디버깅 RADIUS, PAP 및 CHAP의 일반적인 문제

다운로드 옵션

  • PDF     (241.3 KB)
    다양한 디바이스에서 Adobe Reader로 보기
  • ePub     (86.2 KB)
    iPhone, iPad, Android, Sony Reader 또는 Windows Phone의 다양한 앱에서 보기
  • Mobi (Kindle)     (80.5 KB)
    Kindle 디바이스에서 보기 또는 다양한 디바이스의 Kindle 앱에서 보기
업데이트:2006년 1월 19일
문서 ID:13862

편견 없는 언어

본 제품에 대한 문서 세트는 편견 없는 언어를 사용하기 위해 노력합니다. 본 설명서 세트의 목적상, 편견 없는 언어는 나이, 장애, 성별, 인종 정체성, 민족 정체성, 성적 지향성, 사회 경제적 지위 및 교차성에 기초한 차별을 의미하지 않는 언어로 정의됩니다. 제품 소프트웨어의 사용자 인터페이스에서 하드코딩된 언어, RFP 설명서에 기초한 언어 또는 참조된 서드파티 제품에서 사용하는 언어로 인해 설명서에 예외가 있을 수 있습니다. 시스코에서 어떤 방식으로 포용적인 언어를 사용하고 있는지 자세히 알아보세요.

이 번역에 관하여

Cisco는 전 세계 사용자에게 다양한 언어로 지원 콘텐츠를 제공하기 위해 기계 번역 기술과 수작업 번역을 병행하여 이 문서를 번역했습니다. 아무리 품질이 높은 기계 번역이라도 전문 번역가의 번역 결과물만큼 정확하지는 않습니다. Cisco Systems, Inc.는 이 같은 번역에 대해 어떠한 책임도 지지 않으며 항상 원본 영문 문서(링크 제공됨)를 참조할 것을 권장합니다.

소개

이 문서에서는 PAP(Password Authentication Protocol) 또는 CHAP(Challenge Handshake Authentication Protocol)를 사용할 때 RADIUS에 대한 일반적인 디버깅 문제를 살펴봅니다. Microsoft Windows 95, Windows NT, Windows 98 및 Windows 2000에 대한 공통 PC 설정은 물론, 좋은 디버깅 및 잘못된 디버깅 구성과 예도 제공됩니다.

시작하기 전에

표기 규칙

문서 표기 규칙에 대한 자세한 내용은 Cisco 기술 팁 표기 규칙을 참조하십시오.

사전 요구 사항

이 문서에 대한 특정 요건이 없습니다.

사용되는 구성 요소

이 문서의 정보는 Cisco IOS® Software 릴리스 11.2 이상을 기반으로 합니다.

이 문서의 정보는 특정 랩 환경의 디바이스를 토대로 작성되었습니다.이 문서에 사용된 모든 디바이스는 초기화된(기본) 컨피그레이션으로 시작되었습니다.라이브 네트워크에서 작업하는 경우, 사용하기 전에 모든 명령의 잠재적인 영향을 이해해야 합니다.

일반 PC 설정

Windows 95

아래 지침에 따릅니다.

  1. Dialup Networking(전화 접속 네트워킹) 창에서 연결 이름을 선택한 다음 File(파일) > Properties(속성)를 선택합니다.

  2. Server Type(서버 유형) 탭에서 Type of Dial-up Server(전화 접속 서버 유형) 아래의 Require Encrypted Password(암호화된 비밀번호 필요) 상자가 선택되어 있는지 확인합니다.

    • 이 확인란을 선택하면 PC가 CHAP 인증만 수락함을 의미합니다.

    • 이 확인란을 선택하지 않으면 PC에서 PAP 또는 CHAP 인증을 수락함을 의미합니다.

Windows NT

아래 지침에 따릅니다.

