用 TACACS+ 配置 PPP 回呼

简介

本文档显示了路由器和AAA服务器使用TACACS+进行点对点协议(PPP)回拨的配置示例。包括两个使用AAA服务器或Windows 2000客户端指定的回拨号码的示例。

• 使用本地身份验证和回调执行初始测试(删除aaa new-model命令)。如果回叫不能与本地身份验证一起使用，则它不能与TACACS+一起使用。有关如何使用本地身份验证的示例，请参阅配置路由器与Windows PC之间的MS回拨。

• 使用TACACS+执行进一步的PPP身份验证测试，无需回叫。如果用户身份验证失败和/或授权没有回拨，则身份验证和授权不能与回拨配合使用。

• 回叫的本地身份验证和使用TACACS+的PPP身份验证工作之后，请将来自路由器上本地用户的信息（例如回叫拨号字符串）添加到服务器上的用户配置文件中。

注意：这些测试中的客户端是照常设置的Windows 2000 Professional客户端DUN，用于建立PPP连接，Microsoft回叫设置是“Ask me during dialing the server offer”。 Cisco IOS®软件版本11.3.2.T及更高版本支持Microsoft Callback。

先决条件

要求

本文档没有任何特定的要求。

使用的组件

本文档中的信息基于以下软件和硬件版本：

• 思科IOS软件版本12.1(7)AA

• 思科安全ACS UNIX 2.3(2)

• 适用于Windows 3.3的Cisco Secure ACS

• TACACS免费软件后台程序4.0(3)

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您使用的是真实网络，请确保您已经了解所有命令的潜在影响。

规则

有关文件规则的更多信息请参见“ Cisco技术提示规则”。

配置

本部分提供有关如何配置本文档所述功能的信息。

注意：要查找有关本文档中所用命令的其他信息，请使用命令查找工具(仅限注册客户)。

网络图

本文档使用此图所示的网络设置。

带有服务器指定号码的 PPP 回拨

服务器配置

以下是使用AAA服务器指定的电话号码的PPP回拨的AAA服务器配置。

服务器设置- Cisco Secure ACS for Windows

• 要为用户和组启用LCP选项，请转到Interface Configuration屏幕，选择TACACS+ (Cisco IOS)，并确保为User和Group选中PPP IP和PPP LCP选项。

• 可以在组或用户设置中配置回叫。

  • 配置回叫组：在“组设置”屏幕中的“回叫”下，选择使用Windows数据库回叫设置（在较早版本的ACS中，此选项称为“使用Microsoft NT回叫设置”）的选项。然后选中PPP IP和PPP LCP选项。选择Callback line，并在空白字段中键入84007。

    对于作为组成员的用户，请转到User Setup屏幕并在Callback下选择Use group setting。单击 Submit+ Restart。

  • 配置回叫的单个用户：在“用户设置”屏幕的“回叫”下，选择使用此号码的回叫并在空白字段中键入84007。然后选中PPP IP和PPP LCP选项。单击 Submit+ Restart。

服务器设置- Cisco Secure UNIX

<coachella>/export/home/brownr> ViewProfile -p 9900 -u callback_user
User Profile Information
user = callback_user{
profile_id = 113
profile_cycle = 15
member = ccie_study
password = chap "********"
service=ppp {
protocol=ip {
}
protocol=lcp {
set callback-dialstring=84007
}
}

}

服务器设置- TACACS+免费软件

user = callback_user {
chap= cleartext "chapuser"
service = ppp protocol = lcp {
callback-dialstring=84007
}
service = ppp protocol = ip {
}
}

带有用户指定号码的 PPP 回拨

本文档前面部分中的示例是在预定义号码（在AAA服务器中指定）回叫的示例。回拨还可以使用回拨号码在用户指定的号码上完成，并在AAA服务器中指定为null。这会导致路由器要求用户提供回拨号码。应在指定本地回调的情况下完成初始测试。请参阅接入服务器和PC之间的异步PPP回拨示例，并注意“callback-dialstring”指定为引号(“”)。

这些测试中的客户端是Windows 2000 Professional客户端，按常规设置进行PPP连接，而Microsoft Callback设置为“在以下号码后回叫”。

注意：显示的网络图和路由器配置适用于此处讨论的回叫配置。

服务器配置

此处显示了使用用户指定的电话号码的PPP回拨的AAA服务器配置。

服务器设置- Cisco Secure for Windows

• 要为用户和组启用LCP选项，请转到Interface Configuration屏幕，选择TACACS+ (Cisco IOS)，并确保为User和Group选中PPP IP和PPP LCP选项。

• 可以在组或用户设置中配置回叫。

  • 配置回叫组：在“组设置”屏幕的回叫下，选择“拨号客户端”指定回叫号码的选项。然后选中PPP IP和PPP LCP选项。

    对于作为组成员的用户，请转到User Setup屏幕并在Callback下选择Use group setting。单击 Submit+ Restart。

  • 配置回叫的单个用户：在“用户设置”屏幕的“回叫”下，选择“拨号客户端”选项指定回叫号码。然后选中PPP IP和PPP LCP选项。单击 Submit+ Restart。

