[cisco-nas] Cisco VPN Client: Radius Authorization
Nemec Ladislav
Ladislav.Nemec at anect.com
Wed Feb 7 11:20:20 EST 2007
Hi,
I want to authorize the VPN Client to make a connection to the PIX515 only from one specific outside public IP address. (In my LAB test this means the AV pair ip:source-ip=192.168.2.10.)
The client tries to connect, the Xauth window appears on the Windows machine, the client enters the right username and password, but the connection is not successful. The reason on the ACS (Windows, 4.0) in the failed attempts log is "CS password invalid".
After removing the requirement for authorization from "tunnel-group VPN-SUPPLIERS general-attributes", the connection is successful. Interestingly, there is one passed authentication and one failed one in the ACS logs for this one connection. You can also see in the full debug that the user (vpn1) is authenticated twice during the connection, once successfully and once not.
Also, in the debug there is no authorization request, only an authentication request, and it fails on that authentication request.
More details:
1. Tunnel group configuration for required authorization (authorization-required command):
tunnel-group VPN-SUPPLIERS general-attributes
authentication-server-group (outside) VPN LOCAL
authorization-server-group (outside) VPN
accounting-server-group VPN
default-group-policy VPN-SUPPLIERS-POLICY
nac-authentication-server-group VPN
password-management password-expire-in-days 1
authorization-required
**************************************************************************************************************************************************************************************************
In the debug part of failed result:
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 204).....
01 23 00 cc d4 7d 72 c3 40 79 be 1f 6c 35 ca 3b | .#...}r. at y..l5.;
58 b1 96 17 01 06 76 70 6e 31 02 12 ab 05 81 cd | X.....vpn1......
ef 60 72 1e cc d6 13 a7 67 8a 09 c2 05 06 00 00 | .`r.....g.......
00 06 06 06 00 00 00 02 07 06 00 00 00 01 1e 11 | ................
31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 1f | 195.146.135.133.
0e 31 39 32 2e 31 36 38 2e 32 2e 31 30 42 0e 31 | .192.168.2.10B.1
39 32 2e 31 36 38 2e 32 2e 31 30 1a 3a 00 00 01 | 92.168.2.10.:...
37 19 34 00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0 | 7.4...MU1vzb .S.
c1 75 38 34 43 00 00 00 00 00 00 00 00 9c 7a 3a | .u84C.........z:
cf 7f e2 57 8a e9 a1 db a8 9d f1 9f a0 62 70 71 | ..W.........bpq
73 00 48 88 05 04 06 0a 24 c8 05 1a 21 00 00 00 | s.H.....$...!...
09 01 1b 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d | ...ip:source-ip=
31 39 32 2e 31 36 38 2e 32 2e 31 30 | 192.168.2.10
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 35 (0x23)
Radius: Length = 204 (0x00CC)
Radius: Vector: D47D72C34079BE1F6C35CA3B58B19617
Radius: Type = 1 (0x01) User-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
76 70 6e 31 | vpn1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
ab 05 81 cd ef 60 72 1e cc d6 13 a7 67 8a 09 c2 | .....`r.....g...
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 7 (0x07) Framed-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 17 (0x11)
Radius: Value (String) =
31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 | 195.146.135.133
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 14 (0x0E)
Radius: Value (String) =
31 39 32 2e 31 36 38 2e 32 2e 31 30 | 192.168.2.10
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 14 (0x0E)
Radius: Value (String) =
31 39 32 2e 31 36 38 2e 32 2e 31 30 | 192.168.2.10
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)
Radius: Value (String) =
00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0 c1 75 38 | ...MU1vzb .S..u8
34 43 00 00 00 00 00 00 00 00 9c 7a 3a cf 7f e2 | 4C.........z:..
57 8a e9 a1 db a8 9d f1 9f a0 62 70 71 73 00 48 | W.........bpqs.H
88 05 | ..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.36.200.5 (0x0A24C805)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 33 (0x21)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32 | ip:source-ip=192
2e 31 36 38 2e 32 2e 31 30 | .168.2.10
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 32).....
03 23 00 20 c7 2f d9 f1 0a 78 e9 4f f6 d8 8e bd | .#. ./...x.O....
8b a9 ee e8 12 0c 52 65 6a 65 63 74 65 64 0a 0d | ......Rejected..
Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 35 (0x23)
Radius: Length = 32 (0x0020)
Radius: Vector: C72FD9F10A78E94FF6D88EBD8BA9EEE8
Radius: Type = 18 (0x12) Reply-Message
Radius: Length = 12 (0x0C)
Radius: Value (String) =
52 65 6a 65 63 74 65 64 0a 0d | Rejected..
Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, Username = vpn1, IP = 192.168.2.10, constructing blank hash payload
Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, Username = vpn1, IP = 192.168.2.10, constructing qm hash payload
Feb 07 16:08:52 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=99a4af9d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 112
*****************************************************************************************************************************************************************************************
And here is the full debug from the beginning:
PIX515(config-tunnel-general)# sh debug
debug aaa authentication enabled at level 1
debug aaa authorization enabled at level 1
debug crypto isakmp enabled at level 10
debug crypto vpnclient enabled at level 1
debug radius decode
PIX515(config-tunnel-general)# Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 857
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing SA payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ke payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ISA_KE payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing nonce payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received xauth V6 VID
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received DPD VID
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Fragmentation VID
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received NAT-Traversal ver 02 VID
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Cisco Unity client VID
Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, Connection landed on tunnel_group VPN-SUPPLIERS
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing IKE SA payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, IKE SA Proposal # 1, Transform # 13 acceptable Matches global IKE entry # 1
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing ISAKMP SA payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing ke payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing nonce payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Generating keys for Responder...
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing ID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing hash payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Computing hash for ISAKMP
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing Cisco Unity VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing xauth V6 VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing dpd vid payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing NAT-Traversal VID ver 02 payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing NAT-Discovery payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, computing NAT Discovery hash
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing NAT-Discovery payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, computing NAT Discovery hash
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing Fragmentation VID + extended capabilities payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Send IOS VID
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 448
Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing hash payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Computing hash for ISAKMP
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing notify payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing NAT-Discovery payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, computing NAT Discovery hash
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing NAT-Discovery payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, computing NAT Discovery hash
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing VID payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Received Cisco Unity client VID
Feb 07 16:08:49 [IKEv1]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing blank hash payload
Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing qm hash payload
Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=26c51cd1) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 112
Feb 07 16:08:52 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=26c51cd1) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82
Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, process_attr(): Enter!
Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Processing MODE_CFG Reply attributes.
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 210).....
01 21 00 d2 a4 0d c2 d3 10 09 0e 2f 3c c5 1a 4b | .!........./<..K
28 41 e6 27 01 06 76 70 6e 31 05 06 00 00 00 06 | (A.'..vpn1......
06 06 00 00 00 02 07 06 00 00 00 01 1e 11 31 39 | ..............19
35 2e 31 34 36 2e 31 33 35 2e 31 33 33 1f 0e 31 | 5.146.135.133..1
39 32 2e 31 36 38 2e 32 2e 31 30 42 0e 31 39 32 | 92.168.2.10B.192
2e 31 36 38 2e 32 2e 31 30 1a 18 00 00 01 37 0b | .168.2.10.....7.
12 6a a2 34 c4 62 0d 50 3f a6 ed 09 6d 82 0d e7 | .j.4.b.P?...m...
e7 1a 3a 00 00 01 37 19 34 00 00 ae 4d 55 31 76 | ..:...7.4...MU1v
7a 62 20 9b 53 a0 c1 75 38 34 43 00 00 00 00 00 | zb .S..u84C.....
00 00 00 9c 7a 3a cf 7f e2 57 8a e9 a1 db a8 9d | ....z:..W......
f1 9f a0 62 70 71 73 00 48 88 05 04 06 0a 24 c8 | ...bpqs.H.....$.
05 1a 21 00 00 00 09 01 1b 69 70 3a 73 6f 75 72 | ..!......ip:sour
63 65 2d 69 70 3d 31 39 32 2e 31 36 38 2e 32 2e | ce-ip=192.168.2.
31 30 | 10
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 33 (0x21)
Radius: Length = 210 (0x00D2)
Radius: Vector: A40DC2D310090E2F3CC51A4B2841E627
Radius: Type = 1 (0x01) User-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
76 70 6e 31 | vpn1
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 7 (0x07) Framed-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 17 (0x11)
Radius: Value (String) =
31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 | 195.146.135.133
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 14 (0x0E)
Radius: Value (String) =
31 39 32 2e 31 36 38 2e 32 2e 31 30 | 192.168.2.10
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 14 (0x0E)
Radius: Value (String) =
31 39 32 2e 31 36 38 2e 32 2e 31 30 | 192.168.2.10
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 24 (0x18)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 11 (0x0B) MS-CHAP-Challenge
Radius: Length = 18 (0x12)
Radius: Value (String) =
6a a2 34 c4 62 0d 50 3f a6 ed 09 6d 82 0d e7 e7 | j.4.b.P?...m....
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)
Radius: Value (String) =
00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0 c1 75 38 | ...MU1vzb .S..u8
34 43 00 00 00 00 00 00 00 00 9c 7a 3a cf 7f e2 | 4C.........z:..
57 8a e9 a1 db a8 9d f1 9f a0 62 70 71 73 00 48 | W.........bpqs.H
88 05 | ..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.36.200.5 (0x0A24C805)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 33 (0x21)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32 | ip:source-ip=192
2e 31 36 38 2e 32 2e 31 30 | .168.2.10
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 231).....
02 21 00 e7 28 ec 3e ce e6 9e 28 0e f1 3e 8a 54 | .!..(.>...(..>.T
cf 5c 57 b3 1a 21 00 00 00 09 01 1b 69 70 3a 73 | .\W..!......ip:s
6f 75 72 63 65 2d 69 70 3d 31 39 32 2e 31 36 38 | ource-ip=192.168
2e 32 2e 31 30 1a 41 00 00 00 09 01 3b 41 43 53 | .2.10.A.....;ACS
3a 43 69 73 63 6f 53 65 63 75 72 65 2d 44 65 66 | :CiscoSecure-Def
69 6e 65 64 2d 41 43 4c 3d 23 41 43 53 41 43 4c | ined-ACL=#ACSACL
23 2d 49 50 2d 56 50 4e 31 5f 4f 55 54 2d 34 35 | #-IP-VPN1_OUT-45
63 39 61 33 39 66 1a 33 00 00 01 37 1a 2d 00 53 | c9a39f.3...7.-.S
3d 45 31 39 38 36 41 37 31 45 38 37 41 38 41 36 | =E1986A71E87A8A6
42 44 32 45 30 39 33 33 45 45 30 34 41 38 43 32 | BD2E0933EE04A8C2
30 44 38 34 37 33 36 41 38 08 06 0a 24 74 0a 1a | 0D84736A8...$t..
0c 00 00 0c 04 10 06 00 00 00 01 1a 15 00 00 0c | ................
04 55 0f 56 50 4e 2d 53 55 50 50 4c 49 45 52 53 | .U.VPN-SUPPLIERS
19 17 43 41 43 53 3a 30 2f 32 66 38 65 2f 61 32 | ..CACS:0/2f8e/a2
34 63 38 30 35 2f 36 | 4c805/6
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 33 (0x21)
Radius: Length = 231 (0x00E7)
Radius: Vector: 28EC3ECEE69E280EF13E8A54CF5C57B3
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 33 (0x21)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32 | ip:source-ip=192
2e 31 36 38 2e 32 2e 31 30 | .168.2.10
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 65 (0x41)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 59 (0x3B)
Radius: Value (String) =
41 43 53 3a 43 69 73 63 6f 53 65 63 75 72 65 2d | ACS:CiscoSecure-
44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53 | Defined-ACL=#ACS
41 43 4c 23 2d 49 50 2d 56 50 4e 31 5f 4f 55 54 | ACL#-IP-VPN1_OUT
2d 34 35 63 39 61 33 39 66 | -45c9a39f
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 51 (0x33)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 26 (0x1A) MS-CHAP2-Success
Radius: Length = 45 (0x2D)
Radius: Value (String) =
00 53 3d 45 31 39 38 36 41 37 31 45 38 37 41 38 | .S=E1986A71E87A8
41 36 42 44 32 45 30 39 33 33 45 45 30 34 41 38 | A6BD2E0933EE04A8
43 32 30 44 38 34 37 33 36 41 38 | C20D84736A8
Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.36.116.10 (0x0A24740A)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 16 (0x10) Store-PW
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 1 (0x0001)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 85 (0x55) The tunnel group that tunnel must be associated with
Radius: Length = 15 (0x0F)
Radius: Value (String) =
56 50 4e 2d 53 55 50 50 4c 49 45 52 53 | VPN-SUPPLIERS
Radius: Type = 25 (0x19) Class
Radius: Length = 23 (0x17)
Radius: Value (String) =
43 41 43 53 3a 30 2f 32 66 38 65 2f 61 32 34 63 | CACS:0/2f8e/a24c
38 30 35 2f 36 | 805/6
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 134).....
01 22 00 86 a4 0d c2 d3 10 09 0e 2f 3c c5 1a 4b | ."........./<..K
28 41 e6 27 01 1f 23 41 43 53 41 43 4c 23 2d 49 | (A.'..#ACSACL#-I
50 2d 56 50 4e 31 5f 4f 55 54 2d 34 35 63 39 61 | P-VPN1_OUT-45c9a
33 39 66 04 06 0a 24 c8 05 05 06 00 00 00 00 1a | 39f...$.........
17 00 00 00 09 01 11 61 61 61 3a 73 65 72 76 69 | .......aaa:servi
63 65 3d 76 70 6e 1a 1e 00 00 00 09 01 18 61 61 | ce=vpn........aa
61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 6f 77 6e | a:event=acl-down
6c 6f 61 64 50 12 f1 24 57 97 2b 50 79 27 5d 5b | loadP..$W.+Py'][
33 52 bd 17 8d 22 | 3R..."
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 34 (0x22)
Radius: Length = 134 (0x0086)
Radius: Vector: A40DC2D310090E2F3CC51A4B2841E627
Radius: Type = 1 (0x01) User-Name
Radius: Length = 31 (0x1F)
Radius: Value (String) =
23 41 43 53 41 43 4c 23 2d 49 50 2d 56 50 4e 31 | #ACSACL#-IP-VPN1
5f 4f 55 54 2d 34 35 63 39 61 33 39 66 | _OUT-45c9a39f
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.36.200.5 (0x0A24C805)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x0
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 23 (0x17)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 17 (0x11)
Radius: Value (String) =
61 61 61 3a 73 65 72 76 69 63 65 3d 76 70 6e | aaa:service=vpn
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 30 (0x1E)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 24 (0x18)
Radius: Value (String) =
61 61 61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 6f | aaa:event=acl-do
77 6e 6c 6f 61 64 | wnload
Radius: Type = 80 (0x50) Message-Authenticator
Radius: Length = 18 (0x12)
Radius: Value (String) =
f1 24 57 97 2b 50 79 27 5d 5b 33 52 bd 17 8d 22 | .$W.+Py'][3R..."
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 104).....
02 22 00 68 d1 fb 56 52 35 a9 a3 89 cc 1a 0c 1d | .".h..VR5.......
63 db d1 ad 1a 24 00 00 00 09 01 1e 69 70 3a 69 | c....$......ip:i
6e 61 63 6c 23 31 3d 70 65 72 6d 69 74 20 69 70 | nacl#1=permit ip
20 61 6e 79 20 61 6e 79 19 1e 43 41 43 53 3a 66 | any any..CACS:f
66 66 66 66 66 66 66 2f 32 66 38 66 2f 61 32 34 | fffffff/2f8f/a24
63 38 30 35 2f 30 50 12 a1 d1 39 d8 11 c5 f2 47 | c805/0P...9....G
c6 87 66 f2 48 b3 32 4d | ..f.H.2M
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 34 (0x22)
Radius: Length = 104 (0x0068)
Radius: Vector: D1FB565235A9A389CC1A0C1D63DBD1AD
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 36 (0x24)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 30 (0x1E)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 31 3d 70 65 72 6d 69 | ip:inacl#1=permi
74 20 69 70 20 61 6e 79 20 61 6e 79 | t ip any any
Radius: Type = 25 (0x19) Class
Radius: Length = 30 (0x1E)
Radius: Value (String) =
43 41 43 53 3a 66 66 66 66 66 66 66 66 2f 32 66 | CACS:ffffffff/2f
38 66 2f 61 32 34 63 38 30 35 2f 30 | 8f/a24c805/0
Radius: Type = 80 (0x50) Message-Authenticator
Radius: Length = 18 (0x12)
Radius: Value (String) =
a1 d1 39 d8 11 c5 f2 47 c6 87 66 f2 48 b3 32 4d | ..9....G..f.H.2M
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 204).....
01 23 00 cc d4 7d 72 c3 40 79 be 1f 6c 35 ca 3b | .#...}r. at y..l5.;
58 b1 96 17 01 06 76 70 6e 31 02 12 ab 05 81 cd | X.....vpn1......
ef 60 72 1e cc d6 13 a7 67 8a 09 c2 05 06 00 00 | .`r.....g.......
00 06 06 06 00 00 00 02 07 06 00 00 00 01 1e 11 | ................
31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 1f | 195.146.135.133.
0e 31 39 32 2e 31 36 38 2e 32 2e 31 30 42 0e 31 | .192.168.2.10B.1
39 32 2e 31 36 38 2e 32 2e 31 30 1a 3a 00 00 01 | 92.168.2.10.:...
37 19 34 00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0 | 7.4...MU1vzb .S.
c1 75 38 34 43 00 00 00 00 00 00 00 00 9c 7a 3a | .u84C.........z:
cf 7f e2 57 8a e9 a1 db a8 9d f1 9f a0 62 70 71 | ..W.........bpq
73 00 48 88 05 04 06 0a 24 c8 05 1a 21 00 00 00 | s.H.....$...!...
09 01 1b 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d | ...ip:source-ip=
31 39 32 2e 31 36 38 2e 32 2e 31 30 | 192.168.2.10
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 35 (0x23)
Radius: Length = 204 (0x00CC)
Radius: Vector: D47D72C34079BE1F6C35CA3B58B19617
Radius: Type = 1 (0x01) User-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
76 70 6e 31 | vpn1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
ab 05 81 cd ef 60 72 1e cc d6 13 a7 67 8a 09 c2 | .....`r.....g...
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 7 (0x07) Framed-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 17 (0x11)
Radius: Value (String) =
31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 | 195.146.135.133
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 14 (0x0E)
Radius: Value (String) =
31 39 32 2e 31 36 38 2e 32 2e 31 30 | 192.168.2.10
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 14 (0x0E)
Radius: Value (String) =
31 39 32 2e 31 36 38 2e 32 2e 31 30 | 192.168.2.10
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)
Radius: Value (String) =
00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0 c1 75 38 | ...MU1vzb .S..u8
34 43 00 00 00 00 00 00 00 00 9c 7a 3a cf 7f e2 | 4C.........z:..
57 8a e9 a1 db a8 9d f1 9f a0 62 70 71 73 00 48 | W.........bpqs.H
88 05 | ..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.36.200.5 (0x0A24C805)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 33 (0x21)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32 | ip:source-ip=192
2e 31 36 38 2e 32 2e 31 30 | .168.2.10
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 32).....
03 23 00 20 c7 2f d9 f1 0a 78 e9 4f f6 d8 8e bd | .#. ./...x.O....
8b a9 ee e8 12 0c 52 65 6a 65 63 74 65 64 0a 0d | ......Rejected..
Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 35 (0x23)
Radius: Length = 32 (0x0020)
Radius: Vector: C72FD9F10A78E94FF6D88EBD8BA9EEE8
Radius: Type = 18 (0x12) Reply-Message
Radius: Length = 12 (0x0C)
Radius: Value (String) =
52 65 6a 65 63 74 65 64 0a 0d | Rejected..
Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, Username = vpn1, IP = 192.168.2.10, constructing blank hash payload
Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, Username = vpn1, IP = 192.168.2.10, constructing qm hash payload
Feb 07 16:08:52 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=99a4af9d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 112
*****************************************************************************************************************************************************************************************
Thanks for the help.
Laco Nemec
Ladislav Nemec
Network Consulting Engineer
CCIE(tm) No. 8821
------------------------------------
ANECT a.s.          direct: + 421 2 4821 3107
Teslova 30          fax: + 421 2 4821 3199
821 02 Bratislava   mobile: +421 904 707 107
Slovakia            e-mail: Ladislav.Nemec at anect.com
http://www.anect.com
------------------------------------
Company ID (IČO): 35 787 546
SK: 2020256579
Commercial Register, District Court Bratislava 1
Section: Sa, Insert No.: 2431/B
----------------------
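An added example, not code from the original post or from Cisco: a small Python decoder for the raw RADIUS dumps quoted in the debug. It is fed the rejected Access-Request (identifier 35) and the Access-Reject copied byte for byte from the "Raw packet data" lines, unwraps the Vendor-Specific attributes, and reports which credential attributes a request carries, so the difference between the accepted request (MS-CHAP-Challenge plus MS-CHAP2-Response) and the rejected one (a User-Password alongside an MS-CHAP2-Response, with no Challenge) is visible at a glance. Attribute names follow RFC 2865 and the Cisco (vendor 9) and Microsoft (vendor 311) dictionaries; the Response Authenticator is not verified, since that needs the shared secret, which the post does not contain.

```python
import struct

# Names for the attributes seen in the decodes above: RFC 2865 standard
# attributes plus Cisco (vendor 9) and Microsoft (vendor 311) sub-attributes.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 7: "Framed-Protocol", 18: "Reply-Message",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 66: "Tunnel-Client-Endpoint"}
VSA_NAMES = {(9, 1): "Cisco-AV-pair", (311, 11): "MS-CHAP-Challenge",
             (311, 25): "MS-CHAP2-Response", (311, 26): "MS-CHAP2-Success"}

# The rejected Access-Request (identifier 35) and the Access-Reject it drew,
# copied byte for byte from the "Raw packet data" dumps in the debug above.
REJECTED_REQUEST = bytes.fromhex("""
01 23 00 cc d4 7d 72 c3 40 79 be 1f 6c 35 ca 3b 58 b1 96 17 01 06 76 70 6e 31 02 12 ab 05 81 cd
ef 60 72 1e cc d6 13 a7 67 8a 09 c2 05 06 00 00 00 06 06 06 00 00 00 02 07 06 00 00 00 01 1e 11
31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 1f 0e 31 39 32 2e 31 36 38 2e 32 2e 31 30 42 0e 31
39 32 2e 31 36 38 2e 32 2e 31 30 1a 3a 00 00 01 37 19 34 00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0
c1 75 38 34 43 00 00 00 00 00 00 00 00 9c 7a 3a cf 7f e2 57 8a e9 a1 db a8 9d f1 9f a0 62 70 71
73 00 48 88 05 04 06 0a 24 c8 05 1a 21 00 00 00 09 01 1b 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d
31 39 32 2e 31 36 38 2e 32 2e 31 30""")
ACCESS_REJECT = bytes.fromhex(
    "03 23 00 20 c7 2f d9 f1 0a 78 e9 4f f6 d8 8e bd 8b a9 ee e8 12 0c 52 65 6a 65 63 74 65 64 0a 0d")


def parse_radius(data):
    """Decode one RADIUS packet into header fields and a list of (name, raw value).
    Vendor-Specific (26) attributes are unwrapped; bad length fields raise ValueError."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field %d != %d bytes on the wire" % (length, len(data)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6 and value[5] == len(value) - 4:
            vendor, vtype = struct.unpack("!I", value[:4])[0], value[4]
            attrs.append((VSA_NAMES.get((vendor, vtype), "VSA-%d/%d" % (vendor, vtype)), value[6:]))
        else:
            attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype), value))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident,
            "authenticator": data[4:20].hex(), "attrs": attrs}


def values(pkt, name):
    """All values of one attribute: dotted quad for addresses, text if printable, else hex."""
    out = []
    for n, v in pkt["attrs"]:
        if n != name:
            continue
        if name.endswith("IP-Address") and len(v) == 4:
            out.append(".".join(str(b) for b in v))
        elif all(0x20 <= b < 0x7f or b in b"\r\n" for b in v):
            out.append(v.decode("ascii"))
        else:
            out.append(v.hex())
    return out


def credential_kind(pkt):
    """Which credential attributes an Access-Request carries: PAP, MS-CHAPv2, or both."""
    names = {n for n, _ in pkt["attrs"]}
    kinds = []
    if "User-Password" in names:
        kinds.append("PAP")
    if "MS-CHAP2-Response" in names:
        kinds.append("MS-CHAPv2" if "MS-CHAP-Challenge" in names else "MS-CHAPv2 without Challenge")
    return "+".join(kinds) or "none"
```

Running `credential_kind(parse_radius(REJECTED_REQUEST))` on the dump above reports PAP and an MS-CHAPv2 response without a Challenge, while the accepted request earlier in the debug would report plain MS-CHAPv2.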