  1. Dial-Up Networking(전화 접속 네트워킹) 창에서 연결 이름을 선택한 다음 File(파일) > Properties(속성)를 선택합니다.

  2. Security(보안) 탭에서 설정을 확인합니다.

    • 일반 텍스트 상자를 포함한 모든 인증 수락하는 경우 PC에서 PAP 또는 CHAP를 수락함을 의미합니다.

    • 암호화된 인증만 허용 상자를 선택하면 PC는 CHAP 인증만 허용합니다.

Windows 98

아래 지침에 따릅니다.

  1. 전화 접속 네트워킹 창에서 연결 이름을 선택한 다음 속성을 선택합니다.

  2. Server Types(서버 유형) 탭에서 Advanced Options(고급 옵션) 영역의 설정을 선택합니다.

    • Require encrypted password(암호화된 비밀번호 필요) 상자를 선택하지 않으면 PC에서 PAP 또는 CHAP 인증을 수락함을 의미합니다.

    • Require encrypted password(암호화된 비밀번호 필요) 상자가 선택되어 있으면 PC는 CHAP 인증만 수락합니다.

Windows 2000

아래 지침에 따릅니다.

  1. 네트워크 및 전화 접속 연결에서 연결 이름을 선택한 다음 속성을 선택합니다.

  2. Security(보안) 탭에서 Advanced(고급) > Settings(설정) > Allow these protocols(다음 프로토콜 허용) 영역의 설정을 선택합니다.

    • Unencrypted password (PAP)(암호화되지 않은 비밀번호(PAP)) 상자를 선택하면 PC가 PAP를 수락합니다.

    • Challenge Handshake Authentication Protocol (CHAP)(챌린지 핸드셰이크 인증 프로토콜(CHAP)) 상자를 선택하면 PC는 RFC 1994에 따라 CHAP를 수락합니다.

    • Microsoft CHAP(MS-CHAP) 상자를 선택하면 PC는 MS-CHAP 버전 1을 수락하고 RFC 1994에 따라 CHAP를 승인하지 않습니다.

구성 및 디버그 예

RADIUS 및 PAP

구성 - RADIUS 및 PAP 
Current configuration:
!
version 11.2
service timestamps debug uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname rtpkrb
!
aaa new-model
!

!--- The following four command lines are specific to !--- Cisco IOS 11.2 and later, up until 11.3.3.T. !--- See below this configuration for commands !--- for other Cisco IOS releases.

!
aaa authentication login default radius local
aaa authentication ppp default if-needed radius local
aaa authorization exec radius if-authenticated
aaa authorization network radius if-authenticated
!
enable secret 5 $1$pkX.$JdAySRE1SbdbDe7bj0wyt0
enable password ww
!
username john password 0 doe
username cse password 0 csecse
ip host rtpkrb 10.31.1.5
ip domain-name RTP.CISCO.COM
ip name-server 171.68.118.103
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 10.31.1.5 255.255.0.0
no mop enabled
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode dedicated
peer default ip address pool async
no cdp enable
ppp authentication pap
!
ip local pool async 15.15.15.15
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
snmp-server community public RW
snmp-server host 171.68.118.100 traps public
radius-server host 171.68.118.101 auth-port 1645 acct-port 1646
radius-server key cisco
!
line con 0
line 1
session-timeout 20 
exec-timeout 20 0
password ww
autoselect during-login
autoselect ppp
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
line 2
modem InOut
speed 38400
flowcontrol hardware
line 3 16
line aux 0
line vty 0 4
exec-timeout 0 0
password ww
!
end

기타 Cisco IOS 릴리스에 대한 명령

참고: 이 명령을 사용하려면 위의 컨피그레이션에서 강조 표시된 명령을 제거하고 Cisco IOS 릴리스에 따라 이 명령을 에 붙여넣습니다.