服务器设置- Cisco Secure UNIX

<coachella>ViewProfile -p 9900 -u callback_user
User Profile Information
user = callback_user{
profile_id = 113
profile_cycle = 15
member = ccie_study
password = chap "********"
service=ppp {
protocol=ip {
}
protocol=lcp {
set callback-dialstring=""
}
}

}

服务器设置- TACACS+免费软件

user = callback_user {
chap= cleartext "chapuser"
service = ppp protocol = lcp {
callback-dialstring=""
}
service = ppp protocol = ip {
}
}

路由器配置

AS5200

maui-nas-01#show run
Building configuration...

Current configuration : 2882 bytes
!
version 12.1
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-01
!
logging buffered 4096 debugging
no logging console guaranteed
no logging console

!--- Basic AAA configuration using TACACS+ as the primary method, !--- local if the ERROR is received during negotiation. !--- Disable AAA authentication and authorization on console port.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization exec NO_AUTHOR none
aaa authorization network default group tacacs+ local
enable secret <snipped>
!
username admin password <snipped>
spe 1/0 1/23
firmware location feature_card_flash
spe 2/0 2/4
!
resource-pool disable
!
clock timezone CST -6
clock summer-time CST recurring
modem recovery action none
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
ip name-server 172.22.53.210
!
no ip bootp server
isdn switch-type primary-ni
! 

!--- Chat scripts "offhook" and "CALLBACK" !--- used intuitively to go offhook and callback clients.

chat-script CALLBACK ABORT ERROR ABORT BUSY "" "AT" 
OK "ATDT \T" TIMEOUT 30 CONNECT \c
chat-script offhook "" "ATH1" OK \c
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Ethernet0
ip address 172.22.53.101 255.255.255.0
no ip route-cache
no ip mroute-cache
no cdp enable
!
interface Serial0:23
no ip address
encapsulation ppp
no ip route-cache
isdn switch-type primary-ni
isdn incoming-voice modem
isdn bchan-number-order ascending
no cdp enable
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
async mode interactive
peer default ip address pool IP_POOL
no cdp enable

!--- Allows "group-async 1" to accept PPP callback requests from clients. !--- Use Challenge Authentication Protocol (CHAP) for authentication !--- on incoming calls.

ppp callback accept
ppp authentication chap callin
group-range 1 48
!
ip local pool IP_POOL 172.22.53.141 172.22.53.148
ip default-gateway 172.22.53.1
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.53.1
!
no cdp run
tacacs-server host 172.22.53.201 key <snipped>
!
line con 0
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
transport input none
line 1 48

!--- Specifies chat scripts used during callback to clients.

script modem-off-hook offhook
script callback CALLBACK
modem InOut
transport preferred none
transport input all
transport output none
autoselect during-login
autoselect ppp
callback forced-wait 5
line aux 0
line vty 0 4
!
ntp server 172.22.53.1
end

验证

当前没有可用于此配置的验证过程。

故障排除

本部分提供的信息可用于对配置进行故障排除。

故障排除命令

注意：在发出debug命令之前，请参阅有关Debug命令的重要信息。

• debug aaa authentication - 显示有关 AAA 身份验证的信息。

• debug aaa authorization - 显示有关 AAA 授权的信息。

• debug callback— 显示路由器使用调制解调器和对话脚本在终端线路上回拨时的回拨事件。

• debug chat -显示网络接入服务器(NAS)和PC之间发送的字符。聊天脚本是定义数据终端设备 (DTE)-DTE 或 DTE-数据通信设备 (DCE) 设备之间的握手的一组期望发送的字符串对。

• debug modem - 显示接入服务器上的调制解调器线路活动情况。

• debug ppp negotiation — 显示在 PPP 启动期间传输的 PPP 数据包，在此启动期间将协商 PPP 选项。

• debug ppp authentication— 显示身份验证协议消息，包括质询身份验证协议(CHAP)数据包交换和口令身份验证协议(PAP)交换。

• debug tacacs+ -显示与TACACS+相关的详细调试信息。

调试输出示例

此图中的各个阶段对应于此图之后显示的实际debug输出。请注意，由于空间方面的考虑，某些输出已分为两行。

第 1 阶段

maui-nas-01#debug aaa authentication
maui-nas-01#debug aaa authorization

maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on

!--- AAA negotiation begins, aborted because PPP is autoselected.

