I have a Cisco 2911 running c2900-universalk9-mz.SPA.151-3.T.bin. I set up a PPTP VPN with user authentication through AD (NPS - RADIUS).
AAA:
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa accounting network VPN-USERS
 action-type start-stop
 group radius
VPDN:
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
Virtual-Template:
interface Virtual-Template1
 ip unnumbered fa0/0
 peer default ip address pool VPN
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
 ppp authorization X-AUTH
 ppp accounting VPN-USERS
RADIUS configuration:
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key xxxxxxxxxxx
And the IP address pool itself:
ip local pool VPN 192.168.13.1 192.168.13.20
VPN users connect over the VPN fine. But there is a problem: VPN users have access to every subnet that exists on the Cisco. I would like to attach ACLs to them; after going through the manuals I understood that this is done via VSA, which in Cisco's case is the av-pair. The problem is that the av-pair arrives at the Cisco, but it has no effect at all.
Debug RADIUS:
Dec 25 01:06:46.980: RADIUS/ENCODE(00000CB7):Orig. component type = VPDN
Dec 25 01:06:46.980: RADIUS: AAA Unsupported Attr: interface [209] 13
Dec 25 01:06:46.980: RADIUS: 55 6E 69 71 2D 53 65 73 73 2D 49 [ Uniq-Sess-I]
Dec 25 01:06:46.980: RADIUS(00000CB7): Config NAS IP: 0.0.0.0
Dec 25 01:06:46.980: RADIUS/ENCODE(00000CB7): acct_session_id: 3246
Dec 25 01:06:46.980: RADIUS(00000CB7): sending
Dec 25 01:06:46.980: RADIUS/ENCODE: Best Local IP-Address xxx.xxx.xxx.xxx for Radius-Server xxx.xxx.xxx.xxx
Dec 25 01:06:46.980: RADIUS(00000CB7): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/2, len 157
Dec 25 01:06:46.980: RADIUS: authenticator 6F A4 19 55 FA 91 7A 6E - BA F3 4D C4 83 75 3A C1
Dec 25 01:06:46.980: RADIUS: Framed-Protocol [7] 6 PPP [1]
Dec 25 01:06:46.980: RADIUS: User-Name [1] 10 "TEST"
Dec 25 01:06:46.980: RADIUS: Vendor, Microsoft [26] 24
Dec 25 01:06:46.980: RADIUS: MS-CHAP-Challenge [11] 18
Dec 25 01:06:46.980: RADIUS: 6F A4 19 55 FA 91 7A 6E BA F3 4D C4 83 75 3A C1 [ oUznMu:]
Dec 25 01:06:46.980: RADIUS: Vendor, Microsoft [26] 58
Dec 25 01:06:46.980: RADIUS: MS-CHAP-V2-Response[25] 52 *
Dec 25 01:06:46.980: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Dec 25 01:06:46.980: RADIUS: NAS-Port [5] 6 2
Dec 25 01:06:46.980: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID2"
Dec 25 01:06:46.980: RADIUS: Service-Type [6] 6 Framed [2]
Dec 25 01:06:46.980: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Dec 25 01:06:46.980: RADIUS(00000CB7): Started 5 sec timeout
Dec 25 01:06:46.984: RADIUS: Received from id 1645/2 xxx.xxx.xxx.xxx:1812, Access-Accept, len 309
Dec 25 01:06:46.984: RADIUS: authenticator 46 89 82 B5 65 ED 5D 20 - 96 C4 EC 48 EB 1F 34 F4
Dec 25 01:06:46.984: RADIUS: Framed-Protocol [7] 6 PPP [1]
Dec 25 01:06:46.984: RADIUS: Service-Type [6] 6 Framed [2]
Dec 25 01:06:46.984: RADIUS: Class [25] 46
Dec 25 01:06:46.984: RADIUS: 5A FE 05 2B 00 00 01 37 00 01 02 00 AC 12 00 96 00 00 00 00 00 00 00 00 00 00 00 00 01 D0 19 BA 65 48 BC 5C 00 00 00 00 00 00 00 32 [ Z+7eH\2]
Dec 25 01:06:46.984: RADIUS: Vendor, Microsoft [26] 42
Dec 25 01:06:46.984: RADIUS: MS-MPPE-Recv-Key [17] 36 *
Dec 25 01:06:46.984: RADIUS: Vendor, Microsoft [26] 42
Dec 25 01:06:46.984: RADIUS: MS-MPPE-Send-Key [16] 36 *
Dec 25 01:06:46.984: RADIUS: Vendor, Microsoft [26] 51
Dec 25 01:06:46.984: RADIUS: MS-CHAP-V2-Success [26] 45 "S=72A45B8CB57C36FF86C7CADB586D15B00038B0DB"
Dec 25 01:06:46.984: RADIUS: Vendor, Microsoft [26] 12
Dec 25 01:06:46.984: RADIUS: MS-CHAP-DOMAIN [10] 6 "TEST"
Dec 25 01:06:46.984: RADIUS: Vendor, Cisco [26] 36
Dec 25 01:06:46.988: RADIUS: Cisco AVpair [1] 30 "ip:inacl#500=deny ip any any"
Dec 25 01:06:46.988: RADIUS: Vendor, Microsoft [26] 12
Dec 25 01:06:46.988: RADIUS: MS-Link-Util-Thresh[14] 6
Dec 25 01:06:46.988: RADIUS: 00 00 00 32 [ 2]
Dec 25 01:06:46.988: RADIUS: Vendor, Microsoft [26] 12
Dec 25 01:06:46.988: RADIUS: MS-Link-Drop-Time-L[15] 6
Dec 25 01:06:46.988: RADIUS: 00 00 00 78 [ x]
Dec 25 01:06:46.988: RADIUS: Vendor, Microsoft [26] 12
Dec 25 01:06:46.988: RADIUS: MS-MPPE-Enc-Policy [7] 6
Dec 25 01:06:46.988: RADIUS: 00 00 00 02
Dec 25 01:06:46.988: RADIUS: Vendor, Microsoft [26] 12
Dec 25 01:06:46.988: RADIUS: MS-MPPE-Enc-Type [8] 6
Dec 25 01:06:46.988: RADIUS: 00 00 00 04
Dec 25 01:06:46.988: RADIUS(00000CB7): Received from id 1645/2
Dec 25 01:06:46.996: RADIUS/ENCODE(00000CB7):Orig. component type = VPDN
Dec 25 01:06:46.996: RADIUS(00000CB7): Config NAS IP: 0.0.0.0
Dec 25 01:06:46.996: RADIUS(00000CB7): sending
Dec 25 01:06:46.996: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Dec 25 01:06:46.996: RADIUS/ENCODE: Best Local IP-Address xxx.xxx.xxx.xxx for Radius-Server xxx.xxx.xxx.xxx
Dec 25 01:06:46.996: RADIUS(00000CB7): Send Accounting-Request to xxx.xxx.xxx.xxx:1813 id 1646/3, len 197
Dec 25 01:06:46.996: RADIUS: authenticator 0E CC 68 3E F3 67 A1 67 - B1 35 A9 6A 65 3B 8D F7
Dec 25 01:06:46.996: RADIUS: Acct-Session-Id [44] 10 "00000CAE"
Dec 25 01:06:46.996: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Dec 25 01:06:46.996: RADIUS: Tunnel-Server-Endpoi[67] 16 "xxx.xxx.xxx.xxx"
Dec 25 01:06:46.996: RADIUS: Tunnel-Client-Endpoi[66] 15 "xxx.xxx.xxx.xxx"
Dec 25 01:06:46.996: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Dec 25 01:06:46.996: RADIUS: Tunnel-Server-Auth-I[91] 4 "R0"
Dec 25 01:06:46.996: RADIUS: Acct-Tunnel-Connecti[68] 4 "42"
Dec 25 01:06:46.996: RADIUS: Framed-Protocol [7] 6 PPP [1]
Dec 25 01:06:46.996: RADIUS: User-Name [1] 10 "TEST"
Dec 25 01:06:46.996: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Dec 25 01:06:46.996: RADIUS: Acct-Status-Type [40] 6 Start [1]
Dec 25 01:06:46.996: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Dec 25 01:06:46.996: RADIUS: NAS-Port [5] 6 2
Dec 25 01:06:46.996: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID2"
Dec 25 01:06:46.996: RADIUS: Class [25] 46
Dec 25 01:06:46.996: RADIUS: 5A FE 05 2B 00 00 01 37 00 01 02 00 AC 12 00 96 00 00 00 00 00 00 00 00 00 00 00 00 01 D0 19 BA 65 48 BC 5C 00 00 00 00 00 00 00 32 [ Z+7eH\2]
Dec 25 01:06:46.996: RADIUS: Service-Type [6] 6 Framed [2]
Dec 25 01:06:46.996: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Dec 25 01:06:46.996: RADIUS: Acct-Delay-Time [41] 6 0
Dec 25 01:06:46.996: RADIUS(00000CB7): Started 5 sec timeout
Dec 25 01:06:47.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
R0#
Dec 25 01:06:47.000: RADIUS: Received from id 1646/3 xxx.xxx.xxx.xxx:1813, Accounting-response, len 20
Dec 25 01:06:47.004: RADIUS: authenticator 8D 72 92 EE DE 16 1F AD - 66 C4 CC C3 7D DF BC 03
I don't like this line:
AAA Unsupported Attr: interface [209] 13
NPS is configured like this:
The Cisco doesn't react to the AV-Pair at all, heelp pleease(
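An added diagnostic, not part of the post above and not a Cisco tool: it parses a `debug radius` trace of the shape shown in the post into packets and attributes, pulls the Cisco AV-pairs out of the Access-Accept, and lints the AAA configuration for two things a practitioner would check when a per-user `ip:inacl#` AV-pair arrives but is never applied: a `ppp authorization` method list that is referenced but never defined, and an `aaa authorization network` list that does not consult `group radius` (Cisco's per-user ACL documentation requires the session's network authorization list to include the RADIUS group for attributes returned in the Access-Accept to be applied). The sample trace and sample config are constructed from the post's own lines, with the server address replaced by a documentation address; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed "debug radius" trace in the post's format,
# with the RADIUS server address replaced by a documentation address.
SAMPLE_DEBUG = """\
Dec 25 01:06:46.980: RADIUS: AAA Unsupported Attr: interface [209] 13
Dec 25 01:06:46.980: RADIUS(00000CB7): Send Access-Request to 192.0.2.10:1812 id 1645/2, len 157
Dec 25 01:06:46.980: RADIUS: User-Name [1] 10 "TEST"
Dec 25 01:06:46.980: RADIUS: Vendor, Microsoft [26] 58
Dec 25 01:06:46.980: RADIUS: MS-CHAP-V2-Response[25] 52 *
Dec 25 01:06:46.984: RADIUS: Received from id 1645/2 192.0.2.10:1812, Access-Accept, len 309
Dec 25 01:06:46.984: RADIUS: Framed-Protocol [7] 6 PPP [1]
Dec 25 01:06:46.984: RADIUS: Class [25] 46
Dec 25 01:06:46.984: RADIUS: 5A FE 05 2B 00 00 01 37 [ Z+7]
Dec 25 01:06:46.984: RADIUS: Vendor, Cisco [26] 36
Dec 25 01:06:46.988: RADIUS: Cisco AVpair [1] 30 "ip:inacl#500=deny ip any any"
Dec 25 01:06:46.988: RADIUS: Vendor, Microsoft [26] 12
Dec 25 01:06:46.988: RADIUS: MS-MPPE-Enc-Policy [7] 6
Dec 25 01:06:46.988: RADIUS: 00 00 00 02
Dec 25 01:06:46.996: RADIUS(00000CB7): Send Accounting-Request to 192.0.2.10:1813 id 1646/3, len 197
Dec 25 01:06:46.996: RADIUS: Acct-Status-Type [40] 6 Start [1]
"""

# Constructed sample: the AAA and Virtual-Template lines from the post.
SAMPLE_CONFIG = """\
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa accounting network VPN-USERS
 action-type start-stop
 group radius
interface Virtual-Template1
 ppp authentication ms-chap-v2
 ppp authorization X-AUTH
 ppp accounting VPN-USERS
"""

# "Send <Type> to ..." marks a packet the router sends; "Received from ..., <Type>," one it gets.
PACKET_RE = re.compile(
    r"RADIUS(?:\(\w+\))?: (?:Send (?P<sent>[\w-]+) to|Received from .*?, (?P<recv>[\w-]+),)")
# "<Name> [<type>] <len> <value>"; hex dump lines never have a numeric [type] so they are skipped.
ATTR_RE = re.compile(r"RADIUS: (?P<name>[^\[]+?)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$")


def parse_debug_radius(text: str) -> List[Dict]:
    """Group attribute lines under the packet header that precedes them."""
    packets: List[Dict] = []
    current: Optional[Dict] = None
    pending_vendor: Optional[str] = None  # "Vendor, X" line applies to the next attribute
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            current = {"kind": m.group("sent") or m.group("recv"), "attributes": []}
            packets.append(current)
            continue
        m = ATTR_RE.search(line)
        if not m or current is None:
            continue
        name = m.group("name").strip()
        if name.startswith("Vendor, "):
            pending_vendor = name.split(", ", 1)[1]
            continue
        current["attributes"].append({"name": name, "type": int(m.group("type")),
                                      "vendor": pending_vendor,
                                      "value": m.group("value").strip().strip('"')})
        pending_vendor = None
    return packets


def cisco_avpairs(packets: List[Dict]) -> List[str]:
    """AV-pair strings returned by the server in Access-Accept packets."""
    return [a["value"] for p in packets if p["kind"] == "Access-Accept"
            for a in p["attributes"] if a["vendor"] == "Cisco" and a["name"] == "Cisco AVpair"]


def _methods(tokens: List[str]) -> List[str]:
    """Join 'group radius' style two-token methods into one string each."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1]); i += 2
        else:
            out.append(tokens[i]); i += 1
    return out


def network_authorization_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authorization network <list>' to its method sequence."""
    lists = {}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["aaa", "authorization", "network"] and len(t) > 3:
            lists[t[3]] = _methods(t[4:])
    return lists


def referenced_undefined_lists(config: str) -> List[str]:
    """'ppp authorization <list>' names that no 'aaa authorization network' line defines."""
    referenced = {line.split()[2] for line in config.splitlines()
                  if line.split()[:2] == ["ppp", "authorization"] and len(line.split()) > 2}
    return sorted(referenced - set(network_authorization_lists(config)))


def lists_not_consulting_radius(config: str) -> List[str]:
    return sorted(n for n, m in network_authorization_lists(config).items() if "group radius" not in m)


def diagnose(debug_text: str, config: str) -> List[str]:
    findings = []
    acl_pairs = [p for p in cisco_avpairs(parse_debug_radius(debug_text))
                 if p.startswith(("ip:inacl#", "ip:outacl#"))]
    if not acl_pairs:
        findings.append("no ip:inacl#/ip:outacl# AV-pair in Access-Accept")
    findings += [f"ppp authorization references undefined list {n}" for n in referenced_undefined_lists(config)]
    findings += [f"aaa authorization network {n} does not include 'group radius'"
                 for n in lists_not_consulting_radius(config)]
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_DEBUG, SAMPLE_CONFIG):
        print(f)
```

Run against the post's own trace and config, the AV-pair is confirmed present in the Access-Accept, so the parser reports nothing about the server side and the two findings concern only the router's authorization lists; the same `parse_debug_radius` output can be kept as evidence when comparing a working and a non-working session.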