Cisco IOS 11.3.3.T - 12.0.5.T

aaa authen login default radius local
aaa authen ppp default if-needed radius local
aaa authorization exec default radius if-authenticated
aaa authorization network default radius if-authenticated

Cisco IOS 12.0.5.T 이상

aaa authen login default group radius local
aaa authen ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated

샘플 디버그 - RADIUS 및 PAP

참고: 디버그 출력에서 굵은 텍스트는 디버그의 문제를 강조 표시합니다.일반 텍스트는 올바른 디버그를 나타냅니다.

rtpkrb#
rtpkrb#sho deb
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
Radius protocol debugging is on
rtpkrb#
4d02h: As1 LCP: I CONFREQ [Closed] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x00001F67 (0x050600001F67)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: Lower layer not up, discarding packet
%LINK-3-UPDOWN: Interface Async1, changed state to up
4d02h: As1 PPP: Treating connection as a dedicated line
4d02h: As1 PPP: Phase is ESTABLISHING, Active Open
4d02h: As1 LCP: O CONFREQ [Closed] id 85 len 24
4d02h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
4d02h: As1 LCP: AuthProto PAP (0x0304C023)
4d02h: As1 LCP: MagicNumber 0xF54252D5 (0x0506F54252D5)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)


PC insists on doing chap ('accept encrypted authentication only'), 
   but router is set up for pap:
As1 LCP: I CONFNAK [REQsent] id 98 len 12
As1 LCP: AuthProto 0xC123 (0x0308C12301000001)
As1 LCP: O CONFREQ [REQsent] id 99 len 24
As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
As1 LCP: AuthProto PAP (0x0304C023)
As1 LCP: MagicNumber 0xF54D1AF8 (0x0506F54D1AF8)
As1 LCP: PFC (0x0702)
As1 LCP: ACFC (0x0802)
As1 LCP: I CONFREJ [REQsent] id 99 len 8
As1 LCP: AuthProto PAP (0x0304C023)
As1 PPP: Closing connection because remote won't authenticate

4d02h: As1 LCP: I CONFACK [REQsent] id 85 len 24
4d02h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
4d02h: As1 LCP: AuthProto PAP (0x0304C023)
4d02h: As1 LCP: MagicNumber 0xF54252D5 (0x0506F54252D5)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: I CONFREQ [ACKrcvd] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x00001F67 (0x050600001F67)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: O CONFACK [ACKrcvd] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x00001F67 (0x050600001F67)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: State is Open
4d02h: As1 PPP: Phase is AUTHENTICATING, by this end
4d02h: As1 PAP: I AUTH-REQ id 14 len 19 from "ddunlap"
4d02h: As1 PAP: Authenticating peer ddunlap
4d02h: AAA/AUTHEN: create_user (0x15AD58) user='ddunlap' ruser='' 
   port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
4d02h: AAA/AUTHEN/START (1953436918): port='Async1' list='' 
   action=LOGIN service=PPP
4d02h: AAA/AUTHEN/START (1953436918): using "default" list
4d02h: AAA/AUTHEN (1953436918): status = UNKNOWN
4d02h: AAA/AUTHEN/START (1953436918): Method=RADIUS
4d02h: RADIUS: Initial Transmit id 7 171.68.118.101:1645, 
   Access-Request, len 77
4d02h: Attribute 4 6 0A1F0105
4d02h: Attribute 5 6 00000001
4d02h: Attribute 61 6 00000000
4d02h: Attribute 1 9 6464756E
4d02h: Attribute 2 18 7882E0A5
4d02h: Attribute 6 6 00000002
4d02h: Attribute 7 6 00000001


