Jan 1 01:00:05.391: As12 L2F: MID jeremy@hgw.com state open
Jan 1 01:00:05.391: As12 L2F: MID synced NAS/HG Clid=47/12 Mid=1
Jan 1 01:00:05.523: L2F: L2F_CLOSE received
Jan 1 01:00:05.523: %VPDN-6-AUTHENERR: L2F HGW ENT_HGW cannot locate a AAA server for As12 user jeremy@hgw.com; Authentication failure
ENT_HGW#
Jan 1 01:00:05.302: L2F: L2F_CONF received
Jan 1 01:00:05.302: L2F: Creating new tunnel for ISP_NAS
Jan 1 01:00:05.302: L2F: Tunnel state closed
Jan 1 01:00:05.302: L2F: Got a tunnel named ISP_NAS, responding
Jan 1 01:00:05.302: L2F: Open UDP socket to 172.22.66.23
Jan 1 01:00:05.302: ISP_NAS L2F: Tunnel state opening
Jan 1 01:00:05.306: L2F: L2F_OPEN received
Jan 1 01:00:05.306: L2F: Removing resend packet (L2F_CONF)
Jan 1 01:00:05.306: ISP_NAS L2F: Tunnel state open
Jan 1 01:00:05.306: L2F: Tunnel authentication succeeded for ISP_NAS
Jan 1 01:00:05.310: L2F: L2F_OPEN received
Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: CLID/DNIS 4089548021/5550945
Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: NAS-Port Async12
Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: Client-Bandwidth-Kbps 115
Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: NAS-Rate L2F/26400/28800
Jan 1 01:00:05.310: L2F: Got a MID management packet
Jan 1 01:00:05.310: L2F: MID state closed
Jan 1 01:00:05.310: L2F: Start create mid intf process for jeremy@hgw.com
5w6d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Configuring the Access VPN to Work with Remote AAA 85
Jan 1 01:00:05.390: Vi1 L2X: Discarding packet because of no mid/session
Jan 1 01:00:05.390: Vi1 L2F: Transfer NAS-Rate L2F/26400/28800 to LCP
Jan 1 01:00:05.390: Vi1 L2F: Finish create mid intf for jeremy@hgw.com
Jan 1 01:00:05.390: Vi1 L2F: MID jeremy@hgw.com state open
5w6d: %VPDN-6-AUTHENERR: L2F HGW ENT_HGW cannot locate a AAA server for Vi1 user jeremy@hgw.com; Authentication failure
Error Contacting RADIUS Server
If the aaa authorization command on the home gateway is configured with the default radius none
keywords, the home gateway may allow unauthorized access to your network.
This command is an instruction to first use RADIUS for authorization. The home gateway first
contacts the RADIUS server (because of the radius keyword). If an error occurs when the home
gateway contacts the RADIUS server, it falls through to the next method, and the none keyword
means no authorization is performed at all: the user is let in without being authorized.
To see the following debug output, enable the debug aaa authorization command on the home
gateway and dial in to the NAS:
ENT_HGW#
*Feb 5 17:27:36.166: Vi1 AAA/AUTHOR/LCP: Authorize LCP
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP Vi1 (3192359105): Port='Virtual-Access1' list='' service=NET
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) user='jeremy@hgw.com'
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) send AV service=ppp
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) send AV protocol=lcp
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP (3192359105) found list "default"
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) Method=RADIUS
*Feb 5 17:27:36.166: AAA/AUTHOR (3192359105): Post authorization status = ERROR
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) Method=NONE
*Feb 5 17:27:36.166: AAA/AUTHOR (3192359105): Post authorization status = PASS_ADD
*Feb 5 17:27:36.166: Vi1 CHAP: O SUCCESS id 1 len 4
Caution: Using the none keyword can allow unauthorized access to your network. Because of the risk of
such errors occurring, we strongly suggest that you do not use the none keyword in your aaa commands.
Misconfigured AAA Authentication
If you reverse the order of the local and radius keywords in the aaa authentication ppp command
on the home gateway, the L2F tunnel cannot be established. The command should be configured as
aaa authentication ppp default local radius.
If you configure the command as aaa authentication ppp default radius local, the home gateway
first tries to authenticate the L2F tunnel using RADIUS. The RADIUS server sends the following
message to the home gateway. To see this message, enable the debug radius command.
ENT_HGW#
Jan 1 01:34:47.827: RADIUS: SENDPASS not supported (action=4)
The RADIUS protocol does not support inbound challenges: RADIUS is designed to authenticate user
credentials, not to be authenticated by others. So when the home gateway asks the RADIUS server for
the tunnel secret it needs for L2F tunnel authentication, the server responds with the SENDPASS not
supported message.
To avoid this problem, use the aaa authentication ppp default local radius command on the home
gateway.
If your call still cannot successfully complete AAA negotiation, contact your support personnel.
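The three failure signatures discussed in this chapter all surface as recognizable lines in the debug output: the Method=RADIUS ERROR followed by Method=NONE PASS_ADD fall-through of an aaa authorization list that ends in none, the RADIUS: SENDPASS not supported message from a misordered aaa authentication ppp list, and the %VPDN-6-AUTHENERR lines from a home gateway that cannot locate any AAA server. The following Python script is an added example, not part of the Cisco case study, that triages a captured debug log for all three. The sample log is constructed from the output shown on this page; the second session (alice@hgw.com, id 3192359106) is invented for contrast and does not appear in the original.

```python
"""Triage Cisco IOS AAA / L2F debug output for fail-open authorization,
misordered authentication methods and unreachable AAA servers.
Added example; the log below is constructed from the case study output."""
import re
from collections import defaultdict

# Constructed sample: lines modelled on the case study, plus an invented
# healthy session (alice@hgw.com, id 3192359106) for contrast.
SAMPLE_LOG = """\
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) user='jeremy@hgw.com'
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP (3192359105) found list "default"
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) Method=RADIUS
*Feb 5 17:27:36.166: AAA/AUTHOR (3192359105): Post authorization status = ERROR
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) Method=NONE
*Feb 5 17:27:36.166: AAA/AUTHOR (3192359105): Post authorization status = PASS_ADD
*Feb 5 17:27:36.166: Vi1 CHAP: O SUCCESS id 1 len 4
*Feb 5 17:28:01.004: AAA/AUTHOR/LCP: Vi2 (3192359106) user='alice@hgw.com'
*Feb 5 17:28:01.004: AAA/AUTHOR/LCP: Vi2 (3192359106) Method=RADIUS
*Feb 5 17:28:01.004: AAA/AUTHOR (3192359106): Post authorization status = PASS_ADD
Jan 1 01:34:47.827: RADIUS: SENDPASS not supported (action=4)
Jan 1 01:00:05.523: %VPDN-6-AUTHENERR: L2F HGW ENT_HGW cannot locate a AAA server for As12 user jeremy@hgw.com; Authentication failure
"""

USER_RE = re.compile(r"AAA/AUTHOR/\w+: \S+ \((\d+)\) user='([^']*)'")
METHOD_RE = re.compile(r"AAA/AUTHOR/\w+: \S+ \((\d+)\) Method=(\w+)")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")
SENDPASS_RE = re.compile(r"RADIUS: SENDPASS not supported")
AUTHENERR_RE = re.compile(r"%VPDN-6-AUTHENERR: .*cannot locate a AAA server for (\S+) user (\S+);")


def parse_author_sessions(text):
    """Group 'debug aaa authorization' lines by AAA session id.

    Returns {session_id: {"user": str | None, "steps": [(method, status), ...]}}.
    Each 'Post authorization status' line is attributed to the most recent
    'Method=' line seen for the same session id, so the per-session step list
    records the method list exactly in the order IOS walked it.
    """
    sessions = defaultdict(lambda: {"user": None, "steps": []})
    pending = {}  # session id -> method whose status line has not arrived yet
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            sessions[m.group(1)]["user"] = m.group(2)
            continue
        m = METHOD_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = STATUS_RE.search(line)
        if m:
            sid, status = m.groups()
            sessions[sid]["steps"].append((pending.pop(sid, "?"), status))
    return dict(sessions)


def find_fail_open(sessions):
    """Flag sessions in which the NONE method granted access after an earlier
    method returned ERROR: the 'radius none' fall-through the chapter warns about."""
    hits = []
    for sid, info in sessions.items():
        saw_error = False
        for method, status in info["steps"]:
            if status == "ERROR":
                saw_error = True
            elif method == "NONE" and status.startswith("PASS") and saw_error:
                hits.append({"session": sid, "user": info["user"], "steps": info["steps"]})
                break
    return hits


def find_sendpass_errors(text):
    """'SENDPASS not supported' means RADIUS was asked for the L2F tunnel secret,
    i.e. the home gateway lists radius before local in aaa authentication ppp."""
    return [line.strip() for line in text.splitlines() if SENDPASS_RE.search(line)]


def find_unreachable_aaa(text):
    """%VPDN-6-AUTHENERR: return (port, user) pairs for which no AAA server was reachable."""
    found = []
    for line in text.splitlines():
        m = AUTHENERR_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def triage(text):
    """Run all three checks over one captured log and return the findings."""
    return {
        "fail_open": find_fail_open(parse_author_sessions(text)),
        "sendpass": find_sendpass_errors(text),
        "aaa_unreachable": find_unreachable_aaa(text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for hit in report["fail_open"]:
        print(f"FAIL-OPEN: session {hit['session']} user {hit['user']} walked {hit['steps']}")
    for line in report["sendpass"]:
        print(f"METHOD ORDER: {line}")
    for port, user in report["aaa_unreachable"]:
        print(f"AAA UNREACHABLE: {user} on {port}")
```

The fail-open check keys on the method sequence rather than on a single line, because a Method=NONE line on its own is harmless in a list that never errors; it is the ERROR immediately before it that turns none into an unauthorized PASS_ADD.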
86 Access VPN Solutions Using Tunneling Technology
L2F Debug Output for the L2F Case Study
This appendix contains comprehensive debug output from the configuration tasks in this case study.
The output is a powerful tool that can help you understand the entire process of how an access VPN
is established when a user dials in.
The most important lines of output in this appendix are shown in bold. Tables at the end of the output
explain these bold lines.
This appendix is divided into the following sections:
" Debug Output from Configuring Basic Dial Access for the NAS
" Debug Output from Configuring Access VPN with Local AAA
" Debug Output from Configuring Access VPN with Remote AAA
Note: If you are accessing the NAS and home gateway through a Telnet connection, you need to
enable the terminal monitor command. This command ensures that your EXEC session is receiving
the logging and debug output from the devices.
Debug Output from Configuring Basic Dial Access for the NAS
The following debug output is produced when a client dials into the NAS via the public switched
telephone network (PSTN) and is authenticated locally on the NAS.
For more information on how to configure basic dial access for the NAS, see Configuring the NAS
for Basic Dial Access.
Enable the following debug commands on the NAS:
" debug isdn q931
" debug ppp negotiation
" debug ppp authentication
" debug modem csm
" debug ip peer
From the client, dial the PRI telephone number assigned to the NAS T1 trunks. The username is
jeremy; the password is subaru. The user is locally authenticated by the NAS.
As the NAS receives the modem call from the client, the following debug command output appears