URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 1141

Original message
"CISCO VPN + RADIUS WINDOWS 2008 R2 + iphone"

Posted by retrooo_7, 16-Dec-13 14:38
Posted: Fri 13 Dec 2013 14:26    Subject: CISCO VPN + RADIUS WINDOWS 2008 R2 + iphone
Hi all, I have:
- Windows 2008 R2
with the NPS role installed; the policy is configured as follows:
authentication - MS-CHAP v2
encryption - no encryption
and a user group has been added


- a Cisco 2921 router
PPTP VPN

!! authentication setup
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting network VPN-USERS
 action-type start-stop
 group radius
aaa session-id common

! on the interface
ppp accounting VPN-USERS

! RADIUS server settings
radius server KR-RS
 address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
 key 7777777

When connecting to the VPN from Windows everything works fine, logging happens, and everyone is happy,
but the lucky iPhone owners cannot connect to the VPN at all, even though before the RADIUS setup, with local authentication on the Cisco and the same MS-CHAP v2, everything worked. Please tell me where to dig!!!


debug cisco
002682: Dec 16 13:28:00.414 MSK: PPP: Alloc Context [3C560C54]
002683: Dec 16 13:28:00.414 MSK: ppp348 PPP: Initialized Context 3C560C54
002684: Dec 16 13:28:00.414 MSK: ppp348 PPP: Phase is ESTABLISHING
002685: Dec 16 13:28:00.414 MSK: ppp348 PPP: Using AAA Unique Id = 174
002686: Dec 16 13:28:00.414 MSK: ppp348 PPP: Dynamic Bind peer_type[4]
002687: Dec 16 13:28:00.414 MSK: ppp348 PPP: Send Message[Dynamic Bind Response]
002688: Dec 16 13:28:00.414 MSK: ppp348 PPP: Authorization required
002689: Dec 16 13:28:00.414 MSK: ppp348 PPP: Using vpn set call direction
002690: Dec 16 13:28:00.414 MSK: ppp348 PPP: Treating connection as a callin
002691: Dec 16 13:28:00.414 MSK: ppp348 PPP: Session handle[DC000058] Session id[348]
002692: Dec 16 13:28:00.414 MSK: ppp348 PPP LCP: negotiation authorized = 1, tacacs author = 0
002693: Dec 16 13:28:00.414 MSK: ppp348 LCP: Event[OPEN] State[Initial to Starting]
002694: Dec 16 13:28:00.414 MSK: ppp348 PPP LCP: Enter passive mode, state[Stopped]
002695: Dec 16 13:28:00.466 MSK: ppp348 LCP: I CONFREQ [Stopped] id 1 len 20
002696: Dec 16 13:28:00.466 MSK: ppp348 LCP: ACCM 0x00000000 (0x020600000000)
002697: Dec 16 13:28:00.466 MSK: ppp348 LCP: MagicNumber 0x07A81B79 (0x050607A81B79)
002698: Dec 16 13:28:00.466 MSK: ppp348 LCP: PFC (0x0702)
002699: Dec 16 13:28:00.466 MSK: ppp348 LCP: ACFC (0x0802)
002700: Dec 16 13:28:00.466 MSK: ppp348 PPP LCP: neg is authorized, processing incoming CONFREQ
002701: Dec 16 13:28:00.466 MSK: ppp348 LCP: O CONFREQ [Stopped] id 1 len 15
002702: Dec 16 13:28:00.466 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002703: Dec 16 13:28:00.466 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002704: Dec 16 13:28:00.466 MSK: ppp348 LCP: O CONFACK [Stopped] id 1 len 20
002705: Dec 16 13:28:00.466 MSK: ppp348 LCP: ACCM 0x00000000 (0x020600000000)
002706: Dec 16 13:28:00.466 MSK: ppp348 LCP: MagicNumber 0x07A81B79 (0x050607A81B79)
002707: Dec 16 13:28:00.466 MSK: ppp348 LCP: PFC (0x0702)
002708: Dec 16 13:28:00.466 MSK: ppp348 LCP: ACFC (0x0802)
002709: Dec 16 13:28:00.466 MSK: ppp348 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]
002710: Dec 16 13:28:00.498 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 1 len 9
002711: Dec 16 13:28:00.498 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002712: Dec 16 13:28:00.498 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 2 len 15
002713: Dec 16 13:28:00.498 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002714: Dec 16 13:28:00.498 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002715: Dec 16 13:28:00.498 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002716: Dec 16 13:28:00.530 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 2 len 9
002717: Dec 16 13:28:00.530 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002718: Dec 16 13:28:00.530 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 3 len 15
002719: Dec 16 13:28:00.530 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002720: Dec 16 13:28:00.530 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002721: Dec 16 13:28:00.530 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002722: Dec 16 13:28:00.562 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 3 len 9
002723: Dec 16 13:28:00.562 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002724: Dec 16 13:28:00.562 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 4 len 15
002725: Dec 16 13:28:00.562 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002726: Dec 16 13:28:00.562 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002727: Dec 16 13:28:00.562 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002728: Dec 16 13:28:00.594 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 4 len 9
002729: Dec 16 13:28:00.594 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002730: Dec 16 13:28:00.594 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 5 len 15
002731: Dec 16 13:28:00.594 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002732: Dec 16 13:28:00.594 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002733: Dec 16 13:28:00.594 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002734: Dec 16 13:28:00.626 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 5 len 9
002735: Dec 16 13:28:00.626 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002736: Dec 16 13:28:00.626 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 6 len 15
002737: Dec 16 13:28:00.626 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002738: Dec 16 13:28:00.626 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002739: Dec 16 13:28:00.626 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002740: Dec 16 13:28:00.658 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 6 len 9
002741: Dec 16 13:28:00.658 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002742: Dec 16 13:28:00.658 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 7 len 15
002743: Dec 16 13:28:00.658 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002744: Dec 16 13:28:00.658 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002745: Dec 16 13:28:00.658 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002746: Dec 16 13:28:00.706 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 7 len 9
002747: Dec 16 13:28:00.706 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002748: Dec 16 13:28:00.706 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 8 len 15
002749: Dec 16 13:28:00.706 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002750: Dec 16 13:28:00.706 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002751: Dec 16 13:28:00.706 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002752: Dec 16 13:28:00.738 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 8 len 9
002753: Dec 16 13:28:00.738 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002754: Dec 16 13:28:00.738 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 9 len 15
002755: Dec 16 13:28:00.738 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002756: Dec 16 13:28:00.738 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002757: Dec 16 13:28:00.738 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002758: Dec 16 13:28:00.786 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 9 len 9
002759: Dec 16 13:28:00.786 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002760: Dec 16 13:28:00.786 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 10 len 15
002761: Dec 16 13:28:00.786 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002762: Dec 16 13:28:00.786 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002763: Dec 16 13:28:00.786 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002764: Dec 16 13:28:00.818 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 10 len 9
002765: Dec 16 13:28:00.818 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002766: Dec 16 13:28:00.818 MSK: ppp348 LCP: Received too many CONFREJs. Closing CP
002767: Dec 16 13:28:00.818 MSK: ppp348 PPP DISC: LCP failed to negotiate
002768: Dec 16 13:28:00.818 MSK: ppp348 PPP: Sending Acct Event[Down] id[174]
002769: Dec 16 13:28:00.818 MSK: PPP: NET STOP send to AAA.
002770: Dec 16 13:28:00.818 MSK: ppp348 LCP: O TERMREQ [ACKsent] id 11 len 4
002771: Dec 16 13:28:00.818 MSK: ppp348 LCP: Event[CLOSE] State[ACKsent to Closing]
002772: Dec 16 13:28:00.850 MSK: ppp348 LCP: I TERMACK [Closing] id 11 len 4
002773: Dec 16 13:28:00.850 MSK: ppp348 LCP: Event[Receive TermAck] State[Closing to Closed]
002774: Dec 16 13:28:00.850 MSK: ppp348 LCP: Event[DOWN] State[Closed to Initial]
002775: Dec 16 13:28:00.850 MSK: ppp348 PPP: Clearing AAA Unique Id = 174
002776: Dec 16 13:28:00.850 MSK: ppp348 PPP: Send Message[Disconnect]
002777: Dec 16 13:28:00.850 MSK: ppp348 PPP: Phase is DOWN

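The debug above ends with "Received too many CONFREJs" after the router alternates between offering CHAP and MS-CHAP-V2 and the peer rejecting each one. The following parser, added here as an example and not part of the original post, reads `debug ppp negotiation` output of that shape, tallies per session which AuthProto values the router offered and which the peer refused, and gives a one-line verdict; the embedded input is a constructed, abridged excerpt modelled on the thread's log.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the `debug ppp negotiation` output in the thread (abridged).
SAMPLE_DEBUG = """\
002701: Dec 16 13:28:00.466 MSK: ppp348 LCP: O CONFREQ [Stopped] id 1 len 15
002702: Dec 16 13:28:00.466 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002710: Dec 16 13:28:00.498 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 1 len 9
002711: Dec 16 13:28:00.498 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002712: Dec 16 13:28:00.498 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 2 len 15
002713: Dec 16 13:28:00.498 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002716: Dec 16 13:28:00.530 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 2 len 9
002717: Dec 16 13:28:00.530 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002766: Dec 16 13:28:00.818 MSK: ppp348 LCP: Received too many CONFREJs. Closing CP
002767: Dec 16 13:28:00.818 MSK: ppp348 PPP DISC: LCP failed to negotiate
"""

# Packet header lines; the option lines that follow (AuthProto, MagicNumber, ...) belong to that packet.
PKT_RE = re.compile(r"(?P<sess>ppp\d+) LCP: (?P<dir>[IO]) (?P<kind>CONF(?:REQ|ACK|NAK|REJ)) \[")
AUTH_RE = re.compile(r"(?P<sess>ppp\d+) LCP: AuthProto (?P<proto>\S+) \(0x[0-9A-Fa-f]+\)")
FAIL_RE = re.compile(r"(?P<sess>ppp\d+) PPP DISC: LCP failed to negotiate")

def _bucket(sessions, sess):
    return sessions.setdefault(sess, {"offered": Counter(), "rejected": Counter(), "failed": False})

def analyze_lcp(debug_text):
    """Per PPP session: AuthProto values the router offered (O CONFREQ), the ones the
    peer refused (I CONFREJ/CONFNAK), and whether LCP gave up."""
    sessions, current = {}, {}  # current[sess] = (direction, kind) of the packet being listed
    for line in debug_text.splitlines():
        if m := PKT_RE.search(line):
            current[m["sess"]] = (m["dir"], m["kind"])
            _bucket(sessions, m["sess"])
        elif m := AUTH_RE.search(line):
            direction, kind = current.get(m["sess"], (None, None))
            if direction == "O" and kind == "CONFREQ":
                _bucket(sessions, m["sess"])["offered"][m["proto"]] += 1
            elif direction == "I" and kind in ("CONFREJ", "CONFNAK"):
                _bucket(sessions, m["sess"])["rejected"][m["proto"]] += 1
        elif m := FAIL_RE.search(line):
            _bucket(sessions, m["sess"])["failed"] = True
    return sessions

def diagnose(session):
    """Short verdict for one session's summary."""
    offered, rejected = set(session["offered"]), set(session["rejected"])
    if session["failed"] and offered and offered <= rejected:
        return "peer rejected every offered auth protocol: " + ", ".join(sorted(offered))
    if session["failed"]:
        return "LCP failed for a reason other than the auth protocol"
    return "LCP negotiated"

if __name__ == "__main__":
    for sess, summary in analyze_lcp(SAMPLE_DEBUG).items():
        print(sess, dict(summary["offered"]), dict(summary["rejected"]), diagnose(summary))
```

When every offered protocol shows up in the rejected set, the problem is the authentication method list on the router side and the peer's capabilities, not the RADIUS credentials.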

Contents

Messages in this discussion
"CISCO VPN + RADIUS WINDOWS 2008 R2 + iphone"
Posted by rusadmin, 17-Dec-13 08:52
>[overquoting removed]
> ppp accounting VPN-USERS
> ! RADIUS server settings
> radius server KR-RS
> address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
> key 7777777
> When connecting to the VPN from Windows everything works fine, logging happens, and
> everyone is happy,
> but the lucky iPhone owners cannot connect to the VPN at all,
> even though before the RADIUS setup, with local authentication on the Cisco and
> the same MS-CHAP v2, everything worked. Please tell me where to dig!!!

Check the RADIUS log to see whether it allows the connection. Judging by the log, it doesn't.


"CISCO VPN + RADIUS WINDOWS 2008 R2 + iphone"
Posted by retrooo_7, 17-Dec-13 09:11
>[overquoting removed]
>> ! RADIUS server settings
>> radius server KR-RS
>> address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
>> key 7777777
>> When connecting to the VPN from Windows everything works fine, logging happens, and
>> everyone is happy,
>> but the lucky iPhone owners cannot connect to the VPN at all,
>> even though before the RADIUS setup, with local authentication on the Cisco and
>> the same MS-CHAP v2, everything worked. Please tell me where to dig!!!
> Check the RADIUS log to see whether it allows the connection. Judging by the log, it doesn't.

NPS
<Event><Timestamp data_type="4">12/16/2013 12:47:16.419</Timestamp><Computer-Name data_type="1">KR-RS</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Framed-Protocol data_type="0">1</Framed-Protocol><User-Name data_type="1">transasia\radiustest</User-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><NAS-Port data_type="0">339</NAS-Port><NAS-Port-Id data_type="1">Uniq-Sess-ID339</NAS-Port-Id><Service-Type data_type="0">2</Service-Type><NAS-IP-Address data_type="3">192.168.210.87</NAS-IP-Address><Client-IP-Address data_type="3">192.168.210.87</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">192.168.210.87</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">TRANSASIA\radiustest</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">TRANSASIA\radiustest</Fully-Qualifed-User-Name><Class data_type="1">311 1 192.168.208.219 12/11/2013 23:34:17 48</Class><Authentication-Type data_type="0">2</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/16/2013 12:47:16.419</Timestamp><Computer-Name data_type="1">KR-RS</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.208.219 12/11/2013 23:34:17 48</Class><Authentication-Type data_type="0">2</Authentication-Type><Fully-Qualifed-User-Name data_type="1">TRANSASIA\radiustest</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">TRANSASIA\radiustest</SAM-Account-Name><Provider-Type data_type="0">1</Provider-Type><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Client-IP-Address data_type="3">192.168.210.87</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">192.168.210.87</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">19</Reason-Code></Event>

Still no idea what is wrong with it, and it's only the iPhones that it won't let in.
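The two NPS lines above are in the IAS XML log format: the first is the Access-Request (Packet-Type 1) and the second the Access-Reject (Packet-Type 3) for the same CHAP attempt (Authentication-Type 2). The following reader, added here as an example and not part of the post, decodes those numeric fields and groups rejects by NAS, authentication type and reason code; the embedded events are a constructed sample modelled on the post's lines, and the Packet-Type and Authentication-Type mappings follow the NPS/IAS log format documentation while Reason-Code is left numeric.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample modelled on the two NPS (IAS XML format) events posted in the thread,
# trimmed to the fields used here. Raw string: the backslash in DOMAIN\user must stay literal.
SAMPLE_NPS_LOG = r"""<Event><Timestamp data_type="4">12/16/2013 12:47:16.419</Timestamp><Computer-Name data_type="1">KR-RS</Computer-Name><User-Name data_type="1">transasia\radiustest</User-Name><NAS-IP-Address data_type="3">192.168.210.87</NAS-IP-Address><Authentication-Type data_type="0">2</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/16/2013 12:47:16.419</Timestamp><Computer-Name data_type="1">KR-RS</Computer-Name><Fully-Qualifed-User-Name data_type="1">TRANSASIA\radiustest</Fully-Qualifed-User-Name><Client-IP-Address data_type="3">192.168.210.87</Client-IP-Address><Authentication-Type data_type="0">2</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">19</Reason-Code></Event>
"""

# Numeric codes as documented for the NPS/IAS log format; Reason-Code is left numeric.
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}
AUTH_TYPE = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP-v2", 5: "EAP", 7: "None", 8: "Custom"}

def parse_nps_events(text):
    """Yield one decoded dict per <Event> line."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue
        ev = {child.tag: child.text for child in ET.fromstring(line)}
        yield {
            "timestamp": ev.get("Timestamp"),
            "server": ev.get("Computer-Name"),
            # Reject events may carry only the resolved name, not User-Name (as in the thread's second event)
            "user": ev.get("User-Name") or ev.get("Fully-Qualifed-User-Name") or ev.get("SAM-Account-Name"),
            "nas": ev.get("NAS-IP-Address") or ev.get("Client-IP-Address"),
            "packet": PACKET_TYPE.get(int(ev.get("Packet-Type", -1)), "unknown"),
            "auth": AUTH_TYPE.get(int(ev.get("Authentication-Type", -1)), "unknown"),
            "reason": int(ev.get("Reason-Code", -1)),
        }

def reject_breakdown(events):
    """Count Access-Rejects by (NAS, auth type, reason code): a single NAS or auth method
    dominating the rejects separates a negotiation/policy mismatch from individual bad passwords."""
    return Counter((e["nas"], e["auth"], e["reason"]) for e in events if e["packet"] == "Access-Reject")

if __name__ == "__main__":
    events = list(parse_nps_events(SAMPLE_NPS_LOG))
    for e in events:
        print(e["timestamp"], e["user"], e["packet"], e["auth"], "reason", e["reason"])
    print(dict(reject_breakdown(events)))
```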


"CISCO VPN + RADIUS WINDOWS 2008 R2 + iphone"
Posted by retrooo_7, 18-Dec-13 10:42
>[overquoting removed]
> data_type="1">KR-RS</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class
> data_type="1">311 1 192.168.208.219 12/11/2013 23:34:17 48</Class><Authentication-Type
> data_type="0">2</Authentication-Type><Fully-Qualifed-User-Name data_type="1">TRANSASIA\radiustest</Fully-Qualifed-User-Name><SAM-Account-Name
> data_type="1">TRANSASIA\radiustest</SAM-Account-Name><Provider-Type data_type="0">1</Provider-Type><Proxy-Policy-Name
> data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Client-IP-Address
> data_type="3">192.168.210.87</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name
> data_type="1">192.168.210.87</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code
> data_type="0">19</Reason-Code></Event>
> Still no idea what is wrong with it, and it's only the iPhones that it
> won't let in.

SOLVED IT ALL!!!

On the virtual interface it must be like this:

ppp authentication ms-chap-v2

and the same in the RADIUS policy.


iPhones don't do PAP, EAP or CHAP, so RADIUS kicks them out...

Thanks everyone!