Radius server is down - produces ERROR - since user is not 
   in local database, failover to local FAILs
As1 PAP: I AUTH-REQ id 16 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=16 already in progress
As1 PAP: I AUTH-REQ id 17 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=17 already in progress
RADIUS: Retransmit id 9
As1 PAP: I AUTH-REQ id 18 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=18 already in progress
As1 PAP: I AUTH-REQ id 19 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=19 already in progress
As1 PAP: I AUTH-REQ id 20 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=20 already in progress
RADIUS: Retransmit id 9
As1 PAP: I AUTH-REQ id 21 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=21 already in progress
As1 PAP: I AUTH-REQ id 22 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=22 already in progress
RADIUS: Retransmit id 9
As1 PAP: I AUTH-REQ id 23 len 19 from "ddunlap"
As1 AUTH: Duplicate authentication request id=23 already in progress
As1 LCP: I TERMREQ [Open] id 1 len 8 (0x000002CE)
As1 LCP: O TERMACK [Open] id 1 len 4
As1 PPP: Phase is TERMINATING
RADIUS: No response for id 9
%RADIUS-3-ALLDEADSERVER: No active radius servers found. Id 9.
RADIUS: No response from server
AAA/AUTHEN (3025998849): status = ERROR
AAA/AUTHEN/START (3025998849): Method=LOCAL
AAA/AUTHEN (3025998849): status = FAIL


Key in router does not match that of server:
RADIUS: Received from id 21 171.68.118.101:1645, Access-Reject, len 20
RADIUS: Reply for 21 fails decrypt


NT client sends 'DOMAIN\user' and Radius server expects 'user':
RADIUS: Received from id 11 171.68.118.101:1645, Access-Reject, len 20
AAA/AUTHEN (1406749115): status = FAIL
As1 PAP: O AUTH-NAK id 25 len 32 msg is "Password validation failure"
As1 PPP: Phase is TERMINATING
As1 LCP: O TERMREQ [Open] id 108 len 4
AAA/AUTHEN: free_user (0xDA520) user='CISCO\ddunlap' ruser='' 
   port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1


Radius server refuses user because user user enters bad password, 
   or both userid & password are bad:
RADIUS: Received from id 12 171.68.118.101:1645, Access-Reject, len 20
AAA/AUTHEN (733718529): status = FAIL
As1 PAP: O AUTH-NAK id 26 len 32 msg is "Password validation failure"
As1 PPP: Phase is TERMINATING
As1 LCP: O TERMREQ [Open] id 111 len 4
AAA/AUTHEN: free_user (0x15B030) user='ddunlap' ruser='' 
   ='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1


User passes authentication (i.e. username/password is good) 
   but fails authorization (profile not set up for Service-Type=Framed &
   Framed-Protocol=PPP):
RADIUS: Received from id 13 171.68.118.101:1645, Access-Accept, len 20
RADIUS: saved authorization data for user 15AD58 at 15ADF0
AAA/AUTHEN (56862281): status = PASS
AAA/AUTHOR/LCP As1: Authorize LCP
AAA/AUTHOR/LCP: Async1: (959162008): user='cse'
AAA/AUTHOR/LCP: Async1: (959162008): send AV service=ppp
AAA/AUTHOR/LCP: Async1: (959162008): send AV protocol=lcp
AAA/AUTHOR/LCP: Async1: (959162008): Method=RADIUS
RADIUS: no appropriate authorization type for user.
AAA/AUTHOR (959162008): Post authorization status = FAIL
AAA/AUTHOR/LCP As1: Denied
AAA/AUTHEN: free_user (0x15AD58) user='cse' ruser='' 
   port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1
As1 PAP: O AUTH-NAK id 27 len 25 msg is "Authorization failed"

