
ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
ip local pool remotepool 192.168.252.240 192.168.252.243
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat log translations syslog
ip nat inside source route-map natmap interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.33
ip access-list extended from_inet
<snip>
ip access-list extended nat_clients
permit ip 192.168.252.0 0.0.0.255 any
ip access-list extended vpn_to_inet_lan
<snip>
ip access-list extended vpn_to_lan
<snip>
deny ip any any log-input
logging trap debugging
logging facility local2
logging 10.28.1.42
no cdp run
route-map natmap permit 10
match ip address nat_clients
radius-server attribute 8 include-in-access-req
radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
radius-server key 7 mykey
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
mgcp profile default
banner login ^C
Hostname: vpngw2
Model: Cisco 892 Integrated Service Router
Description: L2TP/IPsec VPN Gateway with Radius Auth
^C
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
=============================================================
User Config in Radius (tying multiple attributes):
=============================================================
Attribute | op | Value
Service-Type | = | Framed-User
Cisco-AVPair | = | vpdn:ip-addresses=192.168.252.220
Framed-IP-Address | := | 192.168.252.221
Cisco-AVPair | = | ip:addr-pool=remotepool
=============================================================
Debug Log from freeradius2:
=============================================================
rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
Framed-Protocol = PPP
User-Name = "me1"
CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
Connect-Info = "100000000"
NAS-Port-Type = Sync
NAS-Port = 10007
NAS-Port-Id = "Uniq-Sess-ID7"
Service-Type = Framed-User
NAS-IP-Address = 10.28.1.97
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'me1' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'me1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'me1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "me1" with CHAP password
[chap] Using clear text password "test" for user me1 authentication.
[chap] chap user me1 authenticated succesfully
++[chap] returns ok
Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 10.28.1.97 port 1645
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP-Address := 192.168.252.221
Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
Service-Type = Framed-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
Acct-Session-Id = "00000011"
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IPv4
Tunnel-Server-Endpoint:0 = "x.x.x.39"
Tunnel-Client-Endpoint:0 = "x.x.x.34"
Tunnel-Assignment-Id:0 = "L2TP"
Tunnel-Client-Auth-Id:0 = "me1"
Tunnel-Server-Auth-Id:0 = "vpngw2"
Framed-Protocol = PPP
Framed-IP-Address = 192.168.252.9
User-Name = "me1"
Cisco-AVPair = "connect-progress=LAN Ses Up"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
Connect-Info = "100000000"
NAS-Port-Type = Sync
NAS-Port = 10007
NAS-Port-Id = "Uniq-Sess-ID7"
Service-Type = Framed-User
NAS-IP-Address = 10.28.1.97
Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] expand: %t -> Fri Mar 30 11:20:07 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
Finished request 1.
Cleaning up request 1 ID 19 with timestamp +53
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
Acct-Session-Id = "00000011"
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IPv4
Tunnel-Server-Endpoint:0 = "x.x.x.39"
Tunnel-Client-Endpoint:0 = "x.x.x.34"
Tunnel-Assignment-Id:0 = "L2TP"
Tunnel-Client-Auth-Id:0 = "me1"
Tunnel-Server-Auth-Id:0 = "vpngw2"
Framed-Protocol = PPP
Framed-IP-Address = 192.168.252.9
Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
User-Name = "me1"
Acct-Authentic = RADIUS
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=100000000"
Cisco-AVPair = "nas-rx-speed=100000000"
Acct-Session-Time = 5
Acct-Input-Octets = 5980
Acct-Output-Octets = 120
Acct-Input-Packets = 47
Acct-Output-Packets = 11
Acct-Terminate-Cause = User-Request
Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
Acct-Status-Type = Stop
Connect-Info = "100000000"
NAS-Port-Type = Sync
NAS-Port = 10007
NAS-Port-Id = "Uniq-Sess-ID7"
Service-Type = Framed-User
NAS-IP-Address = 10.28.1.97
Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] expand: %t -> Fri Mar 30 11:20:12 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Input-Octets} -> 5980
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Output-Octets} -> 120
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2012-03-30 11:20:12', acctsessiontime = '5', acctinputoctets = '0' << 32 | '5980', acctoutputoctets = '0' << 32 |
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
Finished request 2.
Cleaning up request 2 ID 20 with timestamp +58
Going to the next request
Waking up in 0.1 seconds.
