DemonS Posted July 11, 2018

Network config. VLAN 100 contains the RADIUS server (192.168.0.5) and the link to the Cisco (192.168.0.12). The Cisco's IP address is in VRF MGMT.

c4948#show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 15.0(2)SG8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 02-Dec-13 17:11 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x123ACE64

ROM: 12.2(31r)SGA7
Pod Revision 0, Force Revision 31, Gill Revision 20

c4948 uptime is 13 hours, 22 minutes
System returned to ROM by reload
System restarted at 19:24:57 MSK Tue Jul 10 2018
System image file is "bootflash:cat4500-entservicesk9-mz.150-2.SG8.bin"
Last reload reason: Reload command

cisco WS-C4948-10GE (MPC8540) processor (revision 5) with 262144K bytes of memory.
Processor board ID FOX1243GWZL
MPC8540 CPU at 667Mhz, Fixed Module
Last reset from Reload
2 Virtual Ethernet interfaces
48 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

c4948#ping vrf MGMT 192.168.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

c4948#sho running-config brief
Building configuration...

Current configuration : 4181 bytes
!
! Last configuration change at 20:08:10 MSK Tue Jul 10 2018 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service unsupported-transceiver
!
hostname c4948
!
boot-start-marker
boot system flash bootflash:cat4500-entservicesk9-mz.150-2.SG8.bin
boot-end-marker
!
enable password 7 06070B2C4540
!
username admin password 7 104F0D140C19
!
aaa new-model
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
!
aaa session-id common
clock timezone MSK 3
ip subnet-zero
ip domain-name freebit.net.ua
ip name-server 192.168.0.5
ip vrf MGMT
!
ip vrf mgmtVrf
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-1243
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1243
 revocation-check none
 rsakeypair TP-self-signed-1243
!
crypto pki certificate chain TP-self-signed-1243
 certificate self-signed 01
power redundancy-mode redundant
!
archive
 log config
  logging enable
 path tftp://192.168.0.5/$H-$T.txt
 write-memory
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 100
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
ip tftp source-interface Vlan100
ip ssh source-interface Vlan100
ip ssh version 2
!
interface Loopback0
 no ip address
!
interface Port-channel1
 no ip address
!
interface FastEthernet1
 description mgmtport
 ip vrf forwarding mgmtVrf
 ip address 192.168.10.1 255.255.255.0
 speed auto
 duplex auto
!
interface GigabitEthernet1/1
!
----------------------------------------
!
interface GigabitEthernet1/48
 description mgmt_access_port
 switchport access vlan 100
 switchport mode access
!
interface TenGigabitEthernet1/49
 shutdown
!
interface TenGigabitEthernet1/50
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan100
 description mgmt_interface
 ip vrf forwarding MGMT
 ip address 192.168.0.12 255.255.254.0
!
no ip http server
ip http secure-server
!
ip radius source-interface Vlan100
!
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria tries 100
radius-server host 192.168.0.5 auth-port 1814 acct-port 1815 timeout 2 retransmit 2 key 7 095F4A5848023638022609
radius-server deadtime 1
!
control-plane
!
line con 0
 stopbits 1
 speed 115200
line vty 0 4
 exec-timeout 60 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input ssh
!
ntp clock-period 17180946
ntp peer vrf MGMT 192.168.0.8
end

When I save the config it does get written to the TFTP server, and SSH access works. When I try to authenticate ("debug radius"):

Jul 11 05:58:25.559: RADIUS/ENCODE(00000004): ask "Password: "
Jul 11 05:58:26.879: RADIUS/ENCODE(00000004):Orig. component type = EXEC
Jul 11 05:58:26.879: RADIUS: AAA Unsupported Attr: interface [170] 4
Jul 11 05:58:26.879: RADIUS: 74 74 [ tt]
Jul 11 05:58:26.879: RADIUS(00000004): Config NAS IP: 192.168.0.12
Jul 11 05:58:26.879: RADIUS/ENCODE(00000004): acct_session_id: 4
Jul 11 05:58:26.879: RADIUS(00000004): sending
Jul 11 05:58:26.879: RADIUS(00000004): Send Access-Request to 192.168.0.5:1814 id 1645/4, len 90
Jul 11 05:58:26.879: RADIUS: authenticator BA D6 97 61 C6 92 7C F4 - 8B 5A D5 E0 12 2C 47 34
Jul 11 05:58:26.879: RADIUS: User-Name [1] 6 "user"
Jul 11 05:58:26.879: RADIUS: User-Password [2] 18 *
Jul 11 05:58:26.879: RADIUS: NAS-Port [5] 6 2
Jul 11 05:58:26.879: RADIUS: NAS-Port-Id [87] 6 "tty2"
Jul 11 05:58:26.879: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 11 05:58:26.879: RADIUS: Calling-Station-Id [31] 16 "192.168.0.252"
Jul 11 05:58:26.879: RADIUS: Service-Type [6] 6 Login [1]
Jul 11 05:58:26.879: RADIUS: NAS-IP-Address [4] 6 192.168.0.12
Jul 11 05:58:26.879: RADIUS(00000004): Started 2 sec timeout
Jul 11 05:58:28.892: RADIUS(00000004): Request timed out
Jul 11 05:58:28.892: RADIUS: Retransmit to (192.168.0.5:1814,1815) for id 1645/4
Jul 11 05:58:28.892: RADIUS(00000004): Started 2 sec timeout
Jul 11 05:58:30.680: RADIUS(00000004): Request timed out
Jul 11 05:58:30.680: RADIUS: Retransmit to (192.168.0.5:1814,1815) for id 1645/4
Jul 11 05:58:30.680: RADIUS(00000004): Started 2 sec timeout
Jul 11 05:58:32.572: RADIUS(00000004): Request timed out
Jul 11 05:58:32.572: RADIUS: No response from (192.168.0.5:1814,1815) for id 1645/4
Jul 11 05:58:32.572: RADIUS/DECODE: parse response no app start; FAIL
Jul 11 05:58:32.572: RADIUS/DECODE: parse response; FAIL

No packets arrive at 192.168.0.5 at all. Respected gurus, can you tell me what the problem might be?
alibek Posted July 11, 2018

Why not TACACS? In my experience it works much better and is more convenient.
YuryD Posted July 11, 2018

Why are the RADIUS ports somewhat non-standard? I usually have 1812/1813.
VolanD666 Posted July 11, 2018 (edited)

I believe you need to specify the vrf in the RADIUS settings.

Edited July 11, 2018 by VolanD666
stalker86 Posted July 11, 2018

ip radius source-interface vlan100 vrf MGMT
DemonS Posted July 11, 2018 (Author)

24 minutes ago, stalker86 said:
> ip radius source-interface vlan100 vrf MGMT

Unfortunately, specifying the vrf changes nothing. Same thing.

55 minutes ago, YuryD said:
> Why are the RADIUS ports somewhat non-standard? I usually have 1812/1813.

A different RADIUS instance is listening on those ports. By the way, Cisco uses ports 1645 and 1646 by default.
StSphinx Posted July 11, 2018

aaa group server radius radiusServerGroup
 server-private 192.168.0.12 auth-port 1812 acct-port 1813 key 7 RADIUS_KEY
 ip vrf forwarding MGMT
 ip radius source-interface Loopback20

That's roughly how it works for me. Plus the corresponding aaa settings.
DemonS Posted July 11, 2018 (Author, edited)

One more thing. I enabled debug ip packet.

Jul 11 08:03:13.057: RADIUS: Retransmit to (192.168.0.5:1814,1815) for id 1645/10
Jul 11 08:03:13.057: IP: s=0.0.0.0 (local), d=192.168.0.5, len 119, local feature, Local Clustering(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jul 11 08:03:13.057: IP: s=0.0.0.0 (local), d=192.168.0.5, len 119, unroutable

It says unroutable. Why?

c4948#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

c4948#sho ip route vrf MGMT

Routing Table: MGMT
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.0/23 is subnetted, 1 subnets
C       192.168.0.0 is directly connected, Vlan100
c4948#

Edited July 11, 2018 by DemonS
StSphinx Posted July 11, 2018

7 minutes ago, DemonS said:
> One more thing. I enabled debug ip packet.
> Jul 11 08:03:13.057: RADIUS: Retransmit to (172.16.100.5:1814,1815) for id 1645/10
> Jul 11 08:03:13.057: IP: s=0.0.0.0 (local), d=172.16.100.5, len 119, local feature, Local Clustering(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
> Jul 11 08:03:13.057: IP: s=0.0.0.0 (local), d=172.16.100.5, len 119, unroutable
> It says unroutable. Why?

That is a different story altogether. Quite possibly there is no destination in the route table for 172.16.100.5.
DemonS Posted July 11, 2018 (Author, edited)

2 minutes ago, StSphinx said:
> That is a different story altogether. Quite possibly there is no destination in the route table for 172.16.100.5.

Do you think the Cisco is looking in the main table instead of the vrf? (Read 172.16.100.5 as 192.168.0.5; I gave away the IPs anyway...)

12 minutes ago, StSphinx said:
> aaa group server radius radiusServerGroup
>  server-private 192.168.0.12 auth-port 1812 acct-port 1813 key 7 RADIUS_KEY
>  ip vrf forwarding MGMT
>  ip radius source-interface Loopback20
> That's roughly how it works for me. Plus the corresponding aaa settings.

Did the same. It works. Thanks, everyone!

Edited July 11, 2018 by DemonS
StSphinx Posted July 11, 2018

1 minute ago, DemonS said:
> Do you think the Cisco is looking in the main table instead of the vrf?

It looks up the destination in the table that the interface the packet was received on belongs to.
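The point behind the fix in this thread: a global radius-server host is a global-table server, so IOS routes the locally generated Access-Request through the global RIB, where 192.168.0.5 has no route, even though Vlan100 (and the server) sit in VRF MGMT; the aaa group server radius form with ip vrf forwarding is what binds the server to the VRF. As an added example (not code from the thread or from Cisco), a small Python config lint that flags that mismatch and accepts the server-group form posted above; the two configs are constructed abbreviations of the thread's configs and the key is a placeholder.

```python
import re
# Constructed, abbreviated IOS snippets in the thread's layout; the key is a placeholder.
BROKEN_CFG = """\
interface Vlan100
 ip vrf forwarding MGMT
ip radius source-interface Vlan100
radius-server host 192.168.0.5 auth-port 1814 acct-port 1815 key 7 KEY_PLACEHOLDER
"""
FIXED_CFG = """\
interface Vlan100
 ip vrf forwarding MGMT
aaa group server radius radiusServerGroup
 server-private 192.168.0.5 auth-port 1814 acct-port 1815 key 7 KEY_PLACEHOLDER
 ip vrf forwarding MGMT
 ip radius source-interface Vlan100
"""

def parse_sections(cfg):
    """Split an IOS config into top-level lines and {header: [indented child lines]}."""
    top, sections, cur = [], {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            cur = None                       # '!' or a blank line closes the block
        elif raw.startswith(" ") and cur is not None:
            sections[cur].append(raw.strip())
        else:
            top.append(cur := raw.strip())
            sections[cur] = []
    return top, sections
def first(pattern, lines):
    return next((m.group(1) for l in lines if (m := re.match(pattern, l))), None)

def radius_vrf_findings(cfg):
    """Report RADIUS servers that IOS would route in a table other than their source VRF."""
    top, sections = parse_sections(cfg)
    iface_vrf = {h.split()[1].lower(): first(r"ip vrf forwarding (\S+)", b)
                 for h, b in sections.items() if h.startswith("interface ")}
    findings = []
    # A global 'radius-server host' is reached via the global RIB even when the global
    # source interface sits in a VRF; that mismatch is the thread's "unroutable".
    src = first(r"ip radius source-interface (\S+)", top)
    if src and iface_vrf.get(src.lower()):
        for srv in (l.split()[2] for l in top if l.startswith("radius-server host ")):
            findings.append(f"{srv}: global server, but {src} is in VRF {iface_vrf[src.lower()]}")
    # Inside 'aaa group server radius' the group's VRF must match the source interface's VRF.
    for hdr, body in sections.items():
        if hdr.startswith("aaa group server radius "):
            gvrf, gsrc = first(r"ip vrf forwarding (\S+)", body), first(r"ip radius source-interface (\S+)", body)
            if gsrc and iface_vrf.get(gsrc.lower()) != gvrf:
                findings.append(f"{hdr.split()[-1]}: group VRF {gvrf} != VRF of {gsrc}")
    return findings
```

Appending "vrf MGMT" to the global source-interface line, as suggested earlier in the thread, still leaves the server global, and the lint flags it the same way.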
DemonS Posted July 11, 2018 (Author)

Found an interesting article.