Aug 1 09:23:53.320 CST: AAA: parse name=tty6 idb type=10 tty=6
Aug 1 09:23:53.320 CST: AAA: name=tty6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:53.324 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:53.328 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4
Aug 1 09:23:53.332 CST: AAA/MEMORY: create_user (0x2A0AA0) user='' ruser='' 
  port='tty6' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:53.336 CST: AAA/AUTHEN/START (2776623843): port='tty6' list=''
  action=LOGIN service=LOGIN
Aug 1 09:23:53.340 CST: AAA/AUTHEN/START (2776623843): using "default" list
Aug 1 09:23:53.344 CST: AAA/AUTHEN/START (2776623843): Method=tacacs+ (tacacs+)
Aug 1 09:23:53.348 CST: TAC+: send AUTHEN/START packet ver=192 id=2776623843
Aug 1 09:23:53.572 CST: TAC+: ver=192 id=2776623843 received AUTHEN
  status = GETUSER
Aug 1 09:23:53.576 CST: AAA/AUTHEN (2776623843): status = GETUSER
Aug 1 09:23:55.548 CST: AAA/AUTHEN/ABORT: (2776623843) because Autoselected.
Aug 1 09:23:55.552 CST: TAC+: send abort reason=Autoselected
Aug 1 09:23:55.668 CST: AAA/MEMORY: free_user (0x2A0AA0) user='' ruser=''
  port='tty6'rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:58.124 CST: %LINK-3-UPDOWN: Interface Async6, changed state to up
Aug 1 09:23:58.148 CST: As6 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Aug 1 09:23:58.912 CST: AAA: parse name=Async6 idb type=10 tty=6
Aug 1 09:23:58.916 CST: AAA: name=Async6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:58.916 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:58.920 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4

!--- AAA Authentication start packet is sent to AAA server.

Aug 1 09:23:58.924 CST: AAA/MEMORY: create_user (0x2984EC)
  user='callback_user'ruser='' port='Async6' rem_addr='async/81560' 
  authen_type=CHAP service=PPP priv=1
Aug 1 09:23:58.932 CST: AAA/AUTHEN/START (3527356355): port='Async6' list=''
  action=LOGIN service=PPP
Aug 1 09:23:58.936 CST: AAA/AUTHEN/START (3527356355): using "default" list
Aug 1 09:23:58.936 CST: AAA/AUTHEN (3527356355): status = UNKNOWN
Aug 1 09:23:58.940 CST: AAA/AUTHEN/START (3527356355): Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA server.

Aug 1 09:23:58.944 CST: TAC+: send AUTHEN/START packet ver=193 id=3527356355
Aug 1 09:23:59.172 CST: TAC+: ver=193 id=3527356355 received AUTHEN
  status = PASS
Aug 1 09:23:59.172 CST: AAA/AUTHEN (3527356355): status = PASS

!--- AAA Authorization request sent to AAA server for LCP.

Aug 1 09:23:59.180 CST: As6 AAA/AUTHOR/LCP: Authorize LCP
Aug 1 09:23:59.184 CST: As6 AAA/AUTHOR/LCP (1701401119): Port='Async6'
  list='' service=NET
Aug 1 09:23:59.188 CST: AAA/AUTHOR/LCP: As6 (1701401119) user='callback_user'
Aug 1 09:23:59.192 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV service=ppp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV protocol=lcp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): found list "default"
Aug 1 09:23:59.200 CST: As6 AAA/AUTHOR/LCP (1701401119):
  Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA server, set the callback dialstring !--- via the "callback-dialstring" Attribute Value Pair.

Aug 1 09:23:59.204 CST: AAA/AUTHOR/TAC+: (1701401119): user=callback_user
Aug 1 09:23:59.208 CST: AAA/AUTHOR/TAC+: (1701401119): send AV service=ppp
Aug 1 09:23:59.212 CST: AAA/AUTHOR/TAC+: (1701401119): send AV protocol=lcp
Aug 1 09:23:59.440 CST: TAC+: (1701401119): received author response status 
  = PASS_ADD
Aug 1 09:23:59.448 CST: As6 AAA/AUTHOR (1701401119): Post authorization status 
  = PASS_ADD
Aug 1 09:23:59.452 CST: As6 AAA/AUTHOR/LCP: Processing AV service=ppp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV
  callback-dialstring=81550

第 2 阶段

maui-nas-01#debug aaa authentication
maui-nas-01#debug aaa authorization

maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on

!--- AAA negotiation begins, aborted because PPP is autoselected.

Aug 1 09:23:53.320 CST: AAA: parse name=tty6 idb type=10 tty=6
Aug 1 09:23:53.320 CST: AAA: name=tty6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:53.324 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:53.328 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4
Aug 1 09:23:53.332 CST: AAA/MEMORY: create_user (0x2A0AA0) user='' ruser='' 
  port='tty6' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:53.336 CST: AAA/AUTHEN/START (2776623843): port='tty6' list=''
  action=LOGIN service=LOGIN
Aug 1 09:23:53.340 CST: AAA/AUTHEN/START (2776623843): using "default" list
Aug 1 09:23:53.344 CST: AAA/AUTHEN/START (2776623843): Method=tacacs+ (tacacs+)
Aug 1 09:23:53.348 CST: TAC+: send AUTHEN/START packet ver=192 id=2776623843
Aug 1 09:23:53.572 CST: TAC+: ver=192 id=2776623843 received AUTHEN
  status = GETUSER
Aug 1 09:23:53.576 CST: AAA/AUTHEN (2776623843): status = GETUSER
Aug 1 09:23:55.548 CST: AAA/AUTHEN/ABORT: (2776623843) because Autoselected.
Aug 1 09:23:55.552 CST: TAC+: send abort reason=Autoselected
Aug 1 09:23:55.668 CST: AAA/MEMORY: free_user (0x2A0AA0) user='' ruser=''
  port='tty6'rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:58.124 CST: %LINK-3-UPDOWN: Interface Async6, changed state to up
Aug 1 09:23:58.148 CST: As6 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Aug 1 09:23:58.912 CST: AAA: parse name=Async6 idb type=10 tty=6
Aug 1 09:23:58.916 CST: AAA: name=Async6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:58.916 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:58.920 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4