Cleaning up request 0 ID 7 with timestamp +53
Ready to process requests.
=============================================================
Log From Cisco Router:
=============================================================
Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS: authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS: User-Name [1] 5 "me1"
Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS: CHAP-Password [3] 19 *
Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS: Connect-Info [77] 11 "100000000"
Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS: NAS-Port-Type [61] 6 Sync [1]
Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS: NAS-Port [5] 6 10007
Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS: NAS-IP-Address [4] 6 10.28.1.97
Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS: authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS: Framed-IP-Address [8] 6 192.168.252.221
Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS: Vendor, Cisco [26] 41
Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS: Cisco AVpair [1] 35 "vpdn:ip-addresses=192.168.252.220"
Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS: authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS: Acct-Session-Id [44] 10 "00000011"
Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS: Tunnel-Type [64] 6 00:
Mar 30 11:20:07 vpngw2 1258: L2TP [3]
Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS: Tunnel-Client-Endpoi[66] 16 "x.x.x.34"
Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS: Tunnel-Assignment-Id[82] 6 "L2TP"
Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS: Tunnel-Client-Auth-I[90] 5 "me1"
Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS: Tunnel-Server-Auth-I[91] 8 "vpngw2"
Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS: Framed-IP-Address [8] 6 192.168.252.9
Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS: User-Name [1] 5 "me1"
Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS: Vendor, Cisco [26] 35
Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS: Acct-Status-Type [40] 6 Start [1]
Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS: Connect-Info [77] 11 "100000000"
Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS: NAS-Port-Type [61] 6 Sync [1]
Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS: NAS-Port [5] 6 10007
Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS: NAS-IP-Address [4] 6 10.28.1.97
Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS: Acct-Delay-Time [41] 6 0
Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS: authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS: authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS: Acct-Session-Id [44] 10 "00000011"
Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS: Tunnel-Type [64] 6 00:
Mar 30 11:20:12 vpngw2 1292: L2TP [3]
Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS: Tunnel-Client-Endpoi[66] 16 "x.x.x.34"
Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS: Tunnel-Assignment-Id[82] 6 "L2TP"
Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS: Tunnel-Client-Auth-I[90] 5 "me1"
Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS: Tunnel-Server-Auth-I[91] 8 "vpngw2"
Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS: Framed-IP-Address [8] 6 192.168.252.9
Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 59
Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 53 "ppp-disconnect-cause=Received LCP TERMREQ from peer"
Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS: User-Name [1] 5 "me1"
Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 35
Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 30
Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 24 "nas-tx-speed=100000000"
Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 30
Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 24 "nas-rx-speed=100000000"
Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS: Acct-Session-Time [46] 6 5
Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS: Acct-Input-Octets [42] 6 5980
Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS: Acct-Output-Octets [43] 6 120
Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS: Acct-Input-Packets [47] 6 47
Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS: Acct-Output-Packets [48] 6 11
Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1]
Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 39
Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 33 "disc-cause-ext=PPP Receive Term"
Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS: Acct-Status-Type [40] 6 Stop [2]
Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS: Connect-Info [77] 11 "100000000"
Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS: NAS-Port-Type [61] 6 Sync [1]
Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS: NAS-Port [5] 6 10007
Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS: NAS-IP-Address [4] 6 10.28.1.97
Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS: Acct-Delay-Time [41] 6 0
Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS: authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
=============================================================I found the failure.
In the cisco config it must be
aaa authorization network default group radius local
not
aaa authorization network groupauthor local -
I'm having to use the free TACACS+ in an environment to configure authentication for all the network devices. I have all the routers and switches working just fine, but am having issue with getting the ACE to use TACACS. I've configured ACE to authenticate to an ACS server by adding the additional shell custom attributes (shell:Admin*Admin default-domain) and this worked fine. I found in some documentation on TACACS+ that described how to add this similar attribute to the tac_plus.conf file, but it doesn't seem to want to work. My aaa config from the ACE as well as the tac_plus.conf file content below. I know the AAA is working with this TACACS server as the accounting functions properly.