4d02h: RADIUS: Received from id 7 171.68.118.101:1645, Access-Accept, len 32
4d02h: Attribute 6 6 00000002
4d02h: Attribute 7 6 00000001
4d02h: RADIUS: saved authorization data for user 15AD58 at 16C7F4
4d02h: AAA/AUTHEN (1953436918): status = PASS
4d02h: AAA/AUTHOR/LCP As1: Authorize LCP
4d02h: AAA/AUTHOR/LCP: Async1: (2587233868): user='ddunlap'
4d02h: AAA/AUTHOR/LCP: Async1: (2587233868): send AV service=ppp
4d02h: AAA/AUTHOR/LCP: Async1: (2587233868): send AV protocol=lcp
4d02h: AAA/AUTHOR/LCP: Async1: (2587233868): Method=RADIUS
4d02h: AAA/AUTHOR (2587233868): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/LCP As1: Processing AV service=ppp
4d02h: As1 PAP: O AUTH-ACK id 14 len 5
4d02h: As1 PPP: Phase is UP
4d02h: AAA/AUTHOR/FSM As1: (0): Can we start IPCP?
4d02h: AAA/AUTHOR/FSM: Async1: (423372862): user='ddunlap'
4d02h: AAA/AUTHOR/FSM: Async1: (423372862): send AV service=ppp
4d02h: AAA/AUTHOR/FSM: Async1: (423372862): send AV protocol=ip
4d02h: AAA/AUTHOR/FSM: Async1: (423372862): Method=RADIUS
4d02h: AAA/AUTHOR (423372862): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/FSM As1: We can start IPCP
4d02h: As1 IPCP: O CONFREQ [Closed] id 17 len 10
4d02h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
4d02h: As1 IPCP: I CONFREQ [REQsent] id 1 len 34
4d02h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
4d02h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
4d02h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
4d02h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
4d02h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, we want 0.0.0.0
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, we want 0.0.0.0
4d02h: As1 IPCP: Using pool 'async'
4d02h: As1 IPCP: Pool returned 15.15.15.15
4d02h: As1 IPCP: O CONFREJ [REQsent] id 1 len 22
4d02h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
4d02h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
4d02h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
4d02h: As1 IPCP: I CONFACK [REQsent] id 17 len 10
4d02h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
4d02h: As1 IPCP: I CONFREQ [ACKrcvd] id 2 len 16
4d02h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
4d02h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, we want 15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, we want 15.15.15.15
4d02h: As1 IPCP: O CONFNAK [ACKrcvd] id 2 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: As1 IPCP: I CONFREQ [ACKrcvd] id 3 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 15.15.15.15, we want 15.15.15.15
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): user='ddunlap'
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): send AV service=ppp
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): send AV protocol=ip
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): send AV addr*15.15.15.15
4d02h: AAA/AUTHOR/IPCP: Async1: (4204275250): Method=RADIUS
4d02h: AAA/AUTHOR (4204275250): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/IPCP As1: Reject 15.15.15.15, using 15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Processing AV addr*15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 15.15.15.15, we want 15.15.15.15
4d02h: As1 IPCP: O CONFACK [ACKrcvd] id 3 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: As1 IPCP: State is Open
4d02h: As1 IPCP: Install route to 15.15.15.15
rtpkrb#

RADIUS 및 CHAP

구성 - RADIUS 및 CHAP 
Current configuration:
!
version 11.2
service timestamps debug uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname rtpkrb
!
aaa new-model
!

!--- The following four command lines are specific to !--- Cisco IOS 11.2 and later, up until 11.3.3.T. !--- See below this configuration for commands !--- for other Cisco IOS releases.

!
aaa authentication login default radius local
aaa authentication ppp default if-needed radius local
aaa authorization exec radius if-authenticated
aaa authorization network radius if-authenticated
!
enable secret 5 $1$pkX.$JdAySRE1SbdbDe7bj0wyt0
enable password ww
!
username john password 0 doe
username cse password 0 csecse
ip host rtpkrb 10.31.1.5
ip name-server 171.68.118.103
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 10.31.1.5 255.255.0.0
no mop enabled
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode dedicated
peer default ip address pool async
no cdp enable
ppp authentication chap
!
ip local pool async 15.15.15.15
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
snmp-server community public RW
snmp-server host 171.68.118.100 traps public
radius-server host 171.68.118.101 auth-port 1645 acct-port 1646
radius-server key cisco
!
line con 0
line 1
session-timeout 20 
exec-timeout 20 0
password ww
autoselect during-login
autoselect ppp
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
line 2
modem InOut
speed 38400
flowcontrol hardware
line 3 16
line aux 0
line vty 0 4
exec-timeout 0 0
password ww
!
end

기타 Cisco IOS 릴리스에 대한 명령

참고: 이 명령을 사용하려면 위의 컨피그레이션에서 강조 표시된 명령을 제거하고 Cisco IOS 릴리스에 따라 이 명령을 에 붙여넣습니다.

