
Author Topic: CISCO VPN + RADIUS WINDOWS 2008 R2 + iphone  (Read 8853 times)

retrooo_7

CISCO VPN + RADIUS WINDOWS 2008 R2 + iphone
« : 17 December 2013, 12:46:53 »
Hi everyone, here is what I have:
- Windows 2008 R2
the NPS role is installed, the policy is configured as follows
authentication - ms-chap2
encryption - no encryption
and the user group has been added


- a cisco 2921 router
vpn pptp

!! authentication setup
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting network VPN-USERS
 action-type start-stop
 group radius
aaa session-id common

! on the interface
ppp accounting VPN-USERS

! RADIUS setup
radius server KR-RS
 address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
 key 7777777

When connecting to the VPN from Windows everything works fine, logging works, and everyone is happy,
but the lucky owners of an iPhone cannot connect to the VPN at all, even though before RADIUS was set up, when local authentication on the Cisco with the same ms-chap 2 was in place, everything worked. Please tell me where to dig!!!



NPS
<Event><Timestamp data_type="4">12/16/2013 12:47:16.419</Timestamp><Computer-Name data_type="1">KR-RS</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Framed-Protocol data_type="0">1</Framed-Protocol><User-Name data_type="1">transasia\radiustest</User-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><NAS-Port data_type="0">339</NAS-Port><NAS-Port-Id data_type="1">Uniq-Sess-ID339</NAS-Port-Id><Service-Type data_type="0">2</Service-Type><NAS-IP-Address data_type="3">192.168.210.87</NAS-IP-Address><Client-IP-Address data_type="3">192.168.210.87</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">192.168.210.87</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">TRANSASIA\radiustest</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">TRANSASIA\radiustest</Fully-Qualifed-User-Name><Class data_type="1">311 1 192.168.208.219 12/11/2013 23:34:17 48</Class><Authentication-Type data_type="0">2</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/16/2013 12:47:16.419</Timestamp><Computer-Name data_type="1">KR-RS</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.208.219 12/11/2013 23:34:17 48</Class><Authentication-Type data_type="0">2</Authentication-Type><Fully-Qualifed-User-Name data_type="1">TRANSASIA\radiustest</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">TRANSASIA\radiustest</SAM-Account-Name><Provider-Type data_type="0">1</Provider-Type><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Client-IP-Address data_type="3">192.168.210.87</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">192.168.210.87</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">19</Reason-Code></Event>


CISCO

002682: Dec 16 13:28:00.414 MSK: PPP: Alloc Context [3C560C54]
002683: Dec 16 13:28:00.414 MSK: ppp348 PPP: Initialized Context 3C560C54
002684: Dec 16 13:28:00.414 MSK: ppp348 PPP: Phase is ESTABLISHING
002685: Dec 16 13:28:00.414 MSK: ppp348 PPP: Using AAA Unique Id = 174
002686: Dec 16 13:28:00.414 MSK: ppp348 PPP: Dynamic Bind peer_type[4]
002687: Dec 16 13:28:00.414 MSK: ppp348 PPP: Send Message[Dynamic Bind Response]
002688: Dec 16 13:28:00.414 MSK: ppp348 PPP: Authorization required
002689: Dec 16 13:28:00.414 MSK: ppp348 PPP: Using vpn set call direction
002690: Dec 16 13:28:00.414 MSK: ppp348 PPP: Treating connection as a callin
002691: Dec 16 13:28:00.414 MSK: ppp348 PPP: Session handle[DC000058] Session id[348]
002692: Dec 16 13:28:00.414 MSK: ppp348 PPP LCP: negotiation authorized = 1, tacacs author = 0
002693: Dec 16 13:28:00.414 MSK: ppp348 LCP: Event[OPEN] State[Initial to Starting]
002694: Dec 16 13:28:00.414 MSK: ppp348 PPP LCP: Enter passive mode, state[Stopped]
002695: Dec 16 13:28:00.466 MSK: ppp348 LCP: I CONFREQ [Stopped] id 1 len 20
002696: Dec 16 13:28:00.466 MSK: ppp348 LCP: ACCM 0x00000000 (0x020600000000)
002697: Dec 16 13:28:00.466 MSK: ppp348 LCP: MagicNumber 0x07A81B79 (0x050607A81B79)
002698: Dec 16 13:28:00.466 MSK: ppp348 LCP: PFC (0x0702)
002699: Dec 16 13:28:00.466 MSK: ppp348 LCP: ACFC (0x0802)
002700: Dec 16 13:28:00.466 MSK: ppp348 PPP LCP: neg is authorized, processing incoming CONFREQ
002701: Dec 16 13:28:00.466 MSK: ppp348 LCP: O CONFREQ [Stopped] id 1 len 15
002702: Dec 16 13:28:00.466 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002703: Dec 16 13:28:00.466 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002704: Dec 16 13:28:00.466 MSK: ppp348 LCP: O CONFACK [Stopped] id 1 len 20
002705: Dec 16 13:28:00.466 MSK: ppp348 LCP: ACCM 0x00000000 (0x020600000000)
002706: Dec 16 13:28:00.466 MSK: ppp348 LCP: MagicNumber 0x07A81B79 (0x050607A81B79)
002707: Dec 16 13:28:00.466 MSK: ppp348 LCP: PFC (0x0702)
002708: Dec 16 13:28:00.466 MSK: ppp348 LCP: ACFC (0x0802)
002709: Dec 16 13:28:00.466 MSK: ppp348 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]
002710: Dec 16 13:28:00.498 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 1 len 9
002711: Dec 16 13:28:00.498 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002712: Dec 16 13:28:00.498 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 2 len 15
002713: Dec 16 13:28:00.498 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002714: Dec 16 13:28:00.498 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002715: Dec 16 13:28:00.498 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002716: Dec 16 13:28:00.530 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 2 len 9
002717: Dec 16 13:28:00.530 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002718: Dec 16 13:28:00.530 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 3 len 15
002719: Dec 16 13:28:00.530 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002720: Dec 16 13:28:00.530 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002721: Dec 16 13:28:00.530 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002722: Dec 16 13:28:00.562 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 3 len 9
002723: Dec 16 13:28:00.562 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002724: Dec 16 13:28:00.562 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 4 len 15
002725: Dec 16 13:28:00.562 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002726: Dec 16 13:28:00.562 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002727: Dec 16 13:28:00.562 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002728: Dec 16 13:28:00.594 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 4 len 9
002729: Dec 16 13:28:00.594 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002730: Dec 16 13:28:00.594 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 5 len 15
002731: Dec 16 13:28:00.594 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002732: Dec 16 13:28:00.594 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002733: Dec 16 13:28:00.594 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002734: Dec 16 13:28:00.626 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 5 len 9
002735: Dec 16 13:28:00.626 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002736: Dec 16 13:28:00.626 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 6 len 15
002737: Dec 16 13:28:00.626 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002738: Dec 16 13:28:00.626 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002739: Dec 16 13:28:00.626 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002740: Dec 16 13:28:00.658 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 6 len 9
002741: Dec 16 13:28:00.658 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002742: Dec 16 13:28:00.658 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 7 len 15
002743: Dec 16 13:28:00.658 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002744: Dec 16 13:28:00.658 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002745: Dec 16 13:28:00.658 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002746: Dec 16 13:28:00.706 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 7 len 9
002747: Dec 16 13:28:00.706 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002748: Dec 16 13:28:00.706 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 8 len 15
002749: Dec 16 13:28:00.706 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002750: Dec 16 13:28:00.706 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002751: Dec 16 13:28:00.706 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002752: Dec 16 13:28:00.738 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 8 len 9
002753: Dec 16 13:28:00.738 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002754: Dec 16 13:28:00.738 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 9 len 15
002755: Dec 16 13:28:00.738 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002756: Dec 16 13:28:00.738 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002757: Dec 16 13:28:00.738 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002758: Dec 16 13:28:00.786 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 9 len 9
002759: Dec 16 13:28:00.786 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002760: Dec 16 13:28:00.786 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 10 len 15
002761: Dec 16 13:28:00.786 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002762: Dec 16 13:28:00.786 MSK: ppp348 LCP: MagicNumber 0x169CD6AA (0x0506169CD6AA)
002763: Dec 16 13:28:00.786 MSK: ppp348 LCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
002764: Dec 16 13:28:00.818 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 10 len 9
002765: Dec 16 13:28:00.818 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002766: Dec 16 13:28:00.818 MSK: ppp348 LCP: Received too many CONFREJs. Closing CP
002767: Dec 16 13:28:00.818 MSK: ppp348 PPP DISC: LCP failed to negotiate
002768: Dec 16 13:28:00.818 MSK: ppp348 PPP: Sending Acct Event[Down] id[174]
002769: Dec 16 13:28:00.818 MSK: PPP: NET STOP send to AAA.
002770: Dec 16 13:28:00.818 MSK: ppp348 LCP: O TERMREQ [ACKsent] id 11 len 4
002771: Dec 16 13:28:00.818 MSK: ppp348 LCP: Event[CLOSE] State[ACKsent to Closing]
002772: Dec 16 13:28:00.850 MSK: ppp348 LCP: I TERMACK [Closing] id 11 len 4
002773: Dec 16 13:28:00.850 MSK: ppp348 LCP: Event[Receive TermAck] State[Closing to Closed]
002774: Dec 16 13:28:00.850 MSK: ppp348 LCP: Event[DOWN] State[Closed to Initial]
002775: Dec 16 13:28:00.850 MSK: ppp348 PPP: Clearing AAA Unique Id = 174
002776: Dec 16 13:28:00.850 MSK: ppp348 PPP: Send Message[Disconnect]
002777: Dec 16 13:28:00.850 MSK: ppp348 PPP: Phase is DOWN

itpro

Re: CISCO VPN + RADIUS WINDOWS 2008 R2 + iphone
« Reply #1 : 18 December 2013, 13:55:09 »
It's hard to say for certain - perhaps iOS (which version, by the way?) has its own peculiarity in its msCHAP v2 implementation that differs from the MS implementation. Have you tried enabling other authentication types on NPS? Plain MS-CHAP, or CHAP - does the VPN come up with those?

retrooo_7

Re: CISCO VPN + RADIUS WINDOWS 2008 R2 + iphone
« Reply #2 : 18 December 2013, 14:52:02 »
In short, I beat it...
On the virtual interface it should be like this

ppp authentication ms-chap-v2

and the same in the RADIUS policy


iPhones don't do pap, eap and chap, and that's why RADIUS kicks them out...

Thanks everyone!
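
An added example, not part of the original posts: a small Python parser for the router's PPP debug output that decodes the Authentication-Protocol option bytes IOS prints in parentheses and lists, per session, which methods the router offered and which the peer rejected. The sample lines are an excerpt of the log posted above; the function names (decode_auth_option, summarize, auth_deadlock) are hypothetical.

```python
import re

# LCP option 3 (Authentication-Protocol) is: type, length, protocol[, CHAP algorithm]
PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
CHAP_ALGORITHMS = {0x05: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAP-V2"}
KIND = {("O", "CONFREQ"): "offered", ("I", "CONFREJ"): "rejected"}
HEADER = re.compile(r"(ppp\d+) LCP: ([IO]) (CONF\w+) \[\w+\] id \d+")
OPTION = re.compile(r"(ppp\d+) LCP:\s+AuthProto .*\(0x([0-9A-Fa-f]+)\)")
DISC = re.compile(r"(ppp\d+) PPP DISC: (.+)")

# Excerpt of the router debug output posted in this thread
SAMPLE = """\
002701: Dec 16 13:28:00.466 MSK: ppp348 LCP: O CONFREQ [Stopped] id 1 len 15
002702: Dec 16 13:28:00.466 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002710: Dec 16 13:28:00.498 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 1 len 9
002711: Dec 16 13:28:00.498 MSK: ppp348 LCP: AuthProto CHAP (0x0305C22305)
002712: Dec 16 13:28:00.498 MSK: ppp348 LCP: O CONFREQ [ACKsent] id 2 len 15
002713: Dec 16 13:28:00.498 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002716: Dec 16 13:28:00.530 MSK: ppp348 LCP: I CONFREJ [ACKsent] id 2 len 9
002717: Dec 16 13:28:00.530 MSK: ppp348 LCP: AuthProto MS-CHAP-V2 (0x0305C22381)
002767: Dec 16 13:28:00.818 MSK: ppp348 PPP DISC: LCP failed to negotiate
""".splitlines()

def decode_auth_option(hex_bytes):
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 4 or raw[0] != 3 or raw[1] != len(raw):
        return "malformed"
    proto = int.from_bytes(raw[2:4], "big")
    name = PROTOCOLS.get(proto, f"0x{proto:04X}")
    if proto == 0xC223 and len(raw) == 5:
        name += "/" + CHAP_ALGORITHMS.get(raw[4], f"0x{raw[4]:02X}")
    return name

def summarize(lines):
    # Option lines belong to the most recent LCP packet header of that session
    sessions, last = {}, {}
    new = lambda: {"offered": [], "rejected": [], "disconnect": None}
    for line in lines:
        if m := HEADER.search(line):
            last[m[1]] = (m[2], m[3])
        elif m := OPTION.search(line):
            if kind := KIND.get(last.get(m[1])):
                sessions.setdefault(m[1], new())[kind].append(decode_auth_option(m[2]))
        elif m := DISC.search(line):
            sessions.setdefault(m[1], new())["disconnect"] = m[2].strip()
    return sessions

def auth_deadlock(s):
    # Every method the router offered was rejected, and LCP then gave up
    return bool(s["offered"]) and set(s["offered"]) <= set(s["rejected"]) and bool(s["disconnect"])
```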

 