!--- AAA Authentication start packet is sent to AAA server.

Aug 1 09:23:58.924 CST: AAA/MEMORY: create_user (0x2984EC)
  user='callback_user'ruser='' port='Async6' rem_addr='async/81560' 
  authen_type=CHAP service=PPP priv=1
Aug 1 09:23:58.932 CST: AAA/AUTHEN/START (3527356355): port='Async6' list=''
  action=LOGIN service=PPP
Aug 1 09:23:58.936 CST: AAA/AUTHEN/START (3527356355): using "default" list
Aug 1 09:23:58.936 CST: AAA/AUTHEN (3527356355): status = UNKNOWN
Aug 1 09:23:58.940 CST: AAA/AUTHEN/START (3527356355): Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA Server.

Aug 1 09:23:58.944 CST: TAC+: send AUTHEN/START packet ver=193 id=3527356355
Aug 1 09:23:59.172 CST: TAC+: ver=193 id=3527356355 received AUTHEN
  status = PASS
Aug 1 09:23:59.172 CST: AAA/AUTHEN (3527356355): status = PASS

!--- AAA Authorization request sent to AAA server for LCP.

Aug 1 09:23:59.180 CST: As6 AAA/AUTHOR/LCP: Authorize LCP
Aug 1 09:23:59.184 CST: As6 AAA/AUTHOR/LCP (1701401119): Port='Async6'
  list='' service=NET
Aug 1 09:23:59.188 CST: AAA/AUTHOR/LCP: As6 (1701401119) user='callback_user'
Aug 1 09:23:59.192 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV service=ppp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV protocol=lcp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): found list "default"
Aug 1 09:23:59.200 CST: As6 AAA/AUTHOR/LCP (1701401119):
  Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA Server, set the callback dialstring !--- via the "callback-dialstring" Attribute Value Pair.

Aug 1 09:23:59.204 CST: AAA/AUTHOR/TAC+: (1701401119): user=callback_user
Aug 1 09:23:59.208 CST: AAA/AUTHOR/TAC+: (1701401119): send AV service=ppp
Aug 1 09:23:59.212 CST: AAA/AUTHOR/TAC+: (1701401119): send AV protocol=lcp
Aug 1 09:23:59.440 CST: TAC+: (1701401119): received author response status 
  = PASS_ADD
Aug 1 09:23:59.448 CST: As6 AAA/AUTHOR (1701401119): Post authorization status 
  = PASS_ADD
Aug 1 09:23:59.452 CST: As6 AAA/AUTHOR/LCP: Processing AV service=ppp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV
  callback-dialstring=81550

第 3 阶段

maui-nas-01#show debug
General OS:
Modem control/process activation debugging is on
PPP:
PPP protocol negotiation debugging is on
Chat Scripts:
Chat scripts activity debugging is on
Callback:
Callback activity debugging is on

Aug 1 09:33:38.862 CST: As7 MCB: User callback_user Callback Number
  - Server 81550
Aug 1 09:33:38.870 CST: Async7 PPP: O MCB Request(1) id 1 len 7
Aug 1 09:33:38.874 CST: Async7 MCB: O 1 1 0 7 3 3 0 
Aug 1 09:33:38.874 CST: As7 MCB: O Request Id 1 Callback Type
  Server-Num delay 0
Aug 1 09:33:38.878 CST: As7 PPP: Phase is CBCP
Aug 1 09:33:39.018 CST: Async7 PPP: I MCB Response(2) id 1 len 7
Aug 1 09:33:39.022 CST: Async7 MCB: I 2 1 0 7 3 3 C 
Aug 1 09:33:39.026 CST: As7 MCB: Received response
Aug 1 09:33:39.026 CST: As7 MCB: Response CBK-Server-Num 3 3 12
Aug 1 09:33:39.034 CST: Async7 PPP: O MCB Ack(3) id 2 len 7
Aug 1 09:33:39.034 CST: Async7 MCB: O 3 2 0 7 3 3 C 
Aug 1 09:33:39.038 CST: As7 MCB: O Ack Id 2 Callback Type Server-Num delay 12
Aug 1 09:33:39.042 CST: As7 MCB: Negotiated MCB with peer

!--- NAS sends LCP Terminate Request from client.

