 - RU.CISCO ---------------------------------------------------------------------
 From : Eugene M. Zheganin                   2:5054/37.63   19 Jul 2007  18:05:24
 To : All
 Subject : vpdn/pptp
 -------------------------------------------------------------------------------- 
 
 
 Background: there is a Cisco 2821 with vpdn accept-dialin on it, PPTP.
 I connect clients with the Windows PPTP client, MS-CHAP-v2/MPPE. The clients are set to "disconnect
 if there is no encryption". It works.
 
 On my network there are freeradius/IAS servers (the first proxies to the second) with
 EAP-TLS configured. Wireless APs connect to them, and EAP-TLS works fine there.
 
 I got the idea of connecting PPTP clients to them with certificates as well. Authentication itself
 completes successfully, the server sends an Access-Accept. But then the client reports the
 famous "742, the server does not support the required encryption parameters".
 I don't understand why. With MS-CHAP/MS-CHAP-v2 this happened when the line
 "aaa authorization network ..." was missing. Now that line is in the config. :/
 
 Please help me figure this out.
 
 What really bothers me in the log is
 
 Vi5 MPPC: no encryption keys available, disabling optional MPPE
 
 - when I authenticate with the CHAPs there is no such line; instead there is one with keys.
 
 It does not depend on the RADIUS type: freeradius/IAS, all the same.
 
 Debug:
 
 ===Cut===
 kosm65-gw#sh deb
 General OS:
   AAA Authentication debugging is on
   AAA Authorization debugging is on
   AAA Per-user attributes debugging is on
 VPN:
   VPDN events debugging is on
 PPP:
   MPPE Events debugging is on
   PPP protocol negotiation debugging is on
 
 Radius protocol debugging is on
 Radius packet protocol (authentication) debugging is on
 ===Cut===
 
 Log:
 
 ===Cut===
 *Jul 19 12:05:01.370: ppp98 PPP/AAA: Check Attr: Framed-Protocol
 *Jul 19 12:05:01.370: ppp98 PPP/AAA: Check Attr: service-type
 *Jul 19 12:05:01.370: ppp98 PPP/AAA: Check Attr: EAP-Message
 *Jul 19 12:05:01.370: ppp98 PPP/AAA: Check Attr: MS-MPPE-Send-Key
 *Jul 19 12:05:01.370: ppp98 PPP/AAA: Check Attr: MS-MPPE-Recv-Key
 *Jul 19 12:05:01.370: ppp98 PPP/AAA: Check Attr: Message-Authenticator
 *Jul 19 12:05:01.370: ppp98 PPP: Phase is FORWARDING, Attempting Forward
 *Jul 19 12:05:01.370: ppp98 PPP: Send Message[Connect Local]
 *Jul 19 12:05:01.374: Vi5 PPP: Phase is DOWN, Setup
 *Jul 19 12:05:01.378: Vi5 Tnl/Sn 75/75 PPTP: Virtual interface created for unknown, bandwidth 100000 Kbps
 *Jul 19 12:05:01.378: ppp98 PPP: Bind to [Virtual-Access5]
 *Jul 19 12:05:01.378: AAA/BIND(00000114): Bind i/f Virtual-Access5
 *Jul 19 12:05:01.378: Vi5 PPP: Send Message[Static Bind Response]
 *Jul 19 12:05:01.378: Vi5 Tnl/Sn 75/75 PPTP: VPDN session up
 *Jul 19 12:05:01.726: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
 *Jul 19 12:05:01.746: Vi5 PPP: Phase is AUTHENTICATING, Authenticated User
 *Jul 19 12:05:01.746: AAA/AUTHOR (0x114): Pick method list 'default'
 *Jul 19 12:05:01.746: AAA/AUTHOR (0x114): Pick method list 'default'
 *Jul 19 12:05:01.746: RADIUS/ENCODE(00000114): send packet; PASS
 *Jul 19 12:05:01.746: RADIUS/ENCODE(00000114): send packet; PASS
 *Jul 19 12:05:01.750: Vi5 PPP/AAA: Check Attr: timeout: Peruser
 *Jul 19 12:05:01.750: Vi5 PPP/AAA: Check Attr: EAP-Message
 *Jul 19 12:05:01.750: Vi5 PPP/AAA: Check Attr: Message-Authenticator
 *Jul 19 12:05:01.750: Vi5 AAA/AUTHOR/FSM: We can start LCP
 *Jul 19 12:05:01.750: Vi5 PPP/AAA: Check Attr: timeout: Peruser
 *Jul 19 12:05:01.750: Vi5 PPP/AAA: Check Attr: EAP-Message
 *Jul 19 12:05:01.750: Vi5 PPP/AAA: Check Attr: Message-Authenticator
 *Jul 19 12:05:01.750: Vi5 AAA/AUTHOR/FSM: We can start IPCP
 *Jul 19 12:05:01.750: Vi5 AAA/AUTHOR/LCP: Process Author
 *Jul 19 12:05:01.750: Vi5 AAA/AUTHOR/LCP: Process Attr: timeout
 *Jul 19 12:05:01.750: AAA/AUTHOR: Processing PerUser AV timeout
 *Jul 19 12:05:01.750: Vi5 AAA/PER-USER: session timeout 30 seconds
 *Jul 19 12:05:01.750: Vi5 AAA/AUTHOR/LCP: Process Attr: timeout
 *Jul 19 12:05:01.750: AAA/AUTHOR: Processing PerUser AV timeout
 *Jul 19 12:05:01.750: Vi5 AAA/PER-USER: session timeout 30 seconds
 *Jul 19 12:05:01.750: Vi5 EAP: O SUCCESS id 10 len 4
 *Jul 19 12:05:01.750: Vi5 PPP: Phase is UP
 *Jul 19 12:05:01.750: Vi5 AAA/AUTHOR/IPCP: Already authorized
 *Jul 19 12:05:01.750: Vi5 AAA/AUTHOR/FSM: We can start IPCP
 *Jul 19 12:05:01.750: Vi5 IPCP: O CONFREQ [Closed] id 1 len 10
 *Jul 19 12:05:01.750: Vi5 IPCP:    Address 192.168.244.1 (0x0306C0A8F401)
 *Jul 19 12:05:01.754: Vi5 MPPC: no encryption keys available, disabling optional MPPE
 *Jul 19 12:05:01.754: AAA/AUTHOR (0x114): Pick method list 'default'
 *Jul 19 12:05:01.754: Vi5 PPP: Process pending ncp packets
 *Jul 19 12:05:01.754: RADIUS/ENCODE(00000114):Orig. component type = VPDN
 *Jul 19 12:05:01.754: RADIUS(00000114): Config NAS IP: 0.0.0.0
 *Jul 19 12:05:01.754: RADIUS/ENCODE: Best Local IP-Address 192.168.3.15 for Radius-Server 192.168.3.1
 *Jul 19 12:05:01.754: RADIUS/ENCODE(00000114): send packet; PASS
 *Jul 19 12:05:01.754: Vi5 PPP/AAA: Check Attr: timeout: Peruser
 *Jul 19 12:05:01.754: Vi5 PPP/AAA: Check Attr: EAP-Message
 *Jul 19 12:05:01.754: Vi5 PPP/AAA: Check Attr: Message-Authenticator
 *Jul 19 12:05:01.754: Vi5 AAA/AUTHOR/FSM: We can start CCP
 *Jul 19 12:05:01.754: Vi5 CCP: O CONFREQ [Closed] id 1 len 4
 *Jul 19 12:05:01.758: RADIUS: Received from id 1646/172 192.168.3.1:1813, Accounting-response, len 20
 *Jul 19 12:05:02.494: Vi5 CCP: I CONFREQ [REQsent] id 6 len 10
 *Jul 19 12:05:02.494: Vi5 CCP:    MS-PPC supported bits 0x010000E1 (0x1206010000E1)
 *Jul 19 12:05:02.494: Vi5 MPPE: don't understand all options, NAK
 *Jul 19 12:05:02.494: Vi5 CCP: O CONFNAK [REQsent] id 6 len 10
 *Jul 19 12:05:01.750: Vi5 AAA/AUTHOR/FSM: We can start IPCP
 *Jul 19 12:05:02.494: Vi5 IPCP: I CONFREQ [REQsent] id 7 len 34
 *Jul 19 12:05:02.494: Vi5 IPCP:    Address 0.0.0.0 (0x030600000000)
 *Jul 19 12:05:02.494: Vi5 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
 *Jul 19 12:05:02.494: Vi5 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
 *Jul 19 12:05:02.494: Vi5 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
 *Jul 19 12:05:02.494: Vi5 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
 *Jul 19 12:05:02.494: Vi5 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, we want 0.0.0.0
 *Jul 19 12:05:02.494: Vi5 AAA/AUTHOR/IPCP: Authorization succeeded
 *Jul 19 12:05:02.494: Vi5 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, we want 0.0.0.0
 *Jul 19 12:05:02.494: Vi5 IPCP: Pool returned 192.168.244.6
 *Jul 19 12:05:02.494: Vi5 AAA/AUTHOR/IPCP: no author-info for primary dns
 *Jul 19 12:05:02.494: Vi5 AAA/AUTHOR/IPCP: no author-info for primary wins
 *Jul 19 12:05:02.494: Vi5 AAA/AUTHOR/IPCP: no author-info for seconday dns
 *Jul 19 12:05:02.494: Vi5 AAA/AUTHOR/IPCP: no author-info for seconday wins
 *Jul 19 12:05:02.498: Vi5 IPCP: O CONFREJ [REQsent] id 7 len 16
 *Jul 19 12:05:02.498: Vi5 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
 *Jul 19 12:05:02.498: Vi5 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
 *Jul 19 12:05:02.498: Vi5 IPCP: I CONFACK [REQsent] id 1 len 10
 *Jul 19 12:05:02.498: Vi5 IPCP:    Address 192.168.244.1 (0x0306C0A8F401)
 *Jul 19 12:05:02.626: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
 *Jul 19 12:05:02.630: Vi5 CCP: I CONFNAK [REQsent] id 1 len 10
 *Jul 19 12:05:02.630: Vi5 CCP:    MS-PPC supported bits 0x00000000 (0x120600000000)
 *Jul 19 12:05:02.630: Vi5 CCP: Ignoring unrequested options
 *Jul 19 12:05:02.630: Vi5 CCP: O CONFREQ [REQsent] id 2 len 4
 *Jul 19 12:05:02.630: Vi5 LCP: I TERMREQ [Open] id 8 len 16 (0x2943693F003CCD74000002E6)
 *Jul 19 12:05:02.630: Vi5 LCP: O TERMACK [Open] id 8 len 4
 *Jul 19 12:05:02.630: Vi5 PPP: Sending Acct Event[Down] id[114]
 *Jul 19 12:05:02.630: Vi5 PPP: Phase is TERMINATING
 *Jul 19 12:05:02.646: RADIUS/ENCODE(00000114):Orig. component type = VPDN
 *Jul 19 12:05:02.646: RADIUS(00000114): Config NAS IP: 0.0.0.0
 *Jul 19 12:05:02.774: RADIUS/ENCODE: Best Local IP-Address 192.168.3.15 for Radius-Server 192.168.3.1
 *Jul 19 12:05:02.790: RADIUS: Received from id 1646/173 192.168.3.1:1813, Accounting-response, len 20
 *Jul 19 12:05:02.794: Vi5 VPDN: Resetting interface
 *Jul 19 12:05:02.794: Vi5 PPP: Block vaccess from being freed [0x18]
 *Jul 19 12:05:02.798: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down
 *Jul 19 12:05:02.798: Vi5 LCP: State is Closed
 *Jul 19 12:05:02.798: Vi5 PPP: Phase is DOWN
 *Jul 19 12:05:02.798: Vi5 CCP: State is Closed
 *Jul 19 12:05:02.798: Vi5 IPCP: State is Closed
 *Jul 19 12:05:02.798: Vi5 PPP: Unlocked by [0x10] Still Locked by [0xA]
 *Jul 19 12:05:02.798: Vi5 PPP: Send Message[Disconnect]
 *Jul 19 12:05:02.798: Vi5 PPP: Unlocked by [0x8] Still Locked by [0x2]
 *Jul 19 12:05:02.798: Vi5 PPP: Unlocked by [0x2] Still Locked by [0x0]
 *Jul 19 12:05:02.798: Vi5 PPP: Free previously blocked vaccess
 ===Cut===
 
 Configs:
 
 ===Cut===
 ! Method lists: consult the local user database first, fall back to RADIUS
 aaa authentication login default local group radius
 aaa authentication ppp default local group radius
 aaa authorization network default local group radius
 aaa accounting network default start-stop group radius
 aaa accounting system default start-stop group radius
 !
 vpdn-group norma-vpdn-pptp
 ! Default PPTP VPDN group: incoming PPTP tunnels are cloned from Virtual-Template2
  accept-dialin
   protocol pptp
   virtual-template 2
 !
 interface Virtual-Template2
  description pptp interface template
  ip unnumbered Loopback1
  ip mtu 1380
  peer default ip address pool l2tp
  ! "auto" negotiates 40- or 128-bit MPPE from whatever keys are available;
  ! without the "required" keyword the router still accepts an unencrypted link
  ppp encrypt mppe auto
  ! offer EAP first, then MS-CHAP-v2, then MS-CHAP
  ppp authentication eap ms-chap-v2 ms-chap
 !
 ===Cut===
                                     I remain sincerely yours, Evgeny.
 --- GoldED+/BSD 1.1.5-b20061116
  * Origin:  If drook turned out to be vdrook (c)  (2:5054/37.63)
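The security-relevant detail in the debug above: with EAP-TLS the router is only an EAP pass-through and never sees any password material, so the MPPE session keys can come from exactly one place, the MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes (RFC 2548) in the RADIUS Access-Accept. The Access-Accept in the log does list both attributes, yet the MPPE layer then reports "no encryption keys available", the router's CCP CONFREQ goes out with no MPPE option at all (len 4), and the client, configured to require encryption, sends LCP TERMREQ instead of running in the clear (the Windows error 742 the post mentions). The script below is an added example, not part of the original post, that triages a capture of this kind: it decodes the MS-PPC option bits per RFC 3078, checks whether the Access-Accept carried the MPPE key attributes, and reports whether IOS disabled MPPE for lack of keys. POSTED_LOG is an excerpt of the log posted above; HEALTHY_LOG is a constructed contrast capture, and the verdict strings are this example's own names, not IOS output.

```python
"""Triage a Cisco IOS 'debug ppp negotiation' / 'debug ppp mppe' capture for
the 'no encryption keys available' failure seen in the post above.
Added example, not code from the original post."""
import re
from dataclasses import dataclass, field

# RFC 3078 section 2: flag bits carried in the MPPE/MPPC CCP configuration option.
MPPE_BITS = {
    0x01000000: "H stateless",
    0x00000080: "M 56-bit",
    0x00000040: "S 128-bit",
    0x00000020: "L 40-bit",
    0x00000010: "D obsolete",
    0x00000001: "C MPPC compression",
}

ATTR_RE = re.compile(r"PPP/AAA: Check Attr: (MS-MPPE-(?:Send|Recv)-Key)")
NOKEYS_RE = re.compile(r"MPPC: no encryption keys available")
CCP_RE = re.compile(r" CCP: ([IO]) (CONF\w+) ")          # I = from peer, O = from router
MSPPC_RE = re.compile(r"MS-PPC supported bits 0x([0-9A-Fa-f]{8})")
TERMREQ_RE = re.compile(r" LCP: I TERMREQ ")


def decode_mppe_bits(value):
    """Names of the RFC 3078 flags set in a 32-bit MS-PPC option value."""
    return [name for mask, name in MPPE_BITS.items() if value & mask]


@dataclass
class MppeTriage:
    radius_keys: set = field(default_factory=set)  # MS-MPPE-* attrs seen in the Access-Accept
    no_keys: bool = False                           # IOS disabled MPPE for lack of keys
    ccp: list = field(default_factory=list)         # (dir, pkt, decoded flags) per CCP packet
    peer_terminated: bool = False                   # peer tore the link down with LCP TERMREQ
    verdict: str = ""                               # example's own summary label


def triage(debug_text):
    """Walk the debug lines in order and summarise the MPPE negotiation."""
    t = MppeTriage()
    current = None  # (dir, pkt) of the CCP packet whose option lines follow
    for line in debug_text.splitlines():
        if m := ATTR_RE.search(line):
            t.radius_keys.add(m.group(1))
        if NOKEYS_RE.search(line):
            t.no_keys = True
        if m := CCP_RE.search(line):
            current = (m.group(1), m.group(2))
            if " len 4" in line:  # 4-byte CCP header only: no options, so no MPPE offered
                t.ccp.append((current[0], current[1], []))
                current = None
        if (m := MSPPC_RE.search(line)) and current:
            t.ccp.append((current[0], current[1], decode_mppe_bits(int(m.group(1), 16))))
            current = None
        if TERMREQ_RE.search(line):
            t.peer_terminated = True

    router_offered_mppe = any(d == "O" and p == "CONFREQ" and f for d, p, f in t.ccp)
    if t.no_keys and t.radius_keys:
        t.verdict = "keys-in-access-accept-but-mppe-disabled"
    elif t.no_keys:
        t.verdict = "no-mppe-keys-from-aaa"
    elif router_offered_mppe:
        t.verdict = "mppe-offered"
    else:
        t.verdict = "inconclusive"
    return t


# Excerpt of the log posted above (EAP-TLS case).
POSTED_LOG = """\
*Jul 19 12:05:01.370: ppp98 PPP/AAA: Check Attr: MS-MPPE-Send-Key
*Jul 19 12:05:01.370: ppp98 PPP/AAA: Check Attr: MS-MPPE-Recv-Key
*Jul 19 12:05:01.754: Vi5 MPPC: no encryption keys available, disabling optional MPPE
*Jul 19 12:05:01.754: Vi5 CCP: O CONFREQ [Closed] id 1 len 4
*Jul 19 12:05:02.494: Vi5 CCP: I CONFREQ [REQsent] id 6 len 10
*Jul 19 12:05:02.494: Vi5 CCP:    MS-PPC supported bits 0x010000E1 (0x1206010000E1)
*Jul 19 12:05:02.494: Vi5 CCP: O CONFNAK [REQsent] id 6 len 10
*Jul 19 12:05:02.630: Vi5 CCP: I CONFNAK [REQsent] id 1 len 10
*Jul 19 12:05:02.630: Vi5 CCP:    MS-PPC supported bits 0x00000000 (0x120600000000)
*Jul 19 12:05:02.630: Vi5 LCP: I TERMREQ [Open] id 8 len 16
"""

# Constructed contrast capture (not from the post): the router offers stateless
# 128-bit MPPE in its own CONFREQ and the peer acknowledges it.
HEALTHY_LOG = """\
*Jul 19 12:00:00.000: Vi1 CCP: O CONFREQ [Closed] id 1 len 10
*Jul 19 12:00:00.000: Vi1 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
*Jul 19 12:00:00.100: Vi1 CCP: I CONFACK [REQsent] id 1 len 10
*Jul 19 12:00:00.100: Vi1 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
"""

if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("healthy", HEALTHY_LOG)):
        t = triage(log)
        print(f"{name}: verdict={t.verdict} keys={sorted(t.radius_keys)} "
              f"no_keys={t.no_keys} peer_terminated={t.peer_terminated}")
        for direction, pkt, flags in t.ccp:
            print(f"  {direction} {pkt}: {flags or 'no MPPE option'}")
```

On the posted excerpt the client's CONFREQ decodes to H+M+S+L+C (stateless, any of 40/56/128-bit, plus MPPC), the router answers with a CONFREQ carrying no MPPE option, and the peer's CONFNAK with all bits zero is followed by TERMREQ; the verdict separates "RADIUS never sent keys" from "keys were listed in the Access-Accept but never reached the MPPE layer", which is the case worth chasing in the AAA authorization path.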
 
 

 Thread:    Author:    Date:
 vpdn/pptp   Eugene M. Zheganin   19 Jul 2007 18:05:24 
 Re: vpdn/pptp   Alexander V. Klepikov   23 Jul 2007 12:04:08 
 Re: vpdn/pptp   Andrew Anikin   23 Jul 2007 17:00:27 
 vpdn/pptp   Eugene M. Zheganin   24 Jul 2007 10:49:18 
 Re: vpdn/pptp   Andrew Anikin   25 Jul 2007 11:34:30 
 vpdn/pptp   Eugene M. Zheganin   26 Jul 2007 11:51:14 
Archived: /ru.cisco/3374469f540f.html