ACE AAA
tacacs-server host 10.1.0.202 key 7 <removed>
aaa group server tacacs+ TAC_AUTH
server 10.1.0.202
aaa authentication login default group TAC_AUTH local
aaa authentication login console group TAC_AUTH local
aaa accounting default group TAC_AUTH local
tac_plus.conf
# Accounting Logs
accounting file = /data/tacacs.log
# Server Key
key = <removed>
# ACL
acl = auth_routers {
permit = .*
# Groups
group = admin {
login = file /etc/passwd
acl = auth_routers
service = exec {
optional shell:Admin = "Admin default-domain"
# Users
user = admin1 {
default service = permit
member = admin
user = admin2 {
default service = permit
member = admin
user = admin3 {
default service = permit
member = adminAnyone?
-
Authenticating against RADIUS *AND* TACACS
G'day...
Toys:
Cisco Secure ACS 3.2
Cisco 1242 Access Points
I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
The only way I have gotten this to work is to setup TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
Cheers,
Andrew.Hi,
The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device, you can assign any name. What is important is the IP Address to allow the device and ACS to communicate via each AAA protocol.
If your device need to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP on both TACACS+ and RADIUS.
I am using the same approach to authenticate remote access clients and network admin in my Access Server.
Rgds,
AK -
802.1x and TACACS+
I use the ACS box mainly for AAA on the switches and routers using tacacs. Now we're looking at the possibility of using 802.1x, my early reading tell me I have to use RADIUS, but I'm using TACACS, can I have ttow different methods of authentication on the same switch/router?
Any help would be greatly appreciated.
Thanks.Hi ,
Yes you can have different authentication methods on the same router/switch .
In case if you need to configure 802.1x you can simply add the 802.1x commands as they will not interfare in the working of your tacacs authentication .
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801f0a44.html
If you want to configure radius for login authentication along with exsisting Tacacs then you need to configure method list .
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a8.html#wp1000906
Regards,
Puneet -
Configuring RAS and TACACS+. through ACS.
Hi all,
I have very basic question about
configuring RAS with digital modems
and AAA through TACACS+. I use
command peer default ip address pool OLA under interface Group-Async0 and interface Dialer10
for example. And inside router I configure this pool with some range of
IP addresses...for example
ip local pool OLA 192.168.10.2 192.168.10.127.
And I set AAA through TACACS+.
What should I do next on ACS ? Should I configure this pool of IP addresses on ACS or it is sufficient to do it only on router? Or do this on router is not important ?
Thanks
jlJohn
I have configured RAS for dial-in services where we authenticated the dial-in users via TACACS and ACS. I did not have to do anything on ACS about the dial pool. The only thing that I had to do on ACS was to configure it to authenticate users whose authentication request came from that router. (In other words nothing special on ACS just because they were dial-in.) Just be sure that your aaa on the router provides for authenticating ppp.
HTH
Rick -
WLC s/w v4.1 and TACACS unreachable
In,
Cisco WLC_Config Guide_Web & CLI_Release 4.1
it says,
"If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."
Does this mean it does not support a fail-safe password like IOS does where the Enable password can be used to get into a router if TACACS+ is unreachable?Hi Mark,
No, the local database is always queried first.
Please read Chapter 5 and the section on configuring TACACS:
"You can specify the order of authentication when multiple databases are configured, click Security > Priority Order > Management User. The Priority Order > Management User page will appear."
It goes on further to explain:
For Authentication Priority, choose either Radius or TACACS+ to specify which server has priority over the other when the controller attempts to authenticate management users. By default, the local database is always queried first. If the username is not found, the controller switches to the TACACS+ server if configured for TACACS+ or to the RADIUS server if configured for Radius. The default setting is local and then Radius."
Hope this helps.
Paul -
Client initiated L2TP and control channel passwords
I am building a CVS application for CPEs that use client-initiated tunneling feature. IOS version is 12.4(6)T3. The l2tp-class is
configured as below:
l2tp-class l2tpclass1
password 7 15145D015037812E70
The password string changes at a regular interval. I have two questions w.r.t the password changes.
1) Why does it happens? I have not seen this happening on other passwords that use encryption type 7. I could not find any references to this in "L2TP Control Channel Authentication Parameters" documentation.
2) Is there a way to stop this behavior? Currently there is a diff. generated even though the actual configuration has not changed because of the change in password string.
Regards,
- GauravIf you configure "username xxxx password yyyyy" on a system, the encrypted form of the password will in fact change each time you do a "write memory." This is part of a "random seed" that's supposed to make the coded password harder to crack. If the box was actually configured by reading an NV config that contains the "password 7 151E080214382420" form, it should stay that way (basically, the internal format used to store the password is always the form it was "entered" in, and the password is encrypted appropriately (if it's not already encrypted) when you do the "writes.