Aug 1 09:33:39.182 CST: As7 LCP: I TERMREQ [Open] id 6 len 16
  (0x566260A7003CCD7400000000)

!--- NAS receives Terminate Acknowledge from client.

Aug 1 09:33:39.186 CST: As7 LCP: O TERMACK [Open] id 6 len 4
Aug 1 09:33:39.190 CST: As7 MCB: Peer terminating the link
Aug 1 09:33:39.194 CST: As7 MCB: Link terminated by peer, Callback Needed
Aug 1 09:33:39.198 CST: As7 MCB: Initiate Callback for callback_user
  at 81550 using Async
Aug 1 09:33:39.202 CST: As7 MCB: Async-callback in progress
Aug 1 09:33:39.206 CST: As7 PPP: Phase is TERMINATING

!--- NAS disconnects and initiates offhook and CALLBACK chat scripts.

Aug 1 09:33:39.210 CST: TTY7 Callback PPP process creation
Aug 1 09:33:39.218 CST: TTY7 Callback process initiated, user: dialstring 81550
Aug 1 09:33:40.110 CST: %ISDN-6-DISCONNECT: Interface Serial0:5 disconnected 
  from unknown , call lasted 19 seconds
Aug 1 09:33:40.294 CST: TTY7: Async Int reset: Dropping DTR
Aug 1 09:33:41.210 CST: As7 LCP: TIMEout: State TERMsent
Aug 1 09:33:41.210 CST: As7 LCP: State is Closed
Aug 1 09:33:41.214 CST: As7 PPP: Phase is DOWN
Aug 1 09:33:41.218 CST: As7 PPP: Phase is ESTABLISHING, Passive Open
Aug 1 09:33:41.226 CST: As7 LCP: State is Listen
Aug 1 09:33:42.298 CST: %LINK-5-CHANGED: Interface Async7,
  changed state to reset
Aug 1 09:33:42.318 CST: As7 LCP: State is Closed
Aug 1 09:33:42.318 CST: As7 PPP: Phase is DOWN
Aug 1 09:33:45.302 CST: As7 IPCP: Remove route to 172.22.53.147
Aug 1 09:33:45.306 CST: TTY7 Callback forced wait = 5 seconds
Aug 1 09:33:47.302 CST: %LINK-3-UPDOWN: Interface Async7, changed state to down
Aug 1 09:33:47.322 CST: As7 LCP: State is Closed
Aug 1 09:33:50.310 CST: CHAT7: Matched chat script offhook to string offhook
Aug 1 09:33:50.314 CST: CHAT7: Asserting DTR
Aug 1 09:33:50.318 CST: CHAT7: Chat script offhook started
Aug 1 09:33:50.322 CST: CHAT7: Sending string: ATH1
Aug 1 09:33:50.322 CST: CHAT7: Expecting string: OK
Aug 1 09:33:50.634 CST: CHAT7: Completed match for expect: OK
Aug 1 09:33:50.638 CST: CHAT7: Sending string: \c
Aug 1 09:33:50.638 CST: CHAT7: Chat script offhook finished, status = Success
Aug 1 09:33:50.642 CST: CHAT7: Matched chat script CALLBACK to string CALLBACK
Aug 1 09:33:50.650 CST: CHAT7: Asserting DTR
Aug 1 09:33:50.650 CST: CHAT7: Chat script CALLBACK started
Aug 1 09:33:50.654 CST: CHAT7: Sending string: AT
Aug 1 09:33:50.658 CST: CHAT7: Expecting string: OK
Aug 1 09:33:50.686 CST: CHAT7: Completed match for expect: OK
Aug 1 09:33:50.686 CST: CHAT7: Sending string: ATDT \T<81550>
Aug 1 09:33:50.694 CST: CHAT7: Expecting string: CONNECT
Aug 1 09:34:04.051 CST: %ISDN-6-CONNECT: Interface Serial0:0 is now
  connected to 81550 
Aug 1 09:34:17.543 CST: CHAT7: Completed match for expect: CONNECT
Aug 1 09:34:17.547 CST: CHAT7: Sending string: \c
Aug 1 09:34:17.547 CST: CHAT7: Chat script CALLBACK finished, status = Success

第 4 阶段

maui-nas-01#debug aaa authentication
maui-nas-01#debug aaa authorization
maui-nas-01#debug ppp authentication

maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on

!--- AAA/ PPP negotiation begins.