Cisco IOS 11.3.3.T - 12.0.5.T 

aaa authen login default radius local
aaa authen ppp default if-needed radius local
aaa authorization exec default radius if-authenticated
aaa authorization network default radius if-authenticated

Cisco IOS 12.0.5.T 이상 

aaa authen login default group radius local 
aaa authen ppp default if-needed group radius local 
aaa authorization exec default group radius if-authenticated 
aaa authorization network default group radius if-authenticated

샘플 디버그 - RADIUS 및 CHAP

참고: 디버그 출력에서 굵은 기울임꼴 텍스트는 디버그의 문제를 강조 표시합니다.일반 텍스트는 올바른 디버그를 나타냅니다.

rtpkrb#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
Radius protocol debugging is on
rtpkrb#
4d02h: As1 LCP: I CONFREQ [Closed] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x0000405F (0x05060000405F)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: Lower layer not up, discarding packet
%LINK-3-UPDOWN: Interface Async1, changed state to up
4d02h: As1 PPP: Treating connection as a dedicated line
4d02h: As1 PPP: Phase is ESTABLISHING, Active Open
4d02h: As1 LCP: O CONFREQ [Closed] id 87 len 25
4d02h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
4d02h: As1 LCP: AuthProto CHAP (0x0305C22305)
4d02h: As1 LCP: MagicNumber 0xF5445B55 (0x0506F5445B55)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: I CONFACK [REQsent] id 87 len 25
4d02h: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)
4d02h: As1 LCP: AuthProto CHAP (0x0305C22305)
4d02h: As1 LCP: MagicNumber 0xF5445B55 (0x0506F5445B55)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: I CONFREQ [ACKrcvd] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x0000405F (0x05060000405F)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: O CONFACK [ACKrcvd] id 0 len 20
4d02h: As1 LCP: ACCM 0x00000000 (0x020600000000)
4d02h: As1 LCP: MagicNumber 0x0000405F (0x05060000405F)
4d02h: As1 LCP: PFC (0x0702)
4d02h: As1 LCP: ACFC (0x0802)
4d02h: As1 LCP: State is Open
4d02h: As1 PPP: Phase is AUTHENTICATING, by this end
4d02h: As1 CHAP: O CHALLENGE id 11 len 27 from "rtpkrb"
4d02h: As1 CHAP: I RESPONSE id 11 len 28 from "chapadd"
4d02h: AAA/AUTHEN: create_user (0x15AD58) user='chapadd' ruser='' 
   port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1
4d02h: AAA/AUTHEN/START (575703226): port='Async1' list='' 
   action=LOGIN service=PPP
4d02h: AAA/AUTHEN/START (575703226): using "default" list
4d02h: AAA/AUTHEN (575703226): status = UNKNOWN
4d02h: AAA/AUTHEN/START (575703226): Method=RADIUS
4d02h: RADIUS: Initial Transmit id 8 171.68.118.101:1645, 
   Access-Request, len 78
4d02h: Attribute 4 6 0A1F0105
4d02h: Attribute 5 6 00000001
4d02h: Attribute 61 6 00000000
4d02h: Attribute 1 9 63686170
4d02h: Attribute 3 19 0B895D57
4d02h: Attribute 6 6 00000002
4d02h: Attribute 7 6 00000001


