I spent a long time on this, did everything as written in Cisco's docs, but apparently I am running into a trap somewhere. I need to set up dial-up access on a Cisco 3745 with AAA on a RADIUS server. The Cisco is connected to the network over MPLS. The damned thing does not send packets to the RADIUS server. Or rather, it says it sends them, but those packets are not seen on the RADIUS server or on the PIX that sits in front of the RADIUS server! :(
Below are excerpts from the config which, in my newbie opinion, relate to the dial-up, RADIUS and packet-sending settings (a "hole" for the Cisco has been poked in the PIX; the Cisco's address is taken to be the global address on Loopback10):
version 12.3
! ...
modem country microcom_hdms new-zealand
aaa new-model
!
!
aaa group server radius DIAL
server-private X.X.X.X auth-port 1645 acct-port 1646 timeout 60 retransmit 3 key 7 050UYEUYEUY1C081E190A1E
!
aaa authentication ppp radius-list group DIAL
aaa authorization network radius-list group DIAL
aaa accounting send stop-record authentication failure vrf Inet
aaa accounting delay-start vrf Inet
aaa accounting network radius-list start-stop group DIAL
aaa session-id common
ip vrf Inet
rd 21879:100
route-target export 21879:100
route-target import 21879:100
interface Loopback10
ip vrf forwarding Inet
ip address Y.Y.Y.Y 255.255.255.255
!
interface Group-Async1
ip unnumbered Loopback10
encapsulation ppp
async mode interactive
peer default ip address pool DIALPOOL
ppp authentication ms-chap chap pap radius-list
ppp authorization radius-list
ppp accounting radius-list
group-range 97 112
!
ip local pool DIALPOOL 192.168.10.1 192.168.10.32
no ip http server
ip classless
!
ip radius source-interface Loopback10 vrf Inet
radius-server attribute 44 include-in-access-req vrf Inet
radius-server host X.X.X.X auth-port 1645 acct-port 1646 retransmit 3 key 7 050UYEUYEUY1C081E190A1E
radius-server timeout 60
radius-server vsa send accounting
radius-server vsa send authentication
line 97 112
session-timeout 30
location Semikar
exec-timeout 30 0
absolute-timeout 240
login authentication radius-list
modem InOut
transport preferred none
transport input all
autoselect during-login
autoselect ppp
flowcontrol hardware
Here the RADIUS server address is replaced with X.X.X.X, and the Cisco's address with Y.Y.Y.Y
And here is "what we can do":
1.
Router#ping vrf Inet X.X.X.X
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to X.X.X.X, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
Router#
2.
Router#debug radius verbose
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is on
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius packet retransmission debugging is on
Radius server fail-over debugging is off
Router#terminal monitor
Router#
11w5d: %LINK-3-UPDOWN: Interface Async97, changed state to up
11w5d: RADIUS(0000AE7C): Storing nasport 97 in rad_db
11w5d: RADIUS(0000AE7C): Config NAS IP: 0.0.0.0
11w5d: RADIUS/ENCODE(0000AE7C): acct_session_id: 440
11w5d: RADIUS(0000AE7C): sending
11w5d: RADIUS/ENCODE: Best Local IP-Address 10.10.0.150 for Radius-Server X.X.X.X
11w5d: RADIUS(0000AE7C): Send Access-Request to X.X.X.X:1645 id 21645/40, len 182
11w5d: RADIUS: authenticator 9D C5 1E B4 B7 56 FE AE - B8 BC 9E D1 2E 9A BB 60
11w5d: RADIUS: Framed-Protocol [7] 6 PPP [1]
11w5d: RADIUS: User-Name [1] 7 "ktest"
11w5d: RADIUS: Vendor, Microsoft [26] 16
11w5d: RADIUS: MSCHAP_Challenge [11] 10
11w5d: RADIUS: 9D C5 1E B4 B7 56 FE AE [?????V??]
11w5d: RADIUS: Vendor, Microsoft [26] 58
11w5d: RADIUS: MS-CHAP-Response [1] 52 *
11w5d: RADIUS: NAS-Port-Type [61] 6 Async [0]
11w5d: RADIUS: Calling-Station-Id [31] 7 "async"
11w5d: RADIUS: Vendor, Cisco [26] 15
11w5d: RADIUS: cisco-nas-port [2] 9 "Async97"
11w5d: RADIUS: NAS-Port [5] 6 97
11w5d: RADIUS: Connect-Info [77] 29 "21600/16800 V34/V42bis/LAPM"
11w5d: RADIUS: Service-Type [6] 6 Framed [2]
11w5d: RADIUS: Vendor, Microsoft [26] 58
Router#10.10.0.150
Router#
11w5d: %LINK-5-CHANGED: Interface Async97, changed state to reset
Router#
11w5d: %LINK-3-UPDOWN: Interface Async97, changed state to down
Router#
11w5d: RADIUS: Retransmit to (X.X.X.X:1645,1646) for id 21645/40
11w5d: RADIUS: authenticator 9D C5 1E B4 B7 56 FE AE - B8 BC 9E D1 2E 9A BB 60
11w5d: RADIUS: Framed-Protocol [7] 6 PPP [1]
11w5d: RADIUS: User-Name [1] 7 "ktest"
11w5d: RADIUS: Vendor, Microsoft [26] 16
11w5d: RADIUS: MSCHAP_Challenge [11] 10
11w5d: RADIUS: 9D C5 1E B4 B7 56 FE AE [?????V??]
11w5d: RADIUS: Vendor, Microsoft [26] 58
11w5d: RADIUS: MS-CHAP-Response [1] 52 *
11w5d: RADIUS: NAS-Port-Type [61] 6 Async [0]
11w5d: RADIUS: Calling-Station-Id [31] 7 "async"
Router#
11w5d: RADIUS: NAS-Port-Type [61] 6 Async [0]
11w5d: RADIUS: cisco-nas-port [2] 9 "Async97"
11w5d: RADIUS: NAS-Port [5] 6 97
11w5d: RADIUS: Connect-Info [77] 29 "21600/16800 V34/V42bis/LAPM"
11w5d: RADIUS: Service-Type [6] 6 Framed [2]
11w5d: RADIUS: NAS-IP-Address [4] 6 10.10.0.150
Router#
11w5d: RADIUS: No response from (X.X.X.X:1645,1646) for id 21645/40
11w5d: RADIUS/DECODE: parse response no app start; FAIL
11w5d: RADIUS/DECODE: parse response; FAIL
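As an added example (not from the original post), a small Python checker that parses the kind of `debug radius verbose` output shown above and reports two things worth verifying before touching the firewall: whether the router really sources the RADIUS packets from the configured source-interface address, and which request ids went unanswered after retransmits. Y.Y.Y.Y is assumed to be the Loopback10 address, and the sample lines are a constructed excerpt of the output quoted in the post.

```python
import re

# Constructed sample: the key lines of the `debug radius verbose` output quoted in the post.
SAMPLE_DEBUG = """\
11w5d: RADIUS/ENCODE: Best Local IP-Address 10.10.0.150 for Radius-Server X.X.X.X
11w5d: RADIUS(0000AE7C): Send Access-Request to X.X.X.X:1645 id 21645/40, len 182
11w5d: RADIUS: NAS-IP-Address [4] 6 10.10.0.150
11w5d: RADIUS: Retransmit to (X.X.X.X:1645,1646) for id 21645/40
11w5d: RADIUS: Retransmit to (X.X.X.X:1645,1646) for id 21645/40
11w5d: RADIUS: No response from (X.X.X.X:1645,1646) for id 21645/40
"""

# Assumed: Y.Y.Y.Y stands for the address on Loopback10, the configured source interface.
EXPECTED_SOURCE_IP = "Y.Y.Y.Y"

LOCAL_RE = re.compile(r"Best Local IP-Address (\S+) for Radius-Server (\S+)")
SEND_RE = re.compile(r"Send Access-Request to (\S+) id (\S+),")
RETX_RE = re.compile(r"Retransmit to \(([^)]*)\) for id (\S+)")
NORESP_RE = re.compile(r"No response from \(([^)]*)\) for id (\S+)")


def analyse_radius_debug(log_text, expected_source_ip):
    """Return (requests, warnings): per-id request state plus diagnostic warnings."""
    requests = {}
    warnings = []
    for line in log_text.splitlines():
        if m := LOCAL_RE.search(line):
            local_ip, server = m.groups()
            if local_ip != expected_source_ip:
                # The router chose a different local address than the source interface:
                # a firewall rule written for expected_source_ip will not match these packets.
                warnings.append(f"packets to {server} are sourced from {local_ip}, "
                                f"not the configured source interface ({expected_source_ip})")
        elif m := SEND_RE.search(line):
            server, req_id = m.groups()
            requests[req_id] = {"server": server, "retransmits": 0, "answered": True}
        elif m := RETX_RE.search(line):
            server, req_id = m.groups()
            requests.setdefault(req_id, {"server": server, "retransmits": 0, "answered": True})
            requests[req_id]["retransmits"] += 1
        elif m := NORESP_RE.search(line):
            server, req_id = m.groups()
            requests.setdefault(req_id, {"server": server, "retransmits": 0, "answered": True})
            requests[req_id]["answered"] = False
    for req_id, state in requests.items():
        if not state["answered"]:
            warnings.append(f"request id {req_id} to {state['server']} got no reply "
                            f"after {state['retransmits']} retransmit(s)")
    return requests, warnings
```

Feed it the full terminal capture to see every request id and a warning whenever the chosen local address differs from the one the firewall permits.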