-
Hello.
We have an ASA 5510 up and running since 2 years, with many vpnclients configured.
Now we want to enable also l2tp.
I've followed this guide:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7540.shtml
at the end of the configuration steps (I've also upgraded to 8.2.5 as required), l2tp vpns work properly, but vpnclients don't work anymore.
I've removede crypto map l2tp entry from configuration, and now vpnclients work again.
I've tried to insert L2TP transform set (3des/sha/transport) into dynamic entry 65535, but l2tp doesn't work anyway.
Configuration of crypto map now is:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set L2TP-TS ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
if I configure
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set L2TP-TS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
l2tp works, but not vpnclients.
Anyone has successfully configured both vpn on same asa?
Thanks
DanieleThanks for your suggestion, but it doesn't work
I've enabled debug, error follows:
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 500
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Oakley proposal is acceptable
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal RFC VID
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal ver 03 VID
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal ver 02 VID
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received Fragmentation VID
Oct 26 2012 10:36:05: %ASA-7-715064: IP = 217.200.185.232, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received DPD VID
Oct 26 2012 10:36:05: %ASA-7-715028: IP = 217.200.185.232, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 228
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
Oct 26 2012 10:36:05: %ASA-7-715048: IP = 217.200.185.232, Send IOS VID
Oct 26 2012 10:36:05: %ASA-7-715038: IP = 217.200.185.232, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Oct 26 2012 10:36:05: %ASA-7-715048: IP = 217.200.185.232, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Connection landed on tunnel_group DefaultRAGroup
Oct 26 2012 10:36:05: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, Generating keys for Responder...
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Oct 26 2012 10:36:05: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received
Oct 26 2012 10:36:05: %ASA-7-715076: Group = DefaultRAGroup, IP = 217.200.185.232, Computing hash for ISAKMP
Oct 26 2012 10:36:05: %ASA-6-713172: Group = DefaultRAGroup, IP = 217.200.185.232, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Connection landed on tunnel_group DefaultRAGroup
Oct 26 2012 10:36:05: %ASA-7-715076: Group = DefaultRAGroup, IP = 217.200.185.232, Computing hash for ISAKMP
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Oct 26 2012 10:36:05: %ASA-5-713119: Group = DefaultRAGroup, IP = 217.200.185.232, PHASE 1 COMPLETED
Oct 26 2012 10:36:05: %ASA-7-713121: IP = 217.200.185.232, Keep-alive type for this connection: DPD
Oct 26 2012 10:36:05: %ASA-7-715080: Group = DefaultRAGroup, IP = 217.200.185.232, Starting P1 rekey timer: 2700 seconds.
Oct 26 2012 10:36:05: %ASA-7-720041: (VPN-Primary) Sending New Phase 1 SA message (type RA, remote addr 217.200.185.232, my cookie 1EE358C2, his cookie 591DEF02) to standby unit
Oct 26 2012 10:36:06: %ASA-7-714003: IP = 217.200.185.232, IKE Responder starting QM: msg id = d148be4a
Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=d148be4a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NAT-OA (131) + NONE (0) total length : 304
Oct 26 2012 10:36:06: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received
Oct 26 2012 10:36:06: %ASA-7-713025: Group = DefaultRAGroup, IP = 217.200.185.232, Received remote Proxy Host data in ID Payload: Address 10.170.18.159, Protocol 17, Port 58636
Oct 26 2012 10:36:06: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received
Oct 26 2012 10:36:06: %ASA-7-713024: Group = DefaultRAGroup, IP = 217.200.185.232, Received local Proxy Host data in ID Payload: Address 89.96.154.130, Protocol 17, Port 1701
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, L2TP/IPSec session detected.
Oct 26 2012 10:36:06: %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rcv Delete message (type RA, remote addr 217.200.185.232, my cookie 1EE358C2, his cookie 591DEF02) to standby unit
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, QM IsRekeyed old sa not found by addr
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 1...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 2...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 3...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 3, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 4...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 4, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 5...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 5, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 6...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 6, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 7...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 7, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 8...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 8, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 9...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 9, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 10...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 11...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 11, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 12...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 12, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-713066: Group = DefaultRAGroup, IP = 217.200.185.232, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Oct 26 2012 10:36:06: %ASA-5-713904: Group = DefaultRAGroup, IP = 217.200.185.232, All IPSec SA proposals found unacceptable!
