Note: The information in this document is based on Cisco IOS® Software Release 11.2 and later.
This document examines common debug problems with TACACS+ when Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) is used. It provides the relevant PC settings for Microsoft Windows 95, Windows NT, Windows 98 and Windows 2000, sample router configurations, and examples of good and bad debug output.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. The lab configurations below also contain settings that are acceptable only in an isolated lab (no service password-encryption with clear-text passwords, an SNMP read-write community of public, and the TCP/UDP small servers enabled); do not copy them to production as they are.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Windows 95: proceed as follows:
In the Dial-Up Networking window, select the name of the connection and then File > Properties.
On the Server Types tab, check whether the Require encrypted password check box under Type of Dial-Up Server is selected.
If this check box is selected, the PC accepts only CHAP authentication.
If this check box is not selected, the PC accepts PAP or CHAP authentication.
Windows NT: proceed as follows:
In the Dial-Up Networking window, select the name of the connection and then File > Properties.
Check the settings on the Security tab:
If the Accept any authentication including clear text check box is selected, the PC accepts PAP or CHAP.
If the Accept only encrypted authentication check box is selected, the PC accepts only CHAP authentication.
Windows 98: proceed as follows:
In the Dial-Up Networking window, select the name of the connection and then Properties.
On the Server Types tab, check the settings under Advanced options:
If the Require encrypted password check box is not selected, the PC accepts PAP or CHAP authentication.
If the Require encrypted password check box is selected, the PC accepts only CHAP authentication.
Windows 2000: proceed as follows:
Under Network and Dial-up Connections, select the name of the connection and then Properties.
On the Security tab, under Advanced > Settings > Allow these protocols, check which protocols are selected:
If the Unencrypted password (PAP) check box is selected, the PC accepts PAP.
If the Challenge Handshake Authentication Protocol (CHAP) check box is selected, the PC accepts CHAP as defined in RFC 1994.
If the Microsoft CHAP (MS-CHAP) check box is selected, the PC accepts MS-CHAP version 1 and does not accept RFC 1994 CHAP.
In every case the PC setting must match the ppp authentication pap or ppp authentication chap command on the router's async interface. A PC that requires an encrypted password while the interface is configured for PAP refuses the router's LCP CONFREQ, and the router logs "Closing connection because remote won't authenticate", as the PAP debug output below shows.
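The CHAP exchange that the settings above select, as an added example that is not part of the Cisco document: RFC 1994 CHAP packets are built and verified exactly the way the CHAP debug output later on this page shows them (the router sends a CHALLENGE from "rtpkrb", the PC answers with a RESPONSE from "chapuser", the router asks the TACACS+ server for the clear-text password with SENDPASS and then does the MD5 compare itself). The user database, the passwords and the helper names are assumptions made for the example. Note the security consequence this makes visible: to verify CHAP, the NAS needs the user's clear-text password from the server, so a user whose password the server cannot hand back (a PAP-only user) can never pass CHAP. MD5 appears here because RFC 1994 mandates it, not as a recommendation.

```python
import hashlib
import hmac
import os
import struct
from typing import Callable, Optional, Tuple

# CHAP packet codes (RFC 1994, section 4)
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Value-Size(1) Value Name; Length covers the whole packet."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Inverse of build_packet with the length checks a receiver must do."""
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, identifier, length, value_size = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + value_size > length:
        raise ValueError("malformed CHAP packet")
    return code, identifier, pkt[5:5 + value_size], pkt[5 + value_size:length]


def router_challenge(identifier: int, router_name: bytes = b"rtpkrb",
                     challenge: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Router side: CHALLENGE with a fresh 16-byte random value and the router's own name."""
    challenge = challenge if challenge is not None else os.urandom(16)
    return build_packet(CHAP_CHALLENGE, identifier, challenge, router_name), challenge


def client_response(challenge_pkt: bytes, username: bytes, secret: bytes) -> bytes:
    """PC side: hash the challenge with the password the user typed, answer with the user name."""
    code, identifier, challenge, _router_name = parse_packet(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected CHALLENGE")
    return build_packet(CHAP_RESPONSE, identifier, chap_hash(identifier, secret, challenge), username)


def router_verify(response_pkt: bytes, challenge: bytes,
                  sendpass: Callable[[bytes], Optional[bytes]]) -> Tuple[bool, str]:
    """Router side, as the debug output shows it: fetch the clear-text password from the
    TACACS+ server (SENDPASS) and do the MD5 compare locally. Reasons mirror the debug wording."""
    code, identifier, value, name = parse_packet(response_pkt)
    if code != CHAP_RESPONSE:
        raise ValueError("expected RESPONSE")
    secret = sendpass(name)
    if secret is None:
        return False, "SENDPASS status=FAIL"     # unknown user, or no clear-text password stored
    if hmac.compare_digest(value, chap_hash(identifier, secret, challenge)):
        return True, "MD5 compare OK"
    return False, "MD5 compare FAILED"            # the PC used a different password


# Constructed stand-in for the TACACS+ server's user database (assumed names and
# passwords). 'papuser' has no clear-text password the server could hand back.
USER_DB = {b"chapuser": b"chapsecret", b"papuser": None}


def run_exchange(username: bytes, client_secret: bytes, identifier: int = 3) -> Tuple[bool, str, int, int]:
    """One CHAP round trip; returns (ok, reason, challenge packet length, response packet length)."""
    chal_pkt, chal = router_challenge(identifier)
    resp_pkt = client_response(chal_pkt, username, client_secret)
    ok, reason = router_verify(resp_pkt, chal, USER_DB.get)
    return ok, reason, len(chal_pkt), len(resp_pkt)


if __name__ == "__main__":
    for user, pw in [(b"chapuser", b"chapsecret"), (b"chapuser", b"wrong"), (b"papuser", b"x")]:
        print(user.decode(), run_exchange(user, pw))
```

With a 16-byte challenge the packet lengths come out as 27 for the CHALLENGE from "rtpkrb" and 29 for the RESPONSE from "chapuser", the same values as "O CHALLENGE id 3 len 27" and "I RESPONSE id 3 len 29" in the CHAP debug output.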
Configuration - TACACS+ and PAP

```
Current configuration:
!
version 11.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname rtpkrb
!
aaa new-model
!
!--- The following four lines of the
!--- configuration are specific to
!--- Cisco IOS 11.2 and later, until 11.3.3.T.
!--- See below this configuration
!--- for commands for other Cisco IOS releases.
!
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+ local
aaa authorization exec tacacs+ if-authenticated
aaa authorization network tacacs+ if-authenticated
enable secret 5 $1$pkX.$JdAySRE1SbdbDe7bj0wyt0
enable password ww
!
username john password 0 doe
username cse password 0 csecse
ip host rtpkrb 10.31.1.5
ip domain-name RTP.CISCO.COM
ip name-server 171.68.118.103
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 10.31.1.5 255.255.0.0
 no mop enabled
!
interface Serial0
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode dedicated
 peer default ip address pool async
 no cdp enable
 ppp authentication pap
!
ip local pool async 15.15.15.15
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
tacacs-server host 171.68.118.101
tacacs-server key cisco
snmp-server community public RW
snmp-server host 171.68.118.100 traps public
!
line con 0
line 1
 session-timeout 20
 exec-timeout 20 0
 password ww
 autoselect during-login
 autoselect ppp
 modem InOut
 transport input all
 stopbits 1
 speed 38400
 flowcontrol hardware
line 2
 modem InOut
 speed 38400
 flowcontrol hardware
line 3 16
line aux 0
line vty 0 4
 password ww
!
end
```
Note: The four aaa authentication/authorization lines in the configuration above (shown in bold in the original) use the Cisco IOS 11.2 syntax. To use this configuration on another release, remove those four lines and insert the set that matches your Cisco IOS release.

Cisco IOS 11.3.3.T through 12.0.5.T:

```
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+ local
aaa authorization exec default tacacs+ if-authenticated
aaa authorization network default tacacs+ if-authenticated
```

Cisco IOS 12.0.5.T and later (group keyword):

```
aaa authentication login default group tacacs+ local
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
```
Note: In the original rendering, bold text marked the problem cases and plain text the good debug. In the output below, the problem cases are the lines that follow a !--- comment and carry no 3d22h: timestamp; the timestamped lines are one successful PAP session.

```
rtpkrb#show debug
General OS:
  TACACS access control debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
PPP:
  PPP authentication debugging is on
  PPP protocol negotiation debugging is on
rtpkrb#
3d22h: %LINK-3-UPDOWN: Interface Async1, changed state to up
3d22h: As1 PPP: Treating connection as a dedicated line
3d22h: As1 PPP: Phase is ESTABLISHING, Active Open
3d22h: As1 LCP: O CONFREQ [Closed] id 14 len 24
3d22h: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP:    AuthProto PAP (0x0304C023)
3d22h: As1 LCP:    MagicNumber 0xF45FB7A7 (0x0506F45FB7A7)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
!--- PC insists on doing CHAP
!--- ("accept encrypted authentication only"),
!--- but router is set up for PAP.
As1 LCP: I CONFNAK [REQsent] id 27 len 12
As1 LCP:    AuthProto 0xC123 (0x0308C12301000001)
As1 PPP: Closing connection because remote won't authenticate
3d22h: As1 LCP: Interface transitioned, discarding packet
3d22h: As1 LCP: I CONFACK [REQsent] id 14 len 24
3d22h: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP:    AuthProto PAP (0x0304C023)
3d22h: As1 LCP:    MagicNumber 0xF45FB7A7 (0x0506F45FB7A7)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: TIMEout: Time 0x14417CC4 State ACKrcvd
3d22h: As1 LCP: O CONFREQ [ACKrcvd] id 15 len 24
3d22h: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP:    AuthProto PAP (0x0304C023)
3d22h: As1 LCP:    MagicNumber 0xF45FB7A7 (0x0506F45FB7A7)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: I CONFACK [REQsent] id 15 len 24
3d22h: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP:    AuthProto PAP (0x0304C023)
3d22h: As1 LCP:    MagicNumber 0xF45FB7A7 (0x0506F45FB7A7)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: I CONFREQ [ACKrcvd] id 0 len 20
3d22h: As1 LCP:    ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP:    MagicNumber 0x000030A3 (0x0506000030A3)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: O CONFACK [ACKrcvd] id 0 len 20
3d22h: As1 LCP:    ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP:    MagicNumber 0x000030A3 (0x0506000030A3)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: State is Open
3d22h: As1 PPP: Phase is AUTHENTICATING, by this end
3d22h: As1 PAP: I AUTH-REQ id 4 len 20 from "papuser"
3d22h: As1 PAP: Authenticating peer papuser
3d22h: AAA/AUTHEN: create_user (0x16DAC0) user='papuser' ruser='' port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
3d22h: AAA/AUTHEN/START (1190231344): port='Async1' list='' action=LOGIN service=PPP
3d22h: AAA/AUTHEN/START (1190231344): using "default" list
3d22h: AAA/AUTHEN (1190231344): status = UNKNOWN
3d22h: AAA/AUTHEN/START (1190231344): Method=TACACS+
3d22h: TAC+: send AUTHEN/START packet ver=193 id=1190231344
3d22h: TAC+: Using default tacacs server list.
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
!--- The TAC+ server is down, producing an error.
!--- Since the user is not in the local database,
!--- the failover to local fails.
TAC+: TCP/IP open to 171.68.118.101/49 failed -- Connection refused by remote host
AAA/AUTHEN (866823886): status = ERROR
AAA/AUTHEN/START (866823886): Method=LOCAL
AAA/AUTHEN (866823886): status = FAIL
3d22h: TAC+: Opened TCP/IP handle 0x16C1F8 to 171.68.118.101/49
3d22h: TAC+: 171.68.118.101 (1190231344) AUTHEN/START/LOGIN/PAP queued
3d22h: TAC+: (1190231344) AUTHEN/START/LOGIN/PAP processed
!--- The key in the router does not match that of the server.
TAC+: received bad AUTHEN packet: length = 68, expected 67857
TAC+: Invalid AUTHEN/START packet (check keys)
AAA/AUTHEN (1771887965): status = ERROR
3d22h: TAC+: ver=192 id=1190231344 received AUTHEN status = GETPASS
3d22h: TAC+: Closing TCP/IP 0x16C1F8 connection to 171.68.118.101/49
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16EF4C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: AAA/AUTHEN: create_user (0x16C5EC) user='papuser' ruser='' port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
3d22h: TAC+: rev0 inbound pap login for id=1190231344 using id=3112896669
3d22h: TAC+: 171.68.118.101 (3112896669) AUTHEN/START/LOGIN/PAP queued
3d22h: TAC+: (3112896669) AUTHEN/START/LOGIN/PAP processed
3d22h: TAC+: ver=192 id=3112896669 received AUTHEN status = GETPASS
3d22h: TAC+: send AUTHEN/CONT packet
3d22h: TAC+: 171.68.118.101 (3112896669) AUTHEN/CONT queued
3d22h: TAC+: (3112896669) AUTHEN/CONT processed
!--- The NT client sends the "DOMAIN\user"
!--- and the TAC+ server expects "user".
TAC+: ver=192 id=260507389 received AUTHEN status = FAIL
TAC+: rev0 inbound pap completed for 1139034411 status=FAIL
AAA/AUTHEN: free_user (0x16CDD4) user='CISCO\papuser' ruser='' port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
!--- The TAC+ server refuses the user
!--- because the user is set up for CHAP only (note the user name),
!--- the user enters a bad password,
!--- or both the username and password are bad.
TAC+: ver=192 id=691012958 received AUTHEN status = FAIL
TAC+: rev0 inbound pap completed for 3917384959 status=FAIL
AAA/AUTHEN: free_user (0x15AD58) user='idochap' ruser='' port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
3d22h: TAC+: ver=192 id=3112896669 received AUTHEN status = PASS
3d22h: TAC+: rev0 inbound pap completed for 1190231344 status=PASS
3d22h: AAA/AUTHEN: free_user (0x16C5EC) user='papuser' ruser='' port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
3d22h: TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
3d22h: AAA/AUTHEN (1190231344): status = PASS
3d22h: AAA/AUTHOR/LCP As1: Authorize LCP
3d22h: AAA/AUTHOR/LCP: Async1: (1061976769): user='papuser'
3d22h: AAA/AUTHOR/LCP: Async1: (1061976769): send AV service=ppp
3d22h: AAA/AUTHOR/LCP: Async1: (1061976769): send AV protocol=lcp
3d22h: AAA/AUTHOR/LCP: Async1: (1061976769): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (1061976769): user=papuser
3d22h: AAA/AUTHOR/TAC+: (1061976769): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (1061976769): send AV protocol=lcp
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16C9E0 to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (1061976769) AUTHOR/START queued
3d22h: TAC+: (1061976769) AUTHOR/START processed
!--- The user passes authentication
!--- (the username/password is good)
!--- but fails authorization
!--- (the profile is not set up to authorize PPP).
TAC+: (1793875816): received author response status = FAIL
TAC+: Closing TCP/IP 0x17054C connection to 171.68.118.101/49
AAA/AUTHOR (1793875816): Post authorization status = FAIL
AAA/AUTHOR/LCP As1: Denied
3d22h: TAC+: (1061976769): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16C9E0 connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (1061976769): Post authorization status = PASS_ADD
3d22h: As1 PAP: O AUTH-ACK id 4 len 5
3d22h: As1 PPP: Phase is UP
3d22h: AAA/AUTHOR/FSM As1: (0): Can we start IPCP?
3d22h: AAA/AUTHOR/FSM: Async1: (3602788894): user='papuser'
3d22h: AAA/AUTHOR/FSM: Async1: (3602788894): send AV service=ppp
3d22h: AAA/AUTHOR/FSM: Async1: (3602788894): send AV protocol=ip
3d22h: AAA/AUTHOR/FSM: Async1: (3602788894): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (3602788894): user=papuser
3d22h: AAA/AUTHOR/TAC+: (3602788894): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (3602788894): send AV protocol=ip
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
3d22h: TAC+: Opened TCP/IP handle 0x17054C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (3602788894) AUTHOR/START queued
3d22h: As1 IPCP: I CONFREQ [Closed] id 1 len 34
3d22h: As1 IPCP:    Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: TAC+: (3602788894) AUTHOR/START processed
3d22h: TAC+: (3602788894): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x17054C connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (3602788894): Post authorization status = PASS_ADD
3d22h: AAA/AUTHOR/FSM As1: We can start IPCP
3d22h: As1 IPCP: O CONFREQ [Closed] id 10 len 10
3d22h: As1 IPCP:    Address 10.31.1.5 (0x03060A1F0105)
3d22h: As1 IPCP: I CONFACK [REQsent] id 10 len 10
3d22h: As1 IPCP:    Address 10.31.1.5 (0x03060A1F0105)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 1 len 34
3d22h: As1 IPCP:    Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: AAA/AUTHOR/IPCP As1: Start.  Her address 0.0.0.0, we want 0.0.0.0
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done.  Her address 0.0.0.0, we want 0.0.0.0
3d22h: As1 IPCP: Using pool 'async'
3d22h: As1 IPCP: Pool returned 15.15.15.15
3d22h: As1 IPCP: O CONFREJ [ACKrcvd] id 1 len 22
3d22h: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 2 len 16
3d22h: As1 IPCP:    Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: AAA/AUTHOR/IPCP As1: Start.  Her address 0.0.0.0, we want 15.15.15.15
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done.  Her address 0.0.0.0, we want 15.15.15.15
3d22h: As1 IPCP: O CONFNAK [ACKrcvd] id 2 len 16
3d22h: As1 IPCP:    Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP:    PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 3 len 16
3d22h: As1 IPCP:    Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP:    PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: AAA/AUTHOR/IPCP As1: Start.  Her address 15.15.15.15, we want 15.15.15.15
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): user='papuser'
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): send AV service=ppp
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): send AV protocol=ip
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): send AV addr*15.15.15.15
3d22h: AAA/AUTHOR/IPCP: Async1: (3654974050): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (3654974050): user=papuser
3d22h: AAA/AUTHOR/TAC+: (3654974050): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (3654974050): send AV protocol=ip
3d22h: AAA/AUTHOR/TAC+: (3654974050): send AV addr*15.15.15.15
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16EF4C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (3654974050) AUTHOR/START queued
3d22h: TAC+: (3654974050) AUTHOR/START processed
3d22h: TAC+: (3654974050): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (3654974050): Post authorization status = PASS_ADD
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Processing AV addr*15.15.15.15
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done.  Her address 15.15.15.15, we want 15.15.15.15
3d22h: As1 IPCP: O CONFACK [ACKrcvd] id 3 len 16
3d22h: As1 IPCP:    Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP:    PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: As1 IPCP: State is Open
3d22h: As1 IPCP: Install route to 15.15.15.15
rtpkrb#
```
Configuration - TACACS+ and CHAP

```
Current configuration:
!
version 11.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname rtpkrb
!
aaa new-model
!
!--- The following four lines of the configuration
!--- are specific to Cisco IOS 11.2 and later, until 11.3.3.T.
!--- See below this configuration
!--- for commands for other Cisco IOS releases.
!
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+ local
aaa authorization exec tacacs+ if-authenticated
aaa authorization network tacacs+ if-authenticated
enable secret 5 $1$pkX.$JdAySRE1SbdbDe7bj0wyt0
enable password ww
!
username john password 0 doe
username cse password 0 csecse
ip host rtpkrb 10.31.1.5
ip name-server 171.68.118.103
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 10.31.1.5 255.255.0.0
 no mop enabled
!
interface Serial0
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode dedicated
 peer default ip address pool async
 no cdp enable
 ppp authentication chap
!
ip local pool async 15.15.15.15
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
tacacs-server host 171.68.118.101
tacacs-server key cisco
snmp-server community public RW
snmp-server host 171.68.118.100 traps public
!
line con 0
line 1
 session-timeout 20
 exec-timeout 20 0
 password ww
 autoselect during-login
 autoselect ppp
 modem InOut
 transport input all
 stopbits 1
 speed 38400
 flowcontrol hardware
line 2
 modem InOut
 speed 38400
 flowcontrol hardware
line 3 16
line aux 0
line vty 0 4
 password ww
!
end
```
Note: The four aaa authentication/authorization lines in the configuration above (shown in bold in the original) use the Cisco IOS 11.2 syntax. To use this configuration on another release, remove those four lines and insert the set that matches your Cisco IOS release.

Cisco IOS 11.3.3.T through 12.0.5.T:

```
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+ local
aaa authorization exec default tacacs+ if-authenticated
aaa authorization network default tacacs+ if-authenticated
```

Cisco IOS 12.0.5.T and later (group keyword):

```
aaa authentication login default group tacacs+ local
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
```
Note: In the original rendering, bold text marked the problem cases and plain text the good debug. In the output below, the problem cases are the lines that follow a !--- comment and carry no 3d22h: timestamp; the timestamped lines are one successful CHAP session.
```
General OS:
  TACACS access control debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
PPP:
  PPP authentication debugging is on
  PPP protocol negotiation debugging is on
rtpkrb#
3d22h: As1 LCP: I CONFREQ [Closed] id 0 len 20
3d22h: As1 LCP:    ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP:    MagicNumber 0x000042C5 (0x0506000042C5)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: Lower layer not up, discarding packet
3d22h: %LINK-3-UPDOWN: Interface Async1, changed state to up
3d22h: As1 PPP: Treating connection as a dedicated line
3d22h: As1 PPP: Phase is ESTABLISHING, Active Open
3d22h: As1 LCP: O CONFREQ [Closed] id 12 len 25
3d22h: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP:    AuthProto CHAP (0x0305C22305)
3d22h: As1 LCP:    MagicNumber 0xF45D776F (0x0506F45D776F)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: I CONFACK [REQsent] id 12 len 25
3d22h: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
3d22h: As1 LCP:    AuthProto CHAP (0x0305C22305)
3d22h: As1 LCP:    MagicNumber 0xF45D776F (0x0506F45D776F)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: I CONFREQ [ACKrcvd] id 0 len 20
3d22h: As1 LCP:    ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP:    MagicNumber 0x000042C5 (0x0506000042C5)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: O CONFACK [ACKrcvd] id 0 len 20
3d22h: As1 LCP:    ACCM 0x00000000 (0x020600000000)
3d22h: As1 LCP:    MagicNumber 0x000042C5 (0x0506000042C5)
3d22h: As1 LCP:    PFC (0x0702)
3d22h: As1 LCP:    ACFC (0x0802)
3d22h: As1 LCP: State is Open
3d22h: As1 PPP: Phase is AUTHENTICATING, by this end
3d22h: As1 CHAP: O CHALLENGE id 3 len 27 from "rtpkrb"
3d22h: As1 CHAP: I RESPONSE id 3 len 29 from "chapuser"
3d22h: AAA/AUTHEN: create_user (0x15B394) user='chapuser' ruser='' port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
3d22h: AAA/AUTHEN/START (2183639772): port='Async1' list='' action=LOGIN service=PPP
3d22h: AAA/AUTHEN/START (2183639772): using "default" list
3d22h: AAA/AUTHEN (2183639772): status = UNKNOWN
3d22h: AAA/AUTHEN/START (2183639772): Method=TACACS+
3d22h: TAC+: send AUTHEN/START packet ver=193 id=2183639772
3d22h: TAC+: Using default tacacs server list.
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
!--- The TAC+ server is down, producing an error.
!--- Since the user is not in the local database,
!--- the failover to local fails.
TAC+: TCP/IP open to 171.68.118.101/49 failed -- Connection refused by remote host
AAA/AUTHEN (2546660185): status = ERROR
AAA/AUTHEN/START (2546660185): Method=LOCAL
AAA/AUTHEN (2546660185): status = FAIL
As1 CHAP: Unable to validate Response.  Username chapuser: Authentication failure
3d22h: TAC+: Opened TCP/IP handle 0x17054C to 171.68.118.101/49
3d22h: TAC+: 171.68.118.101 (2183639772) AUTHEN/START/LOGIN/CHAP queued
3d22h: TAC+: (2183639772) AUTHEN/START/LOGIN/CHAP processed
!--- The key in the router does not match that of the server.
TAC+: received bad AUTHEN packet: length = 68, expected 67857
TAC+: Invalid AUTHEN/START packet (check keys)
AAA/AUTHEN (1771887965): status = ERROR
3d22h: TAC+: ver=192 id=2183639772 received AUTHEN status = GETPASS
3d22h: TAC+: Closing TCP/IP 0x17054C connection to 171.68.118.101/49
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16EF4C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: AAA/AUTHEN: create_user (0x170940) user='chapuser' ruser='' port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
3d22h: TAC+: rev0 inbound chap for id=2183639772 using id=166703029
3d22h: TAC+: 171.68.118.101 (166703029) AUTHEN/START/SENDPASS/CHAP queued
3d22h: TAC+: (166703029) AUTHEN/START/SENDPASS/CHAP processed
!--- The NT client sends the "DOMAIN\user"
!--- and the TAC+ server expects "user".
TAC+: ver=192 id=3373385106 received AUTHEN status = FAIL
TAC+: rev0 inbound chap FAIL for id=2082151566
AAA/AUTHEN: free_user (0x170940) user='CISCO\chapuser' ruser='' port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
!--- The TAC+ server refuses the user
!--- because the user is set up for PAP.
!--- The user enters a bad password,
!--- or both the username and password are bad.
TAC+: ver=192 id=1989464562 received AUTHEN status = PASS
TAC+: rev0 inbound chap SENDPASS status=PASS for id=3657266965
TAC+: rev0 inbound chap MD5 compare FAILED
AAA/AUTHEN: free_user (0x170940) user='chapuser' ruser='' port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
AAA/AUTHEN (2082151566): status = FAIL
As1 CHAP: Unable to validate Response.  Username papuser: Authentication failure
3d22h: TAC+: ver=192 id=166703029 received AUTHEN status = PASS
3d22h: TAC+: rev0 inbound chap SENDPASS status=PASS for id=2183639772
3d22h: TAC+: rev0 inbound chap MD5 compare OK
3d22h: AAA/AUTHEN: free_user (0x170940) user='chapuser' ruser='' port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
3d22h: TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
3d22h: AAA/AUTHEN (2183639772): status = PASS
3d22h: AAA/AUTHOR/LCP As1: Authorize LCP
3d22h: AAA/AUTHOR/LCP: Async1: (683360936): user='chapuser'
3d22h: AAA/AUTHOR/LCP: Async1: (683360936): send AV service=ppp
3d22h: AAA/AUTHOR/LCP: Async1: (683360936): send AV protocol=lcp
3d22h: AAA/AUTHOR/LCP: Async1: (683360936): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (683360936): user=chapuser
3d22h: AAA/AUTHOR/TAC+: (683360936): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (683360936): send AV protocol=lcp
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16C1F8 to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (683360936) AUTHOR/START queued
3d22h: TAC+: (683360936) AUTHOR/START processed
!--- The user passes authentication
!--- (the username/password is good)
!--- but fails authorization
!--- (the profile is not set up to authorize PPP).
TAC+: (3803447096): received author response status = FAIL
TAC+: Closing TCP/IP 0x16C2A4 connection to 171.68.118.101/49
AAA/AUTHOR (3803447096): Post authorization status = FAIL
AAA/AUTHOR/LCP As1: Denied
AAA/AUTHEN: free_user (0x15B2E8) user='noauth' ruser='' port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
As1 CHAP: O FAILURE id 9 len 24 msg is "Authorization failed"
3d22h: TAC+: (683360936): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16C1F8 connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (683360936): Post authorization status = PASS_ADD
3d22h: As1 CHAP: O SUCCESS id 3 len 4
3d22h: As1 PPP: Phase is UP
3d22h: AAA/AUTHOR/FSM As1: (0): Can we start IPCP?
3d22h: AAA/AUTHOR/FSM: Async1: (977509495): user='chapuser'
3d22h: AAA/AUTHOR/FSM: Async1: (977509495): send AV service=ppp
3d22h: AAA/AUTHOR/FSM: Async1: (977509495): send AV protocol=ip
3d22h: AAA/AUTHOR/FSM: Async1: (977509495): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (977509495): user=chapuser
3d22h: AAA/AUTHOR/TAC+: (977509495): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (977509495): send AV protocol=ip
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16EF4C to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (977509495) AUTHOR/START queued
3d22h: As1 IPCP: I CONFREQ [Closed] id 1 len 34
3d22h: As1 IPCP:    Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: TAC+: (977509495) AUTHOR/START processed
3d22h: TAC+: (977509495): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16EF4C connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (977509495): Post authorization status = PASS_ADD
3d22h: AAA/AUTHOR/FSM As1: We can start IPCP
3d22h: As1 IPCP: O CONFREQ [Closed] id 8 len 10
3d22h: As1 IPCP:    Address 10.31.1.5 (0x03060A1F0105)
3d22h: As1 IPCP: I CONFACK [REQsent] id 8 len 10
3d22h: As1 IPCP:    Address 10.31.1.5 (0x03060A1F0105)
3d22h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 1 len 34
3d22h: As1 IPCP:    Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: AAA/AUTHOR/IPCP As1: Start.  Her address 0.0.0.0, we want 0.0.0.0
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done.  Her address 0.0.0.0, we want 0.0.0.0
3d22h: As1 IPCP: Using pool 'async'
3d22h: As1 IPCP: Pool returned 15.15.15.15
3d22h: As1 IPCP: O CONFREJ [ACKrcvd] id 1 len 22
3d22h: As1 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
3d22h: As1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
3d22h: As1 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 2 len 16
3d22h: As1 IPCP:    Address 0.0.0.0 (0x030600000000)
3d22h: As1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
3d22h: AAA/AUTHOR/IPCP As1: Start.  Her address 0.0.0.0, we want 15.15.15.15
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done.  Her address 0.0.0.0, we want 15.15.15.15
3d22h: As1 IPCP: O CONFNAK [ACKrcvd] id 2 len 16
3d22h: As1 IPCP:    Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP:    PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: As1 IPCP: I CONFREQ [ACKrcvd] id 3 len 16
3d22h: As1 IPCP:    Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP:    PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: AAA/AUTHOR/IPCP As1: Start.  Her address 15.15.15.15, we want 15.15.15.15
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): user='chapuser'
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): send AV service=ppp
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): send AV protocol=ip
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): send AV addr*15.15.15.15
3d22h: AAA/AUTHOR/IPCP: Async1: (3918374858): Method=TACACS+
3d22h: AAA/AUTHOR/TAC+: (3918374858): user=chapuser
3d22h: AAA/AUTHOR/TAC+: (3918374858): send AV service=ppp
3d22h: AAA/AUTHOR/TAC+: (3918374858): send AV protocol=ip
3d22h: AAA/AUTHOR/TAC+: (3918374858): send AV addr*15.15.15.15
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
3d22h: TAC+: Opened TCP/IP handle 0x16C9E0 to 171.68.118.101/49
3d22h: TAC+: Opened 171.68.118.101 index=1
3d22h: TAC+: 171.68.118.101 (3918374858) AUTHOR/START queued
3d22h: TAC+: (3918374858) AUTHOR/START processed
3d22h: TAC+: (3918374858): received author response status = PASS_ADD
3d22h: TAC+: Closing TCP/IP 0x16C9E0 connection to 171.68.118.101/49
3d22h: AAA/AUTHOR (3918374858): Post authorization status = PASS_ADD
3d22h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
3d22h: AAA/AUTHOR/IPCP As1: Processing AV protocol=ip
3d22h: AAA/AUTHOR/IPCP As1: Processing AV addr*15.15.15.15
3d22h: AAA/AUTHOR/IPCP As1: Authorization succeeded
3d22h: AAA/AUTHOR/IPCP As1: Done.  Her address 15.15.15.15, we want 15.15.15.15
3d22h: As1 IPCP: O CONFACK [ACKrcvd] id 3 len 16
3d22h: As1 IPCP:    Address 15.15.15.15 (0x03060F0F0F0F)
3d22h: As1 IPCP:    PrimaryDNS 171.68.118.103 (0x8106AB447667)
3d22h: As1 IPCP: State is Open
3d22h: As1 IPCP: Install route to 15.15.15.15
rtpkrb#
```
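The triage that the !--- comments perform by hand in both the PAP and the CHAP transcript above, written out as detection logic over raw debug output. This is an added example, not part of the Cisco document: a Python script that reads debug lines and reports the failure indicators with the check a practitioner should make next. The sample input is constructed for the example from lines copied from the page; the rule table, the category names and the hints are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a cut-down mix of lines in the shape of the debug output above
# (IDs and handles copied from the page), covering every failure case it comments on.
SAMPLE_DEBUG = """\
3d22h: As1 LCP: O CONFREQ [Closed] id 14 len 24
3d22h: As1 LCP:    AuthProto PAP (0x0304C023)
As1 LCP: I CONFNAK [REQsent] id 27 len 12
As1 PPP: Closing connection because remote won't authenticate
3d22h: TAC+: Opening TCP/IP to 171.68.118.101/49 timeout=5
TAC+: TCP/IP open to 171.68.118.101/49 failed -- Connection refused by remote host
AAA/AUTHEN (866823886): status = ERROR
AAA/AUTHEN/START (866823886): Method=LOCAL
AAA/AUTHEN (866823886): status = FAIL
TAC+: received bad AUTHEN packet: length = 68, expected 67857
TAC+: Invalid AUTHEN/START packet (check keys)
TAC+: ver=192 id=260507389 received AUTHEN status = FAIL
AAA/AUTHEN: free_user (0x16CDD4) user='CISCO\\papuser' ruser='' port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
TAC+: rev0 inbound chap MD5 compare FAILED
TAC+: (1793875816): received author response status = FAIL
AAA/AUTHOR/LCP As1: Denied
3d22h: TAC+: ver=192 id=3112896669 received AUTHEN status = PASS
3d22h: AAA/AUTHOR (1061976769): Post authorization status = PASS_ADD
"""

# (pattern, category, what to check next). Every rule that matches a line fires.
RULES = [
    (r"Closing connection because remote won't authenticate", "ppp-auth-mismatch",
     "the PC requires an encrypted password (CHAP) while the interface offers PAP, or the reverse; "
     "align ppp authentication pap/chap with the client's dial-up setting"),
    (r"TCP/IP open to (\S+) failed -- (.+)", "tacacs-unreachable",
     "the router cannot open TCP/49 to the TACACS+ server; check reachability, the daemon and filtering"),
    (r"Invalid AUTHEN/START packet \(check keys\)", "tacacs-key-mismatch",
     "tacacs-server key on the router differs from the key configured on the server"),
    (r"received AUTHEN status = FAIL", "authentication-failed",
     "the server rejected the credentials: wrong password, unknown user, or a user provisioned "
     "for the other protocol"),
    (r"user='([^']*\\[^']*)'", "domain-prefixed-username",
     "the client sent DOMAIN\\user; the server expects the bare user name"),
    (r"chap MD5 compare FAILED", "chap-md5-mismatch",
     "the password the server returned via SENDPASS does not reproduce the client's CHAP response"),
    (r"received author response status = FAIL", "authorization-failed",
     "credentials accepted but the profile does not authorize service=ppp; fix the user's attributes"),
]
COMPILED = [(re.compile(p), c, h) for p, c, h in RULES]


@dataclass
class Finding:
    category: str
    hint: str
    line: str


def classify(debug_text: str) -> List[Finding]:
    """Scan debug output line by line and return every failure indicator found.
    One piece of state is needed: an AAA/AUTHEN FAIL right after Method=LOCAL means the
    TACACS+ method returned ERROR and the fallback found no matching local username."""
    findings: List[Finding] = []
    method: Optional[str] = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.search(r"Method=(\w+)", line)
        if m:
            method = m.group(1)
        if method == "LOCAL" and re.search(r"AAA/AUTHEN \(\d+\): status = FAIL", line):
            findings.append(Finding("local-fallback-failed",
                                    "TACACS+ returned ERROR and the user is not in the local database; "
                                    "add a username line or repair the server", line))
            method = None
        for rx, category, hint in COMPILED:
            if rx.search(line):
                findings.append(Finding(category, hint, line))
    return findings


def summarize(debug_text: str) -> Dict[str, int]:
    """Count findings per category, for a quick first look at a long transcript."""
    counts: Dict[str, int] = {}
    for f in classify(debug_text):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in classify(SAMPLE_DEBUG):
        print(f"{f.category:26} {f.line}")
        print(f"{'':26} -> {f.hint}")
```

Feed it a transcript captured with terminal monitor or from syslog; PASS, PASS_ADD and the IPCP negotiation produce no findings, so on a healthy session the output is empty.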
These debug commands were used to produce the sample debug output in this document (the show debug listing at the top of each transcript confirms the set).
Note: Before you issue debug commands, refer to Important Information on Debug Commands.
debug aaa authentication: Displays information on AAA authentication.
debug aaa authorization: Displays information on AAA authorization.
debug tacacs: Displays detailed debugging information for TACACS+.
debug ppp authentication: Displays the PAP and CHAP authentication exchange on the PPP link.
debug ppp negotiation: Displays PPP packets transmitted during PPP startup, where PPP options are negotiated.
Revision | Publish Date | Comments
---|---|---
1.0 | 19-Jan-2006 | Initial Release