Radius server is down - produces ERROR - since user is not 
   in local database, failover to local FAILs:
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
RADIUS: Retransmit id 15
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
RADIUS: Retransmit id 15
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
RADIUS: Retransmit id 15
As1 CHAP: I RESPONSE id 12 len 28 from "chapadd"
As1 AUTH: Duplicate authentication request id=12 already in progress
As1 LCP: I TERMREQ [Open] id 1 len 8 (0x000002CE)
As1 LCP: O TERMACK [Open] id 1 len 4
As1 PPP: Phase is TERMINATING
RADIUS: id 15, requester hung up.
RADIUS: No response for id 15
RADIUS: No response from server
AAA/AUTHEN (1866705040): status = ERROR
AAA/AUTHEN/START (1866705040): Method=LOCAL
AAA/AUTHEN (1866705040): status = FAIL
As1 CHAP: Unable to validate Response. Username chapadd: Authentication failure
As1 CHAP: O FAILURE id 12 len 26 msg is "Authentication failure"
AAA/AUTHEN: free_user (0x1716B8) user='chapadd' ruser='' 
   port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1


Key in router does not match that of server:
RADIUS: Received from id 21 171.68.118.101:1645, Access-Reject, len 20
RADIUS: Reply for 21 fails decrypt

NT client sends 'DOMAIN\user' and Radius server expects 'user':
RADIUS: Received from id 16 171.68.118.101:1645, Access-Reject, len 20
AAA/AUTHEN (2974782384): status = FAIL
As1 CHAP: Unable to validate Response. Username CISCO\chapadd: 
   Authentication failure
As1 CHAP: O FAILURE id 13 len 26 msg is "Authentication failure"
As1 PPP: Phase is TERMINATING
As1 LCP: O TERMREQ [Open] id 131 len 4
AAA/AUTHEN: free_user (0x171700) user='CISCO\chapadd' ruser='' 
   port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1


Radius server refuses user because user is set up for pap, 
   user enters bad password, or both userid & password are bad:
RADIUS: Received from id 17 171.68.118.101:1645, Access-Reject, len 20
AAA/AUTHEN (3898168391): status = FAIL
As1 CHAP: Unable to validate Response. Username ddunlap: Authentication failure
As1 CHAP: O FAILURE id 14 len 26 msg is "Authentication failure"
As1 PPP: Phase is TERMINATING
As1 LCP: O TERMREQ [Open] id 134 len 4
AAA/AUTHEN: free_user (0x1716B8) user='ddunlap' ruser='' 
   port='Async1' rem_addr='async' authen_type=CHAP service=PPP priv=1

User PASSes authentication (i.e. username/password is good) 
   but FAILs authorization (profile not set up for Service-Type=Framed &
Framed-Protocol=PPP):
RADIUS: Received from id 19 171.68.118.101:1645, Access-Accept, len 20
AAA/AUTHEN (2006894701): status = PASS
AAA/AUTHOR/LCP As1: Authorize LCP
AAA/AUTHOR/LCP: Async1: (2370106832): user='noauth'
AAA/AUTHOR/LCP: Async1: (2370106832): send AV service=ppp
AAA/AUTHOR/LCP: Async1: (2370106832): send AV protocol=lcp
AAA/AUTHOR/LCP: Async1: (2370106832): Method=RADIUS
RADIUS: no appropriate authorization type for user.
AAA/AUTHOR (2370106832): Post authorization status = FAIL
AAA/AUTHOR/LCP As1: Denied

