[cisco-nas] Cisco VPN Client: Radius Authorization

Nemec Ladislav Ladislav.Nemec at anect.com
Wed Feb 7 11:20:20 EST 2007


Hi,

I want to authorize the VPN Client to connect to the PIX515 only from one specific outside public IP address. (In my lab test this means the AV pair ip:source-ip=192.168.2.10.)

 

The client tries to connect, the Xauth window appears on the Windows machine, the client enters the right username and password, but the connection is not successful. The reason shown in the failed attempts log on the ACS (Windows, version 4.0) is "CS password invalid".

After removing the authorization requirement from "tunnel-group VPN-SUPPLIERS general-attributes", the connection is successful. Interestingly, there is one passed authentication and one failed one in the ACS logs for this single connection. You can also see in the full debug that the user (vpn1) is authenticated twice during the connection, once successfully and once not.

Also, in the debug there is no authorization request, only an authentication request, and it fails on that authentication request.

 

More details:

1.	Tunnel group configuration with authorization required (the authorization-required command):

 

tunnel-group VPN-SUPPLIERS general-attributes

 authentication-server-group (outside) VPN LOCAL

 authorization-server-group (outside) VPN

 accounting-server-group VPN

 default-group-policy VPN-SUPPLIERS-POLICY

 nac-authentication-server-group VPN

 password-management password-expire-in-days 1

 authorization-required

 

**************************************************************************************************************************************************************************************************

The debug section of the failed result:

 

RADIUS packet decode (authentication request)

 

--------------------------------------

Raw packet data (length = 204).....

01 23 00 cc d4 7d 72 c3 40 79 be 1f 6c 35 ca 3b    |  .#...}r.@y..l5.;

58 b1 96 17 01 06 76 70 6e 31 02 12 ab 05 81 cd    |  X.....vpn1......

ef 60 72 1e cc d6 13 a7 67 8a 09 c2 05 06 00 00    |  .`r.....g.......

00 06 06 06 00 00 00 02 07 06 00 00 00 01 1e 11    |  ................

31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 1f    |  195.146.135.133.

0e 31 39 32 2e 31 36 38 2e 32 2e 31 30 42 0e 31    |  .192.168.2.10B.1

39 32 2e 31 36 38 2e 32 2e 31 30 1a 3a 00 00 01    |  92.168.2.10.:...

37 19 34 00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0    |  7.4...MU1vzb .S.

c1 75 38 34 43 00 00 00 00 00 00 00 00 9c 7a 3a    |  .u84C.........z:

cf 7f e2 57 8a e9 a1 db a8 9d f1 9f a0 62 70 71    |  ..W.........bpq

73 00 48 88 05 04 06 0a 24 c8 05 1a 21 00 00 00    |  s.H.....$...!...

09 01 1b 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d    |  ...ip:source-ip=

31 39 32 2e 31 36 38 2e 32 2e 31 30                |  192.168.2.10

 

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 35 (0x23)

Radius: Length = 204 (0x00CC)

Radius: Vector: D47D72C34079BE1F6C35CA3B58B19617

Radius: Type = 1 (0x01) User-Name

Radius: Length = 6 (0x06)

Radius: Value (String) = 

76 70 6e 31                                        |  vpn1

Radius: Type = 2 (0x02) User-Password

Radius: Length = 18 (0x12)

Radius: Value (String) = 

ab 05 81 cd ef 60 72 1e cc d6 13 a7 67 8a 09 c2    |  .....`r.....g...

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x6

Radius: Type = 6 (0x06) Service-Type

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x2

Radius: Type = 7 (0x07) Framed-Protocol

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x1

Radius: Type = 30 (0x1E) Called-Station-Id

Radius: Length = 17 (0x11)

Radius: Value (String) = 

31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33       |  195.146.135.133

Radius: Type = 31 (0x1F) Calling-Station-Id

Radius: Length = 14 (0x0E)

Radius: Value (String) = 

31 39 32 2e 31 36 38 2e 32 2e 31 30                |  192.168.2.10

Radius: Type = 66 (0x42) Tunnel-Client-Endpoint

Radius: Length = 14 (0x0E)

Radius: Value (String) = 

31 39 32 2e 31 36 38 2e 32 2e 31 30                |  192.168.2.10

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 58 (0x3A)

Radius: Vendor ID = 311 (0x00000137)

Radius: Type = 25 (0x19) MS-CHAP2-Response

Radius: Length = 52 (0x34)

Radius: Value (String) = 

00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0 c1 75 38    |  ...MU1vzb .S..u8

34 43 00 00 00 00 00 00 00 00 9c 7a 3a cf 7f e2    |  4C.........z:..

57 8a e9 a1 db a8 9d f1 9f a0 62 70 71 73 00 48    |  W.........bpqs.H

88 05                                              |  ..

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.36.200.5 (0x0A24C805)

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 33 (0x21)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 27 (0x1B)

Radius: Value (String) = 

69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192

2e 31 36 38 2e 32 2e 31 30                         |  .168.2.10

 

RADIUS packet decode (response)

 

--------------------------------------

Raw packet data (length = 32).....

03 23 00 20 c7 2f d9 f1 0a 78 e9 4f f6 d8 8e bd    |  .#. ./...x.O....

8b a9 ee e8 12 0c 52 65 6a 65 63 74 65 64 0a 0d    |  ......Rejected..

 

Parsed packet data.....

Radius: Code = 3 (0x03)

Radius: Identifier = 35 (0x23)

Radius: Length = 32 (0x0020)

Radius: Vector: C72FD9F10A78E94FF6D88EBD8BA9EEE8

Radius: Type = 18 (0x12) Reply-Message

Radius: Length = 12 (0x0C)

Radius: Value (String) = 

52 65 6a 65 63 74 65 64 0a 0d                      |  Rejected..

Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, Username = vpn1, IP = 192.168.2.10, constructing blank hash payload

Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, Username = vpn1, IP = 192.168.2.10, constructing qm hash payload

Feb 07 16:08:52 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=99a4af9d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 112

 

 

 

*****************************************************************************************************************************************************************************************

And here is the full debug from the beginning:

 

PIX515(config-tunnel-general)# sh debug 

debug aaa authentication enabled at level 1

debug aaa authorization enabled at level 1

debug crypto isakmp enabled at level 10

debug crypto vpnclient enabled at level 1

debug radius decode

 

PIX515(config-tunnel-general)# Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 857

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing SA payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ke payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ISA_KE payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing nonce payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing ID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received xauth V6 VID

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received DPD VID

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Fragmentation VID

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received NAT-Traversal ver 02 VID

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, processing VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: IP = 192.168.2.10, Received Cisco Unity client VID

Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, Connection landed on tunnel_group VPN-SUPPLIERS

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing IKE SA payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, IKE SA Proposal # 1, Transform # 13 acceptable  Matches global IKE entry # 1

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing ISAKMP SA payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing ke payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing nonce payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Generating keys for Responder...

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing ID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing hash payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Computing hash for ISAKMP

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing Cisco Unity VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing xauth V6 VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing dpd vid payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing NAT-Traversal VID ver 02 payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing NAT-Discovery payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, computing NAT Discovery hash

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing NAT-Discovery payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, computing NAT Discovery hash

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing Fragmentation VID + extended capabilities payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Send IOS VID

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 00000408)

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 448

Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing hash payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Computing hash for ISAKMP

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing notify payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing NAT-Discovery payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, computing NAT Discovery hash

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing NAT-Discovery payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, computing NAT Discovery hash

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, processing VID payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Received Cisco Unity client VID

Feb 07 16:08:49 [IKEv1]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing blank hash payload

Feb 07 16:08:49 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, constructing qm hash payload

Feb 07 16:08:49 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=26c51cd1) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 112

Feb 07 16:08:52 [IKEv1]: IP = 192.168.2.10, IKE_DECODE RECEIVED Message (msgid=26c51cd1) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82

Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, process_attr(): Enter!

Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, IP = 192.168.2.10, Processing MODE_CFG Reply attributes.

 

RADIUS packet decode (authentication request)

 

--------------------------------------

Raw packet data (length = 210).....

01 21 00 d2 a4 0d c2 d3 10 09 0e 2f 3c c5 1a 4b    |  .!........./<..K

28 41 e6 27 01 06 76 70 6e 31 05 06 00 00 00 06    |  (A.'..vpn1......

06 06 00 00 00 02 07 06 00 00 00 01 1e 11 31 39    |  ..............19

35 2e 31 34 36 2e 31 33 35 2e 31 33 33 1f 0e 31    |  5.146.135.133..1

39 32 2e 31 36 38 2e 32 2e 31 30 42 0e 31 39 32    |  92.168.2.10B.192

2e 31 36 38 2e 32 2e 31 30 1a 18 00 00 01 37 0b    |  .168.2.10.....7.

12 6a a2 34 c4 62 0d 50 3f a6 ed 09 6d 82 0d e7    |  .j.4.b.P?...m...

e7 1a 3a 00 00 01 37 19 34 00 00 ae 4d 55 31 76    |  ..:...7.4...MU1v

7a 62 20 9b 53 a0 c1 75 38 34 43 00 00 00 00 00    |  zb .S..u84C.....

00 00 00 9c 7a 3a cf 7f e2 57 8a e9 a1 db a8 9d    |  ....z:..W......

f1 9f a0 62 70 71 73 00 48 88 05 04 06 0a 24 c8    |  ...bpqs.H.....$.

05 1a 21 00 00 00 09 01 1b 69 70 3a 73 6f 75 72    |  ..!......ip:sour

63 65 2d 69 70 3d 31 39 32 2e 31 36 38 2e 32 2e    |  ce-ip=192.168.2.

31 30                                              |  10

 

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 33 (0x21)

Radius: Length = 210 (0x00D2)

Radius: Vector: A40DC2D310090E2F3CC51A4B2841E627

Radius: Type = 1 (0x01) User-Name

Radius: Length = 6 (0x06)

Radius: Value (String) = 

76 70 6e 31                                        |  vpn1

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x6

Radius: Type = 6 (0x06) Service-Type

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x2

Radius: Type = 7 (0x07) Framed-Protocol

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x1

Radius: Type = 30 (0x1E) Called-Station-Id

Radius: Length = 17 (0x11)

Radius: Value (String) = 

31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33       |  195.146.135.133

Radius: Type = 31 (0x1F) Calling-Station-Id

Radius: Length = 14 (0x0E)

Radius: Value (String) = 

31 39 32 2e 31 36 38 2e 32 2e 31 30                |  192.168.2.10

Radius: Type = 66 (0x42) Tunnel-Client-Endpoint

Radius: Length = 14 (0x0E)

Radius: Value (String) = 

31 39 32 2e 31 36 38 2e 32 2e 31 30                |  192.168.2.10

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 24 (0x18)

Radius: Vendor ID = 311 (0x00000137)

Radius: Type = 11 (0x0B) MS-CHAP-Challenge

Radius: Length = 18 (0x12)

Radius: Value (String) = 

6a a2 34 c4 62 0d 50 3f a6 ed 09 6d 82 0d e7 e7    |  j.4.b.P?...m....

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 58 (0x3A)

Radius: Vendor ID = 311 (0x00000137)

Radius: Type = 25 (0x19) MS-CHAP2-Response

Radius: Length = 52 (0x34)

Radius: Value (String) = 

00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0 c1 75 38    |  ...MU1vzb .S..u8

34 43 00 00 00 00 00 00 00 00 9c 7a 3a cf 7f e2    |  4C.........z:..

57 8a e9 a1 db a8 9d f1 9f a0 62 70 71 73 00 48    |  W.........bpqs.H

88 05                                              |  ..

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.36.200.5 (0x0A24C805)

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 33 (0x21)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 27 (0x1B)

Radius: Value (String) = 

69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192

2e 31 36 38 2e 32 2e 31 30                         |  .168.2.10

 

RADIUS packet decode (response)

 

--------------------------------------

Raw packet data (length = 231).....

02 21 00 e7 28 ec 3e ce e6 9e 28 0e f1 3e 8a 54    |  .!..(.>...(..>.T

cf 5c 57 b3 1a 21 00 00 00 09 01 1b 69 70 3a 73    |  .\W..!......ip:s

6f 75 72 63 65 2d 69 70 3d 31 39 32 2e 31 36 38    |  ource-ip=192.168

2e 32 2e 31 30 1a 41 00 00 00 09 01 3b 41 43 53    |  .2.10.A.....;ACS

3a 43 69 73 63 6f 53 65 63 75 72 65 2d 44 65 66    |  :CiscoSecure-Def

69 6e 65 64 2d 41 43 4c 3d 23 41 43 53 41 43 4c    |  ined-ACL=#ACSACL

23 2d 49 50 2d 56 50 4e 31 5f 4f 55 54 2d 34 35    |  #-IP-VPN1_OUT-45

63 39 61 33 39 66 1a 33 00 00 01 37 1a 2d 00 53    |  c9a39f.3...7.-.S

3d 45 31 39 38 36 41 37 31 45 38 37 41 38 41 36    |  =E1986A71E87A8A6

42 44 32 45 30 39 33 33 45 45 30 34 41 38 43 32    |  BD2E0933EE04A8C2

30 44 38 34 37 33 36 41 38 08 06 0a 24 74 0a 1a    |  0D84736A8...$t..

0c 00 00 0c 04 10 06 00 00 00 01 1a 15 00 00 0c    |  ................

04 55 0f 56 50 4e 2d 53 55 50 50 4c 49 45 52 53    |  .U.VPN-SUPPLIERS

19 17 43 41 43 53 3a 30 2f 32 66 38 65 2f 61 32    |  ..CACS:0/2f8e/a2

34 63 38 30 35 2f 36                               |  4c805/6

 

Parsed packet data.....

Radius: Code = 2 (0x02)

Radius: Identifier = 33 (0x21)

Radius: Length = 231 (0x00E7)

Radius: Vector: 28EC3ECEE69E280EF13E8A54CF5C57B3

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 33 (0x21)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 27 (0x1B)

Radius: Value (String) = 

69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192

2e 31 36 38 2e 32 2e 31 30                         |  .168.2.10

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 65 (0x41)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 59 (0x3B)

Radius: Value (String) = 

41 43 53 3a 43 69 73 63 6f 53 65 63 75 72 65 2d    |  ACS:CiscoSecure-

44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53    |  Defined-ACL=#ACS

41 43 4c 23 2d 49 50 2d 56 50 4e 31 5f 4f 55 54    |  ACL#-IP-VPN1_OUT

2d 34 35 63 39 61 33 39 66                         |  -45c9a39f

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 51 (0x33)

Radius: Vendor ID = 311 (0x00000137)

Radius: Type = 26 (0x1A) MS-CHAP2-Success

Radius: Length = 45 (0x2D)

Radius: Value (String) = 

00 53 3d 45 31 39 38 36 41 37 31 45 38 37 41 38    |  .S=E1986A71E87A8

41 36 42 44 32 45 30 39 33 33 45 45 30 34 41 38    |  A6BD2E0933EE04A8

43 32 30 44 38 34 37 33 36 41 38                   |  C20D84736A8

Radius: Type = 8 (0x08) Framed-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.36.116.10 (0x0A24740A)

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 12 (0x0C)

Radius: Vendor ID = 3076 (0x00000C04)

Radius: Type = 16 (0x10) Store-PW

Radius: Length = 6 (0x06)

Radius: Value (Integer) = 1 (0x0001)

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 21 (0x15)

Radius: Vendor ID = 3076 (0x00000C04)

Radius: Type = 85 (0x55) The tunnel group that tunnel must be associated with

Radius: Length = 15 (0x0F)

Radius: Value (String) = 

56 50 4e 2d 53 55 50 50 4c 49 45 52 53             |  VPN-SUPPLIERS

Radius: Type = 25 (0x19) Class

Radius: Length = 23 (0x17)

Radius: Value (String) = 

43 41 43 53 3a 30 2f 32 66 38 65 2f 61 32 34 63    |  CACS:0/2f8e/a24c

38 30 35 2f 36                                     |  805/6

 

RADIUS packet decode (authentication request)

 

--------------------------------------

Raw packet data (length = 134).....

01 22 00 86 a4 0d c2 d3 10 09 0e 2f 3c c5 1a 4b    |  ."........./<..K

28 41 e6 27 01 1f 23 41 43 53 41 43 4c 23 2d 49    |  (A.'..#ACSACL#-I

50 2d 56 50 4e 31 5f 4f 55 54 2d 34 35 63 39 61    |  P-VPN1_OUT-45c9a

33 39 66 04 06 0a 24 c8 05 05 06 00 00 00 00 1a    |  39f...$.........

17 00 00 00 09 01 11 61 61 61 3a 73 65 72 76 69    |  .......aaa:servi

63 65 3d 76 70 6e 1a 1e 00 00 00 09 01 18 61 61    |  ce=vpn........aa

61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 6f 77 6e    |  a:event=acl-down

6c 6f 61 64 50 12 f1 24 57 97 2b 50 79 27 5d 5b    |  loadP..$W.+Py'][

33 52 bd 17 8d 22                                  |  3R..."

 

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 34 (0x22)

Radius: Length = 134 (0x0086)

Radius: Vector: A40DC2D310090E2F3CC51A4B2841E627

Radius: Type = 1 (0x01) User-Name

Radius: Length = 31 (0x1F)

Radius: Value (String) = 

23 41 43 53 41 43 4c 23 2d 49 50 2d 56 50 4e 31    |  #ACSACL#-IP-VPN1

5f 4f 55 54 2d 34 35 63 39 61 33 39 66             |  _OUT-45c9a39f

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.36.200.5 (0x0A24C805)

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x0

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 23 (0x17)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 17 (0x11)

Radius: Value (String) = 

61 61 61 3a 73 65 72 76 69 63 65 3d 76 70 6e       |  aaa:service=vpn

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 30 (0x1E)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 24 (0x18)

Radius: Value (String) = 

61 61 61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 6f    |  aaa:event=acl-do

77 6e 6c 6f 61 64                                  |  wnload

Radius: Type = 80 (0x50) Message-Authenticator

Radius: Length = 18 (0x12)

Radius: Value (String) = 

f1 24 57 97 2b 50 79 27 5d 5b 33 52 bd 17 8d 22    |  .$W.+Py'][3R..."

 

RADIUS packet decode (response)

 

--------------------------------------

Raw packet data (length = 104).....

02 22 00 68 d1 fb 56 52 35 a9 a3 89 cc 1a 0c 1d    |  .".h..VR5.......

63 db d1 ad 1a 24 00 00 00 09 01 1e 69 70 3a 69    |  c....$......ip:i

6e 61 63 6c 23 31 3d 70 65 72 6d 69 74 20 69 70    |  nacl#1=permit ip

20 61 6e 79 20 61 6e 79 19 1e 43 41 43 53 3a 66    |   any any..CACS:f

66 66 66 66 66 66 66 2f 32 66 38 66 2f 61 32 34    |  fffffff/2f8f/a24

63 38 30 35 2f 30 50 12 a1 d1 39 d8 11 c5 f2 47    |  c805/0P...9....G

c6 87 66 f2 48 b3 32 4d                            |  ..f.H.2M

 

Parsed packet data.....

Radius: Code = 2 (0x02)

Radius: Identifier = 34 (0x22)

Radius: Length = 104 (0x0068)

Radius: Vector: D1FB565235A9A389CC1A0C1D63DBD1AD

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 36 (0x24)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 30 (0x1E)

Radius: Value (String) = 

69 70 3a 69 6e 61 63 6c 23 31 3d 70 65 72 6d 69    |  ip:inacl#1=permi

74 20 69 70 20 61 6e 79 20 61 6e 79                |  t ip any any

Radius: Type = 25 (0x19) Class

Radius: Length = 30 (0x1E)

Radius: Value (String) = 

43 41 43 53 3a 66 66 66 66 66 66 66 66 2f 32 66    |  CACS:ffffffff/2f

38 66 2f 61 32 34 63 38 30 35 2f 30                |  8f/a24c805/0

Radius: Type = 80 (0x50) Message-Authenticator

Radius: Length = 18 (0x12)

Radius: Value (String) = 

a1 d1 39 d8 11 c5 f2 47 c6 87 66 f2 48 b3 32 4d    |  ..9....G..f.H.2M

 

RADIUS packet decode (authentication request)

 

--------------------------------------

Raw packet data (length = 204).....

01 23 00 cc d4 7d 72 c3 40 79 be 1f 6c 35 ca 3b    |  .#...}r.@y..l5.;

58 b1 96 17 01 06 76 70 6e 31 02 12 ab 05 81 cd    |  X.....vpn1......

ef 60 72 1e cc d6 13 a7 67 8a 09 c2 05 06 00 00    |  .`r.....g.......

00 06 06 06 00 00 00 02 07 06 00 00 00 01 1e 11    |  ................

31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 1f    |  195.146.135.133.

0e 31 39 32 2e 31 36 38 2e 32 2e 31 30 42 0e 31    |  .192.168.2.10B.1

39 32 2e 31 36 38 2e 32 2e 31 30 1a 3a 00 00 01    |  92.168.2.10.:...

37 19 34 00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0    |  7.4...MU1vzb .S.

c1 75 38 34 43 00 00 00 00 00 00 00 00 9c 7a 3a    |  .u84C.........z:

cf 7f e2 57 8a e9 a1 db a8 9d f1 9f a0 62 70 71    |  ..W.........bpq

73 00 48 88 05 04 06 0a 24 c8 05 1a 21 00 00 00    |  s.H.....$...!...

09 01 1b 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d    |  ...ip:source-ip=

31 39 32 2e 31 36 38 2e 32 2e 31 30                |  192.168.2.10

 

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 35 (0x23)

Radius: Length = 204 (0x00CC)

Radius: Vector: D47D72C34079BE1F6C35CA3B58B19617

Radius: Type = 1 (0x01) User-Name

Radius: Length = 6 (0x06)

Radius: Value (String) = 

76 70 6e 31                                        |  vpn1

Radius: Type = 2 (0x02) User-Password

Radius: Length = 18 (0x12)

Radius: Value (String) = 

ab 05 81 cd ef 60 72 1e cc d6 13 a7 67 8a 09 c2    |  .....`r.....g...

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x6

Radius: Type = 6 (0x06) Service-Type

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x2

Radius: Type = 7 (0x07) Framed-Protocol

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x1

Radius: Type = 30 (0x1E) Called-Station-Id

Radius: Length = 17 (0x11)

Radius: Value (String) = 

31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33       |  195.146.135.133

Radius: Type = 31 (0x1F) Calling-Station-Id

Radius: Length = 14 (0x0E)

Radius: Value (String) = 

31 39 32 2e 31 36 38 2e 32 2e 31 30                |  192.168.2.10

Radius: Type = 66 (0x42) Tunnel-Client-Endpoint

Radius: Length = 14 (0x0E)

Radius: Value (String) = 

31 39 32 2e 31 36 38 2e 32 2e 31 30                |  192.168.2.10

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 58 (0x3A)

Radius: Vendor ID = 311 (0x00000137)

Radius: Type = 25 (0x19) MS-CHAP2-Response

Radius: Length = 52 (0x34)

Radius: Value (String) = 

00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0 c1 75 38    |  ...MU1vzb .S..u8

34 43 00 00 00 00 00 00 00 00 9c 7a 3a cf 7f e2    |  4C.........z:..

57 8a e9 a1 db a8 9d f1 9f a0 62 70 71 73 00 48    |  W.........bpqs.H

88 05                                              |  ..

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.36.200.5 (0x0A24C805)

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 33 (0x21)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 27 (0x1B)

Radius: Value (String) = 

69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192

2e 31 36 38 2e 32 2e 31 30                         |  .168.2.10

 

RADIUS packet decode (response)

 

--------------------------------------

Raw packet data (length = 32).....

03 23 00 20 c7 2f d9 f1 0a 78 e9 4f f6 d8 8e bd    |  .#. ./...x.O....

8b a9 ee e8 12 0c 52 65 6a 65 63 74 65 64 0a 0d    |  ......Rejected..

 

Parsed packet data.....

Radius: Code = 3 (0x03)

Radius: Identifier = 35 (0x23)

Radius: Length = 32 (0x0020)

Radius: Vector: C72FD9F10A78E94FF6D88EBD8BA9EEE8

Radius: Type = 18 (0x12) Reply-Message

Radius: Length = 12 (0x0C)

Radius: Value (String) = 

52 65 6a 65 63 74 65 64 0a 0d                      |  Rejected..

Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, Username = vpn1, IP = 192.168.2.10, constructing blank hash payload

Feb 07 16:08:52 [IKEv1 DEBUG]: Group = VPN-SUPPLIERS, Username = vpn1, IP = 192.168.2.10, constructing qm hash payload

Feb 07 16:08:52 [IKEv1]: IP = 192.168.2.10, IKE_DECODE SENDING Message (msgid=99a4af9d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 112

 

*****************************************************************************************************************************************************************************************

 

 

Thanks for the help.

 

Laco Nemec

 

 

 

 

Ladislav Nemec

Network Consulting Engineer

CCIE(tm) No. 8821

 

------------------------------------

ANECT a.s.           direct: + 421 2 4821 3107

Teslova 30           fax:    + 421 2 4821 3199

821 02 Bratislava    mobile: +421 904 707 107

Slovakia             Ladislav.Nemec at anect.com

http://www.anect.com

------------------------------------

IČO: 35 787 546

SK: 2020256579

Commercial register, District Court Bratislava 1

Section: Sa, insert number: 2431/B

----------------------
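Editor's note, added example (not part of the original post and not ACS or ASA code): a small Python decoder for the RADIUS dumps quoted above. It parses the RFC 2865 header and attribute list, unwraps the Vendor-Specific attributes (Cisco vendor 9 AV-pairs, Microsoft vendor 311 MS-CHAP sub-attributes) and enforces the length checks a RADIUS server must apply before trusting a packet. Run on the bytes copied from the debug, it makes the difference between the two Access-Requests visible: the accepted request (id 33) carries MS-CHAP-Challenge and no User-Password, the rejected request (id 35) carries a User-Password and no MS-CHAP-Challenge, and the MS-CHAP2-Response bytes are identical in both. The hex strings are copied from the post; the attribute name tables are the standard names the PIX printed; `authorize_source_ip` and its `allowed` policy table are a constructed server-side emulation of the per-user source-IP rule the post is trying to achieve, not the ACS configuration. Response and Message-Authenticator verification need the shared secret and are deliberately left out.

```python
"""Decode the RADIUS packets quoted in the post and compare the accepted Xauth
request (id 33) with the rejected one (id 35). Hex bytes are copied from the
debug output; function names and the policy table are constructed for this
example and are not ACS or ASA code."""
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
              18: "Reply-Message", 25: "Class", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 66: "Tunnel-Client-Endpoint",
              80: "Message-Authenticator"}
# Vendor sub-attribute names as the PIX printed them (vendor id -> sub-type -> name).
VSA_NAMES = {9: {1: "Cisco-AV-pair"},
             311: {11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response", 26: "MS-CHAP2-Success"}}

# Packet id 33: the Access-Request that ACS accepted (bytes copied from the debug above).
ACCEPTED_REQ = bytes.fromhex("""
01 21 00 d2 a4 0d c2 d3 10 09 0e 2f 3c c5 1a 4b 28 41 e6 27 01 06 76 70 6e 31 05 06 00 00 00 06
06 06 00 00 00 02 07 06 00 00 00 01 1e 11 31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 1f 0e 31
39 32 2e 31 36 38 2e 32 2e 31 30 42 0e 31 39 32 2e 31 36 38 2e 32 2e 31 30 1a 18 00 00 01 37 0b
12 6a a2 34 c4 62 0d 50 3f a6 ed 09 6d 82 0d e7 e7 1a 3a 00 00 01 37 19 34 00 00 ae 4d 55 31 76
7a 62 20 9b 53 a0 c1 75 38 34 43 00 00 00 00 00 00 00 00 9c 7a 3a cf 7f e2 57 8a e9 a1 db a8 9d
f1 9f a0 62 70 71 73 00 48 88 05 04 06 0a 24 c8 05 1a 21 00 00 00 09 01 1b 69 70 3a 73 6f 75 72
63 65 2d 69 70 3d 31 39 32 2e 31 36 38 2e 32 2e 31 30""")
# Packet id 35: the Access-Request that ACS rejected with "CS password invalid".
REJECTED_REQ = bytes.fromhex("""
01 23 00 cc d4 7d 72 c3 40 79 be 1f 6c 35 ca 3b 58 b1 96 17 01 06 76 70 6e 31 02 12 ab 05 81 cd
ef 60 72 1e cc d6 13 a7 67 8a 09 c2 05 06 00 00 00 06 06 06 00 00 00 02 07 06 00 00 00 01 1e 11
31 39 35 2e 31 34 36 2e 31 33 35 2e 31 33 33 1f 0e 31 39 32 2e 31 36 38 2e 32 2e 31 30 42 0e 31
39 32 2e 31 36 38 2e 32 2e 31 30 1a 3a 00 00 01 37 19 34 00 00 ae 4d 55 31 76 7a 62 20 9b 53 a0
c1 75 38 34 43 00 00 00 00 00 00 00 00 9c 7a 3a cf 7f e2 57 8a e9 a1 db a8 9d f1 9f a0 62 70 71
73 00 48 88 05 04 06 0a 24 c8 05 1a 21 00 00 00 09 01 1b 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d
31 39 32 2e 31 36 38 2e 32 2e 31 30""")
# The Access-Reject that answered id 35.
REJECT_RESP = bytes.fromhex(
    "03 23 00 20 c7 2f d9 f1 0a 78 e9 4f f6 d8 8e bd 8b a9 ee e8 12 0c 52 65 6a 65 63 74 65 64 0a 0d")


def parse_radius(raw: bytes) -> dict:
    """Parse one RADIUS packet (RFC 2865 layout); raise ValueError on malformed input."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        value = raw[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:  # Vendor-Specific: vendor id + one sub-attribute
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if sub_len < 2 or sub_len != len(value) - 4:
                raise ValueError("bad vendor sub-attribute length")
            name = VSA_NAMES.get(vendor, {}).get(sub_type, f"VSA-{vendor}-{sub_type}")
            attrs.append({"name": name, "vendor": vendor, "value": value[6:]})
        else:
            attrs.append({"name": ATTR_NAMES.get(atype, f"Attr-{atype}"), "vendor": None, "value": value})
        pos += alen
    return {"code": CODE_NAMES.get(code, str(code)), "id": ident, "authenticator": raw[4:20], "attrs": attrs}


def is_malformed(raw: bytes) -> bool:
    """True when parse_radius refuses the bytes (shows the length checks doing their job)."""
    try:
        parse_radius(raw)
        return False
    except ValueError:
        return True


def attr_names(pkt: dict) -> list:
    return [a["name"] for a in pkt["attrs"]]


def first_value(pkt: dict, name: str):
    return next((a["value"] for a in pkt["attrs"] if a["name"] == name), None)


def cisco_avpairs(pkt: dict) -> list:
    return [a["value"].decode("ascii") for a in pkt["attrs"] if a["name"] == "Cisco-AV-pair"]


def compare_requests(a: dict, b: dict) -> dict:
    """Attributes present in only one of two requests, plus whether the MS-CHAP2
    response bytes are identical (they are, in the two dumps above)."""
    na, nb = set(attr_names(a)), set(attr_names(b))
    return {"only_in_first": sorted(na - nb), "only_in_second": sorted(nb - na),
            "same_mschap2_response": first_value(a, "MS-CHAP2-Response") == first_value(b, "MS-CHAP2-Response")}


def authorize_source_ip(pkt: dict, allowed: dict) -> str:
    """Constructed server-side rule for what the post wants: accept only when the
    ip:source-ip AV pair the NAS reports equals the one address allowed for that user."""
    user = first_value(pkt, "User-Name")
    reported = [p.split("=", 1)[1] for p in cisco_avpairs(pkt) if p.startswith("ip:source-ip=")]
    if user is None or user.decode("ascii", "replace") not in allowed:
        return "Access-Reject"
    return "Access-Accept" if reported == [allowed[user.decode("ascii")]] else "Access-Reject"


if __name__ == "__main__":
    acc, rej = parse_radius(ACCEPTED_REQ), parse_radius(REJECTED_REQ)
    print(compare_requests(acc, rej))
    print(parse_radius(REJECT_RESP)["code"], first_value(parse_radius(REJECT_RESP), "Reply-Message"))
    print(authorize_source_ip(rej, {"vpn1": "192.168.2.10"}))
```

`compare_requests` reports `MS-CHAP-Challenge` only in the accepted request and `User-Password` only in the rejected one, with `same_mschap2_response` true, which is the attribute-level view of the "one passed, one failed" pair in the ACS log. The source-IP rule is evaluated on the AV pair the NAS sends, so it only enforces what the NAS reports; the NAS and the shared secret remain the trust boundary.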

 

 