Aug 1 09:42:15.096 CST: TTY8: Callback starting PPP directly with
  valid auth info
Aug 1 09:42:15.104 CST: TTY8: destroy timer type 1
Aug 1 09:42:15.104 CST: TTY8: destroy timer type 0
Aug 1 09:42:15.160 CST: As8 LCP: I CONFREQ [Closed] id 0 len 47
Aug 1 09:42:15.164 CST: As8 LCP: ACCM 0x00000000 (0x020600000000)
Aug 1 09:42:15.168 CST: As8 LCP: MagicNumber 0x5FA259DE (0x05065FA259DE)
Aug 1 09:42:15.172 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.172 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.176 CST: As8 LCP: MRRU 1614 (0x1104064E)
Aug 1 09:42:15.180 CST: As8 LCP: EndpointDisc 1 Local
Aug 1 09:42:15.184 CST: As8 LCP: (0x131701DC57FC8B1CEA4CCEA064C0D958)
Aug 1 09:42:15.188 CST: As8 LCP: (0x82667300000000)
Aug 1 09:42:15.192 CST: As8 LCP: Lower layer not up, Fast Starting
Aug 1 09:42:15.196 CST: As8 PPP: Treating connection as a callout
Aug 1 09:42:15.200 CST: As8 PPP: Phase is ESTABLISHING, Active Open
Aug 1 09:42:15.204 CST: AAA/MEMORY: dup_user (0x4DDDF8) user='callback_user' 
  ruser='' port='Async8' rem_addr='async/81560' authen_type=CHAP service=PPP
  priv=1 source='AAA dup lcp_reset'
Aug 1 09:42:15.212 CST: AAA/MEMORY: free_user (0x2F5418) user='callback_user'
  ruser='' port='Async8' rem_addr='async/81560' authen_type=CHAP service=PPP 
  priv=1
Aug 1 09:42:15.216 CST: As8 AAA/AUTHEN: Method=IF-NEEDED: no authentication 
  needed. user='callback_user' port='Async8' rem_addr='async/81560'
Aug 1 09:42:15.224 CST: As8 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Aug 1 09:42:15.228 CST: As8 LCP: O CONFREQ [Closed] id 2 len 20
Aug 1 09:42:15.232 CST: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
Aug 1 09:42:15.236 CST: As8 LCP: MagicNumber 0x6530AEA5 (0x05066530AEA5)
Aug 1 09:42:15.240 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.240 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.248 CST: As8 LCP: O CONFREJ [REQsent] id 0 len 8
Aug 1 09:42:15.252 CST: As8 LCP: MRRU 1614 (0x1104064E)
Aug 1 09:42:15.260 CST: %LINK-3-UPDOWN: Interface Async8, changed state to up
Aug 1 09:42:15.368 CST: As8 LCP: I CONFACK [REQsent] id 2 len 20
Aug 1 09:42:15.372 CST: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
Aug 1 09:42:15.376 CST: As8 LCP: MagicNumber 0x6530AEA5 (0x05066530AEA5)
Aug 1 09:42:15.380 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.384 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.404 CST: As8 LCP: I CONFREQ [ACKrcvd] id 1 len 43
Aug 1 09:42:15.408 CST: As8 LCP: ACCM 0x00000000 (0x020600000000)
Aug 1 09:42:15.412 CST: As8 LCP: MagicNumber 0x5FA259DE (0x05065FA259DE)
Aug 1 09:42:15.412 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.416 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.420 CST: As8 LCP: EndpointDisc 1 Local
Aug 1 09:42:15.424 CST: As8 LCP: (0x131701DC57FC8B1CEA4CCEA064C0D958)
Aug 1 09:42:15.428 CST: As8 LCP: (0x82667300000000)
Aug 1 09:42:15.432 CST: As8 LCP: O CONFACK [ACKrcvd] id 1 len 43
Aug 1 09:42:15.436 CST: As8 LCP: ACCM 0x00000000 (0x020600000000)
Aug 1 09:42:15.440 CST: As8 LCP: MagicNumber 0x5FA259DE (0x05065FA259DE)
Aug 1 09:42:15.444 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.448 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.452 CST: As8 LCP: EndpointDisc 1 Local
Aug 1 09:42:15.456 CST: As8 LCP: (0x131701DC57FC8B1CEA4CCEA064C0D958)
Aug 1 09:42:15.460 CST: As8 LCP: (0x82667300000000)
Aug 1 09:42:15.460 CST: As8 LCP: State is Open
Aug 1 09:42:15.468 CST: As8 AAA/AUTHOR/LCP: Authorize LCP
Aug 1 09:42:15.468 CST: As8 AAA/AUTHOR/LCP (2679858087): Port='Async8' list='' 
  service=NET
Aug 1 09:42:15.472 CST: AAA/AUTHOR/LCP: As8 (2679858087) user='callback_user'
Aug 1 09:42:15.476 CST: As8 AAA/AUTHOR/LCP (2679858087): send AV service=ppp
