Sternenkind

aaa new-model


Hi!

Can anyone tell me why my Internet dial-up works with no aaa new-model

and with

aaa new-model

aaa authentication login clientauth local

aaa authorization network groupauthor local

aaa authentication ppp default local

aaa authorization network default if-authenticated

it doesn't?

What is different about the dialer with aaa compared to without it?

Google somehow isn't helping me...

I find configs from other people where it looks exactly the same but works *looks dumb*

I really like it, because I've hooked the router up to Active Directory with it, but if the Internet doesn't work then, the point is doubtful too.

Thanks for any tips :)


Hola,

Authentication, Authorization and Accounting (AAA) naturally affects the dialer, since aaa new-model sets the methods for (A)(A)(A), i.e. where the password is asked for, what rights the user has (authorization) and where logging messages are stored (put simply). For the Internet dial-up, aaa authentication ppp local applies here

=> so a username and password must be defined globally as well as under the dialer.

and

aaa authorization network groupauthor local

what is defined under the method groupauthor?

Ciao

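One way to see the point made above in code: the following added Python script (my example, not from the thread or from Cisco) reads an IOS config and reports which AAA method list each PPP interface will use once aaa new-model is on (the named list on the ppp authentication line, otherwise 'default'), and flags 'login local' on lines, which IOS rejects in that mode. The config excerpt is constructed from the thread's config, with an undefined list name on Virtual-Template2 added on purpose to exercise the check.

```python
import re

# Constructed config excerpt modelled on the one posted in this thread; the
# undefined list 'vpnusers' on Virtual-Template2 is added to exercise the check.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
interface Dialer1
 encapsulation ppp
 ppp authentication pap chap callin
!
interface Virtual-Template2
 ppp authentication ms-chap-v2 vpnusers
!
line vty 0 4
 login local
"""

PROTOCOLS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap"}
KEYWORDS = {"if-needed", "callin", "one-time", "optional"}

def audit(config):
    """Report the AAA method list each PPP interface uses under 'aaa new-model'
    and line commands that IOS rejects once that mode is on."""
    new_model = re.search(r"^aaa new-model$", config, re.M) is not None
    ppp_lists = set(re.findall(r"^aaa authentication ppp (\S+)", config, re.M))
    report = {"aaa_new_model": new_model, "interfaces": {}, "issues": []}
    section = ""
    for line in config.splitlines():
        if line and not line[0].isspace():
            section = line                      # 'interface Dialer1', 'line vty 0 4', ...
            continue
        tokens = line.split()
        if section.startswith("interface ") and tokens[:2] == ["ppp", "authentication"]:
            iface = section.split(None, 1)[1]
            # What is left after protocols and option keywords is the list name; with
            # none given, AAA picks the list called 'default' (as the thread's debug shows).
            rest = [t for t in tokens[2:] if t not in PROTOCOLS | KEYWORDS]
            listname = rest[0] if rest else "default"
            info = {"list": listname, "defined": listname in ppp_lists,
                    "callin_only": "callin" in tokens}
            report["interfaces"][iface] = info
            if new_model and not info["defined"]:
                report["issues"].append(f"{iface}: no 'aaa authentication ppp {listname}' defined")
        elif section.startswith("line ") and tokens == ["login", "local"] and new_model:
            report["issues"].append(f"{section}: 'login local' is rejected under aaa new-model; "
                                    "use 'login authentication <list-name>'")
    return report
```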

Pfff....

What a hassle, I just want my dialer to get onto the Internet :D

I want that for the VPN.

The config is changing constantly at the moment because crypto isn't working, and apart from aaa new-model I stuck to http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

although I don't want to use the VPN clients that way, since I do VPN here with built-in Windows tools

 

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname shandy
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
no logging buffered
enable secret xxx
!
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1
!
!
ip domain name IT-Blankensee.de
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw http
ip ips po max-events 100
ip ssh version 2
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
 ip mtu adjust
!
vpdn-group 2
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
!
no ftp-server write-enable
isdn switch-type basic-net3
!
!
username xxx
!
!
!
crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key xxx
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group testgroup
 key xxx
 dns 192.168.1.34
 wins 192.168.1.34
 domain IT-Blankensee.de
 pool ippool
!
crypto isakmp profile l2l
   keyring spokes
   match identity address 0.0.0.0
!
crypto isakmp profile vpnclient
   match identity group testgroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto dynamic-map dynvpn 5
 set transform-set strong
 set isakmp-profile vpnclient
crypto dynamic-map dynvpn 10
 set transform-set strong
 set isakmp-profile l2l
!
!
crypto map vpn 10 ipsec-isakmp dynamic dynvpn


!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1456
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BRI0
 description connected to T-Online
 ip address negotiated
 ip access-group 111 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw in
 ip virtual-reassembly
 encapsulation ppp
 dialer string 0191011
 dialer hold-queue 10
 dialer-group 2
 isdn switch-type basic-net3
 isdn answer1 4982860
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxx
 ppp ipcp dns request
 ppp ipcp wins request
!
interface ATM0
 no ip address
 load-interval 30
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 1/32
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
!
interface Virtual-Template2
 ip unnumbered Ethernet0
 peer default ip address pool mypool
 ppp pfc local request
 ppp pfc remote apply
 ppp acfc local request
 ppp acfc remote apply
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2
 ppp ipcp dns 192.168.1.34
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxx
 ppp chap password xxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map vpn
!
ip local pool mypool 192.168.2.1 192.168.2.254
ip local pool ippool 192.168.255.1 192.168.255.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 194.25.134.0 255.255.255.0 BRI0
!
ip http server
no ip http secure-server
!
ip nat inside source route-map bri interface BRI0 overload
ip nat inside source route-map dial interface Dialer1 overload
!
logging 192.168.1.2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit tcp any any eq pop3
access-list 103 permit tcp any any eq smtp
access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 remark NAT
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit tcp any any established
access-list 111 permit tcp any any eq 1723
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 111 permit tcp any any eq 22
access-list 111 permit udp any any eq non500-isakmp
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip list 103
!
route-map dial permit 10
 match ip address 110
 match interface Dialer1
!
route-map bri permit 10
 match ip address 110
 match interface BRI0
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
no rcapi server
!
!
end


Hola,

what does debug aaa authentication say when you dial in?

When AAA is enabled, all authentication and authorization methods are set to local (except enable, of course). Maybe your router is trying to authenticate the remote end via the VPN method when dialing in?!

Ciao


It's annoying that it only shows the messages on the console...

*searches for console cable* *curses*

Took COM2 away from the virtual PC on my domain controller

Hooked the router up to it...

mstsc...

shandy>copy tftp://192.168.1.2/
*Jan 27 18:00:33.838: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Jan 27 18:00:33.838: AAA/BIND(0000001C): Bind i/f Virtual-Access2
*Jan 27 18:00:33.846: Vi2 PPP: No remote authentication for call-out
*Jan 27 18:00:33.846: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Jan 27 18:00:34.302: AAA/AUTHEN/PPP (0000001C): Pick method list 'default'
*Jan 27 18:00:34.366: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Jan 27 18:00:34.370: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down060127gutkeller.txt run
shandy>copy tftp://192.168.1.2/060127gutkeller.txt running c
*Jan 27 18:00:56.742: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Jan 27 18:00:56.742: AAA/BIND(0000001D): Bind i/f Virtual-Access2
*Jan 27 18:00:56.746: Vi2 PPP: No remote authentication for call-out
*Jan 27 18:00:56.746: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Jan 27 18:00:57.238: AAA/AUTHEN/PPP (0000001D): Pick method list 'default'
*Jan 27 18:00:57.302: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1onf
*Jan 27 18:00:57.306: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state


Hola,

if you enter terminal monitor via telnet, you'll see the debugging information.

debug aaa auth

add debug ppp authentication as well.

Ciao


Loading 060127keller.txt from 192.168.1.2 (via Ethernet0): !!
[OK - 6528 bytes]
A pre-shared key for address mask 0.0.0.0 0.0.0.0 already exists!
A key already exists for group testgroup
% Profile already contains this keyring
% Already found same 'match identity' statement in this profile
% Already found same 'match identity' statement in this profile
% pvc already member of PPPoE dialer pool
%Remote-name redback is already configured on interface Di1.
*Jan 27 20:35:04.245: Vi2 PPP: Authorization NOT required
*Jan 27 20:35:04.245: Vi2 PPP: No remote authentication for call-out
*Jan 27 20:35:05.273: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
login local
^
% Invalid input detected at '^' marker.

6528 bytes copied in 7.296 secs (895 bytes/sec)
shandy#
*Jan 27 20:35:06.389: AAA/AUTHEN/PPP (0000001F): Pick method list 'default'
*Jan 27 20:35:06.513: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Jan 27 20:35:06.517: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Jan 27 20:35:06.557: %SYS-5-CONFIG_I: Configured from tftp://192.168.1.2/060127keller.txt by hauke on vty0 (192.168.1.2)
*Jan 27 20:35:29.473: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Jan 27 20:35:29.477: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Jan 27 20:35:29.477: AAA/BIND(00000021): Bind i/f Virtual-Access2
*Jan 27 20:35:29.477: Vi2 PPP: Using dialer call direction
*Jan 27 20:35:29.477: Vi2 PPP: Treating connection as a callout
*Jan 27 20:35:29.477: Vi2 PPP: Authorization NOT required
*Jan 27 20:35:29.477: Vi2 PPP: No remote authentication for call-out
*Jan 27 20:35:29.961: AAA/AUTHEN/PPP (00000021): Pick method list 'default'
*Jan 27 20:35:30.021: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Jan 27 20:35:30.025: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
shandy#copy tftp://192.168.1.2/060127keller.txt running-config
*Jan 27 20:35:52.249: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Jan 27 20:35:52.253: AAA/BIND(00000022): Bind i/f Virtual-Access2
*Jan 27 20:35:52.253: Vi2 PPP: Using dialer call direction
*Jan 27 20:35:52.253: Vi2 PPP: Treating connection as a callout
*Jan 27 20:35:52.253: Vi2 PPP: Authorization NOT required
*Jan 27 20:35:52.253: Vi2 PPP: No remote authentication for call-out
*Jan 27 20:35:52.257: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Jan 27 20:35:52.761: AAA/AUTHEN/PPP (00000022): Pick method list 'default'
*Jan 27 20:35:52.825: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Jan 27 20:35:52.829: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Jan 27 20:36:15.029: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Jan 27 20:36:15.029: AAA/BIND(00000023): Bind i/f Virtual-Access2
*Jan 27 20:36:15.029: Vi2 PPP: Using dialer call direction
*Jan 27 20:36:15.029: Vi2 PPP: Treating connection as a callout
*Jan 27 20:36:15.029: Vi2 PPP: Authorization NOT required
*Jan 27 20:36:15.029: Vi2 PPP: No remote authentication for call-out
*Jan 27 20:36:15.033: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Jan 27 20:36:15.541: AAA/AUTHEN/PPP (00000023): Pick method list 'default'
*Jan 27 20:36:15.601: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Jan 27 20:36:15.605: %LINK-3-U$7 20:35:29.473: %DIALER-6-BIND: Interface Vi2 bound to profile Di1

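The debug output above repeats the same short cycle: the dialer binds Vi2, AAA picks the 'default' PPP method list, and the interface is unbound again well under a second later. The following added Python script (my example, not part of the thread) groups such lines into sessions by the %DIALER-6-BIND/UNBIND pair and records the AAA session id, the method list picked, whether the peer authentication step was skipped as a call-out, and how long the session lived. The sample lines are constructed from the output quoted in the thread; the year prepended to the timestamps is an assumption because IOS debug lines carry none.

```python
import re
from datetime import datetime

# Constructed sample modelled on the debug output quoted in this thread.
SAMPLE_DEBUG = """\
*Jan 27 20:35:29.473: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Jan 27 20:35:29.477: AAA/BIND(00000021): Bind i/f Virtual-Access2
*Jan 27 20:35:29.477: Vi2 PPP: Treating connection as a callout
*Jan 27 20:35:29.477: Vi2 PPP: No remote authentication for call-out
*Jan 27 20:35:29.961: AAA/AUTHEN/PPP (00000021): Pick method list 'default'
*Jan 27 20:35:30.021: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Jan 27 20:35:52.249: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Jan 27 20:35:52.253: AAA/BIND(00000022): Bind i/f Virtual-Access2
*Jan 27 20:35:52.761: AAA/AUTHEN/PPP (00000022): Pick method list 'default'
*Jan 27 20:35:52.825: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
"""

LINE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")
AAA_ID = re.compile(r"AAA/(?:BIND|AUTHEN/PPP) ?\((\w+)\)")
METHOD = re.compile(r"Pick method list '([^']+)'")

def parse_ts(text):
    """IOS debug timestamps carry no year; a fixed one (assumed) is enough for durations."""
    return datetime.strptime("2006 " + text, "%Y %b %d %H:%M:%S.%f")

def sessions(log):
    """Group debug lines into dialer sessions (BIND .. UNBIND) and summarise each one."""
    done, cur = [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # console noise, wrapped lines, typed commands
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if "%DIALER-6-BIND" in msg:
            cur = {"start": ts, "aaa_id": None, "method_list": None, "events": []}
        if cur is None:
            continue                      # lines before the first bind
        cur["events"].append(msg)
        if idm := AAA_ID.search(msg):
            cur["aaa_id"] = idm.group(1)
        if lm := METHOD.search(msg):
            cur["method_list"] = lm.group(1)
        if "%DIALER-6-UNBIND" in msg:
            cur["seconds"] = (ts - cur["start"]).total_seconds()
            cur["peer_auth_skipped"] = any("No remote authentication" in e for e in cur["events"])
            done.append(cur)
            cur = None
    return done
```

Feed it the output of terminal monitor with debug aaa authentication and debug ppp authentication enabled, and compare the per-session summary with and without aaa new-model.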