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending notify message
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, constructing ipsec notify payload for msg id d148be4a
Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=949acedb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Oct 26 2012 10:36:06: %ASA-3-713902: Group = DefaultRAGroup, IP = 217.200.185.232, QM FSM error (P2 struct &0xd8819da8, mess id 0xd148be4a)!
Oct 26 2012 10:36:06: %ASA-7-715065: Group = DefaultRAGroup, IP = 217.200.185.232, IKE QM Responder FSM error history (struct &0xd8819da8) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending delete/delete with reason message
Oct 26 2012 10:36:06: %ASA-3-713902: Group = DefaultRAGroup, IP = 217.200.185.232, Removing peer from correlator table failed, no match!
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, IKE SA MM:1ee358c2 rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 0
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, IKE SA MM:1ee358c2 terminating: flags 0x01010002, refcnt 0, tuncnt 0
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending delete/delete with reason message
Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=ce2eb537) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Oct 26 2012 10:36:06: %ASA-5-713259: Group = DefaultRAGroup, IP = 217.200.185.232, Session is being torn down. Reason: Phase 2 Mismatch
Oct 26 2012 10:36:06: %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 217.200.185.232, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch -
AAA and TACACS on everything BUT NOT console
Would like to enable login authentication AND enable authentication on VTY but NOT console. Console should authenticate locally for both user and privilige modes ... I can't seem to seperate the 'enable' piece ... any thoughts?
I do not think you can separate method list for
the enable piece. I've asked Cisco about this
in the past and they told me that it is not
possible. You can have a different method list
for the console for the "exec" mode but not
the enable or privilege mode. It is either
"tacacs" or "enable" or some other
combinations but not a separate method list for "enable" by itself. Maybe cisco added
this new feature in 12.4. I've my my testing
on both 12.2T and 12.3T and, IMHO, it is not
possible to separate the enable piece. Here
is my config:
username cisco password cisco
enable secret cisco
aaa authentication login notac local
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection TAC start-stop group tacacs+
aaa session-id common
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY -
Our management network is via VRF, the ip addess of the ACS also exists in the VRF. After the configuration, the ACS seems doesnt work and there is no reports on the ACS. Below is the configuration. Your help is appreciated!
client: int vlan 10
ip add 192.168.1.233
ip vrf forwarding Virtual
aaa authentication login new group tacacs+ local
aaa authorization exec new group tacacs+ local
aaa authorization commands 15 new group tacacs+ local
ip tacacs source-interface vlan 10
tacacs-server host 192.168.1.240
tacacs-server key key
lin vty 0 4
authorization commands 15 new
authorization exec new
login authentication new
I can ping from the source interface to the ACS via VRF.
Thank you!Can you share the config?
Depending on your setup/design, pls check the following configig guide & sample for TACACS+ with VRF:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806996cc.html
HTH
AK
Maybe you are looking for
-
Audio Clicking and broken up when playing back from timeline
Can anyone please give me some advice about a possible solution to a continuing audio problem I am having when using the Tascam Fireone with Final Cut Pro 5.1.4. (Fireone working well with Logic 7 on the same machine) The Symptoms are as follow: When
-
Looking for a way to switch views using Javascript
Hi ! I'm currently studying Acrobat 3D. <br /><br />I've got a PDF document with a 3D Annotation, which was imported from a U3D file. I defined 3 views : "initial", "front" and "top".<br /><br />My problem is that I'm looking for a way to switch view
-
When I try to open, I get 404 Not Found.
When I try to open Mozilla, I only get 404 NOT FOUND and in a seperate tab some advertising. What is wrong and how do I fix it. I uninstalled Mozilla and re-installed and I still get the same problem. == User Agent == Mozilla/4.0 (compatible; MSIE 8.
-
Best practice: Saving form data
Hello, I'm new to the JSP technology. To get some experience I built my own little shoutbox "application" where you can insert your name and a message and if you click on "submit" your message appears at the top of the page. Older messages also appea
-
Hi , I need to understand the concept of xml bursting.So can anyone suggest me a link or document? Thanks