Aug 1 09:42:15.480 CST: As8 AAA/AUTHOR/LCP (2679858087): send AV protocol=lcp
Aug 1 09:42:15.484 CST: As8 AAA/AUTHOR/LCP (2679858087): found list "default"
Aug 1 09:42:15.488 CST: As8 AAA/AUTHOR/LCP (2679858087): Method=tacacs+ (tacacs+)
Aug 1 09:42:15.492 CST: AAA/AUTHOR/TAC+: (2679858087): user=callback_user
Aug 1 09:42:15.492 CST: AAA/AUTHOR/TAC+: (2679858087): send AV service=ppp
Aug 1 09:42:15.496 CST: AAA/AUTHOR/TAC+: (2679858087): send AV protocol=lcp
Aug 1 09:42:15.724 CST: TAC+: (2679858087): received author response status 
  = PASS_ADD
Aug 1 09:42:15.732 CST: As8 AAA/AUTHOR (2679858087): Post authorization status 
  = PASS_ADD
Aug 1 09:42:15.736 CST: As8 AAA/AUTHOR/LCP: Processing AV service=ppp
Aug 1 09:42:15.740 CST: As8 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Aug 1 09:42:15.740 CST: As8 AAA/AUTHOR/LCP: Processing AV
  callback-dialstring=81550
Aug 1 09:42:15.748 CST: As8 PPP: Phase is UP
Aug 1 09:42:15.752 CST: As8 AAA/AUTHOR/FSM: (0): Can we start IPCP?
Aug 1 09:42:15.756 CST: As8 AAA/AUTHOR/FSM (3644410406): Port='Async8' list='' 
  service=NET
Aug 1 09:42:15.760 CST: AAA/AUTHOR/FSM: As8 (3644410406) user='callback_user'
Aug 1 09:42:15.764 CST: As8 AAA/AUTHOR/FSM (3644410406): send AV service=ppp
Aug 1 09:42:15.768 CST: As8 AAA/AUTHOR/FSM (3644410406): send AV protocol=ip
Aug 1 09:42:15.768 CST: As8 AAA/AUTHOR/FSM (3644410406): found list "default"
Aug 1 09:42:15.772 CST: As8 AAA/AUTHOR/FSM (3644410406): Method=tacacs+ (tacacs+)
Aug 1 09:42:15.776 CST: AAA/AUTHOR/TAC+: (3644410406): user=callback_user
Aug 1 09:42:15.780 CST: AAA/AUTHOR/TAC+: (3644410406): send AV service=ppp
Aug 1 09:42:15.784 CST: AAA/AUTHOR/TAC+: (3644410406): send AV protocol=ip
Aug 1 09:42:16.016 CST: TAC+: (3644410406): received author response status 
  = PASS_ADD
Aug 1 09:42:16.020 CST: As8 AAA/AUTHOR (3644410406): Post authorization status 
  = PASS_ADD
Aug 1 09:42:16.028 CST: As8 AAA/AUTHOR/FSM: We can start IPCP
Aug 1 09:42:16.032 CST: As8 IPCP: O CONFREQ [Closed] id 1 len 16
Aug 1 09:42:16.036 CST: As8 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
Aug 1 09:42:16.040 CST: As8 IPCP: Address 172.22.53.101 (0x0306AC163565)
Aug 1 09:42:16.048 CST: As8 LCP: I IDENTIFY [Open] id 2 len 18 magic 
  0x5FA259DEMSRASV5.00
Aug 1 09:42:16.052 CST: As8 LCP: I IDENTIFY [Open] id 3 len 29 magic 
  0x5FA259DEMSRAS-1-RBROWN-LAPTOP
Aug 1 09:42:16.056 CST: As8 CCP: I CONFREQ [Not negotiated] id 4 len 10
Aug 1 09:42:16.060 CST: As8 CCP: MS-PPC supported bits 0x00000001
  (0x120600000001)
Aug 1 09:42:16.068 CST: As8 LCP: O PROTREJ [Open] id 3 len 16 protocol CCP
  (0x80FD0104000A120600000001)
Aug 1 09:42:16.080 CST: As8 IPCP: I CONFREQ [REQsent] id 5 len 40
Aug 1 09:42:16.084 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:16.088 CST: As8 IPCP: Address 0.0.0.0 (0x030600000000)
Aug 1 09:42:16.092 CST: As8 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Aug 1 09:42:16.096 CST: As8 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
Aug 1 09:42:16.100 CST: As8 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Aug 1 09:42:16.104 CST: As8 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
Aug 1 09:42:16.108 CST: As8 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we 
  want 172.22.53.148
Aug 1 09:42:16.112 CST: As8 AAA/AUTHOR/IPCP: Processing AV service=ppp
Aug 1 09:42:16.116 CST: As8 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Aug 1 09:42:16.120 CST: As8 AAA/AUTHOR/IPCP: Authorization succeeded
Aug 1 09:42:16.120 CST: As8 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 
  172.22.53.148
Aug 1 09:42:16.128 CST: As8 IPCP: O CONFREJ [REQsent] id 5 len 22
Aug 1 09:42:16.132 CST: As8 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