4d02h: RADIUS: Received from id 8 171.68.118.101:1645, Access-Accept, len 32
4d02h: Attribute 6 6 00000002
4d02h: Attribute 7 6 00000001
4d02h: AAA/AUTHEN (575703226): status = PASS
4d02h: AAA/AUTHOR/LCP As1: Authorize LCP
4d02h: AAA/AUTHOR/LCP: Async1: (4143416222): user='chapadd'
4d02h: AAA/AUTHOR/LCP: Async1: (4143416222): send AV service=ppp
4d02h: AAA/AUTHOR/LCP: Async1: (4143416222): send AV protocol=lcp
4d02h: AAA/AUTHOR/LCP: Async1: (4143416222): Method=RADIUS
4d02h: AAA/AUTHOR (4143416222): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/LCP As1: Processing AV service=ppp
4d02h: As1 CHAP: O SUCCESS id 11 len 4
4d02h: As1 PPP: Phase is UP
4d02h: AAA/AUTHOR/FSM As1: (0): Can we start IPCP?
4d02h: AAA/AUTHOR/FSM: Async1: (1916451991): user='chapadd'
4d02h: AAA/AUTHOR/FSM: Async1: (1916451991): send AV service=ppp
4d02h: AAA/AUTHOR/FSM: Async1: (1916451991): send AV protocol=ip
4d02h: AAA/AUTHOR/FSM: Async1: (1916451991): Method=RADIUS
4d02h: AAA/AUTHOR (1916451991): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/FSM As1: We can start IPCP
4d02h: As1 IPCP: O CONFREQ [Closed] id 19 len 10
4d02h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
4d02h: As1 IPCP: I CONFREQ [REQsent] id 1 len 34
4d02h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
4d02h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
4d02h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
4d02h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
4d02h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, we want 0.0.0.0
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, we want 0.0.0.0
4d02h: As1 IPCP: Using pool 'async'
4d02h: As1 IPCP: Pool returned 15.15.15.15
4d02h: As1 IPCP: O CONFREJ [REQsent] id 1 len 22
4d02h: As1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
4d02h: As1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
4d02h: As1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
4d02h: As1 IPCP: I CONFACK [REQsent] id 19 len 10
4d02h: As1 IPCP: Address 10.31.1.5 (0x03060A1F0105)
4d02h: As1 IPCP: I CONFREQ [ACKrcvd] id 2 len 16
4d02h: As1 IPCP: Address 0.0.0.0 (0x030600000000)
4d02h: As1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 0.0.0.0, we want 15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 0.0.0.0, we want 15.15.15.15
4d02h: As1 IPCP: O CONFNAK [ACKrcvd] id 2 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: As1 IPCP: I CONFREQ [ACKrcvd] id 3 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: AAA/AUTHOR/IPCP As1: Start. Her address 15.15.15.15, we want 15.15.15.15
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): user='chapadd'
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): send AV service=ppp
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): send AV protocol=ip
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): send AV addr*15.15.15.15
4d02h: AAA/AUTHOR/IPCP: Async1: (1096193147): Method=RADIUS
4d02h: AAA/AUTHOR (1096193147): Post authorization status = PASS_REPL
4d02h: AAA/AUTHOR/IPCP As1: Reject 15.15.15.15, using 15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Processing AV service=ppp
4d02h: AAA/AUTHOR/IPCP As1: Processing AV addr*15.15.15.15
4d02h: AAA/AUTHOR/IPCP As1: Authorization succeeded
4d02h: AAA/AUTHOR/IPCP As1: Done. Her address 15.15.15.15, we want 15.15.15.15
4d02h: As1 IPCP: O CONFACK [ACKrcvd] id 3 len 16
4d02h: As1 IPCP: Address 15.15.15.15 (0x03060F0F0F0F)
4d02h: As1 IPCP: PrimaryDNS 171.68.118.103 (0x8106AB447667)
4d02h: As1 IPCP: State is Open
%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
4d02h: As1 IPCP: Install route to 15.15.15.15
rtpkrb#

디버그 명령

다음 debug 명령은 이 문서에서 샘플 디버그 출력을 생성하는 데 사용되었습니다.

참고: debug 명령을 실행하기 전에 디버그 명령에 대한 중요 정보를 참조하십시오.

  • debug aaa authentication - AAA 인증에 대한 정보를 표시합니다.

  • debug aaa authorization - AAA 권한 부여에 대한 정보를 표시합니다.

  • debug radius - RADIUS(Remote Authentication Dial-In User Server)와 관련된 자세한 디버깅 정보를 표시합니다.

  • debug ppp negotiation - PPP 시작 중에 전송된 PPP 패킷을 표시합니다. 여기서 PPP 옵션은 협상됩니다.

관련 정보

이 문서가 도움이 되셨습니까?

Feedback피드백

지원 문의

이 문서가 적용되는 제품