Aug 1 09:42:16.136 CST: As8 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Aug 1 09:42:16.144 CST: As8 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
Aug 1 09:42:16.184 CST: As8 IPCP: I CONFACK [REQsent] id 1 len 16
Aug 1 09:42:16.188 CST: As8 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
Aug 1 09:42:16.192 CST: As8 IPCP: Address 172.22.53.101 (0x0306AC163565)
Aug 1 09:42:16.680 CST: As8 IPCP: I CONFREQ [ACKrcvd] id 6 len 22
Aug 1 09:42:16.684 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:16.688 CST: As8 IPCP: Address 0.0.0.0 (0x030600000000)
Aug 1 09:42:16.692 CST: As8 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Aug 1 09:42:16.696 CST: As8 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we 
  want 172.22.53.148
Aug 1 09:42:16.700 CST: As8 AAA/AUTHOR/IPCP: Processing AV service=ppp
Aug 1 09:42:16.704 CST: As8 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Aug 1 09:42:16.708 CST: As8 AAA/AUTHOR/IPCP: Authorization succeeded
Aug 1 09:42:16.708 CST: As8 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we 
  want 172.22.53.148
Aug 1 09:42:16.716 CST: As8 IPCP: O CONFNAK [ACKrcvd] id 6 len 16
Aug 1 09:42:16.720 CST: As8 IPCP: Address 172.22.53.148 (0x0306AC163594)
Aug 1 09:42:16.724 CST: As8 IPCP: PrimaryDNS 172.22.53.210 (0x8106AC1635D2)
Aug 1 09:42:16.748 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async8,
  changed state to up
Aug 1 09:42:16.852 CST: As8 IPCP: I CONFREQ [ACKrcvd] id 7 len 22
Aug 1 09:42:16.856 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:16.860 CST: As8 IPCP: Address 172.22.53.148 (0x0306AC163594)
Aug 1 09:42:16.864 CST: As8 IPCP: PrimaryDNS 172.22.53.210 (0x8106AC1635D2)
Aug 1 09:42:16.868 CST: As8 AAA/AUTHOR/IPCP: Start. Her address 172.22.53.148,
  we want 172.22.53.148
Aug 1 09:42:16.876 CST: As8 AAA/AUTHOR/IPCP (4022385425): Port='Async8'
  list=''service=NET
Aug 1 09:42:16.880 CST: AAA/AUTHOR/IPCP: As8 (4022385425) user='callback_user'
Aug 1 09:42:16.884 CST: As8 AAA/AUTHOR/IPCP (4022385425): send AV service=ppp
Aug 1 09:42:16.888 CST: As8 AAA/AUTHOR/IPCP (4022385425): send AV protocol=ip
Aug 1 09:42:16.892 CST: As8 AAA/AUTHOR/IPCP (4022385425):
  send AV addr*172.22.53.148
Aug 1 09:42:16.892 CST: As8 AAA/AUTHOR/IPCP (4022385425): found list "default"
Aug 1 09:42:16.896 CST: As8 AAA/AUTHOR/IPCP (4022385425): Method=tacacs+ (tacacs+)
Aug 1 09:42:16.900 CST: AAA/AUTHOR/TAC+: (4022385425): user=callback_user
Aug 1 09:42:16.904 CST: AAA/AUTHOR/TAC+: (4022385425): send AV service=ppp
Aug 1 09:42:16.908 CST: AAA/AUTHOR/TAC+: (4022385425): send AV protocol=ip
Aug 1 09:42:16.912 CST: AAA/AUTHOR/TAC+: (4022385425): 
  send AV addr*172.22.53.148
Aug 1 09:42:17.140 CST: TAC+: (4022385425): received author response status 
  = PASS_REPL
Aug 1 09:42:17.148 CST: As8 AAA/AUTHOR (4022385425): Post authorization status 
  = PASS_REPL
Aug 1 09:42:17.156 CST: As8 AAA/AUTHOR/IPCP: Reject 172.22.53.148,
  using 172.22.53.148
Aug 1 09:42:17.164 CST: As8 AAA/AUTHOR/IPCP: Processing AV service=ppp
Aug 1 09:42:17.164 CST: As8 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Aug 1 09:42:17.168 CST: As8 AAA/AUTHOR/IPCP: Processing AV addr*172.22.53.148
Aug 1 09:42:17.172 CST: As8 AAA/AUTHOR/IPCP: Authorization succeeded
Aug 1 09:42:17.176 CST: As8 AAA/AUTHOR/IPCP: Done. Her address 172.22.53.148, 
  we want 172.22.53.148
Aug 1 09:42:17.180 CST: As8 IPCP: O CONFACK [ACKrcvd] id 7 len 22
Aug 1 09:42:17.184 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:17.192 CST: As8 IPCP: Address 172.22.53.148 (0x0306AC163594)
Aug 1 09:42:17.196 CST: As8 IPCP: PrimaryDNS 172.22.53.210 (0x8106AC1635D2)
Aug 1 09:42:17.200 CST: As8 IPCP: State is Open
Aug 1 09:42:17.220 CST: As8 IPCP: Install route to 172.22.53.148

相关信息

• Cisco Secure ACS for Windows 支持页
• TACACS+ 支持页
• IOS 文档中的 TACACS+
• 技术支持和文档 - Cisco Systems