TACACS+로 PPP 콜백 구성

소개

이 문서에서는 TACACS+로 PPP(Point-to-Point Protocol) 콜백을 수행하는 라우터 및 AAA 서버의 컨피그레이션 예를 보여줍니다. AAA 서버 또는 Windows 2000 클라이언트에서 지정한 콜백 번호를 사용하는 두 가지 예가 포함되어 있습니다.

• 로컬 인증 및 콜백으로 초기 테스트를 수행합니다(aaa new-model 명령 제거). 콜백이 로컬 인증과 작동하지 않을 경우 TACACS+와 작동하지 않습니다. 로컬 인증 사용 방법에 대한 예는 라우터와 Windows PC 간의 MS 콜백 구성을 참조하십시오.

• 콜백 없이 TACACS+로 추가 PPP 인증 테스트를 수행합니다. 사용자가 콜백 없이 인증 및/또는 권한 부여에 실패할 경우 인증 및 권한 부여가 콜백과 함께 작동하지 않습니다.

• 콜백에 대한 로컬 인증 및 TACACS+를 통한 PPP 인증이 작동하면 라우터의 로컬 사용자(예: 콜백 다이얼 문자열)의 정보를 서버의 사용자 프로필에 추가합니다.

참고: 이러한 테스트의 클라이언트는 PPP 연결을 위해 평소와 같이 설정된 Windows 2000 Professional 클라이언트(DUN)이며, Microsoft Callback 설정은 "서버가 제공하는 경우 전화 걸기 중에 확인"입니다. Microsoft 콜백은 Cisco IOS® Software 릴리스 11.3.2.T 이상에서 지원됩니다.

사전 요구 사항

요구 사항

이 문서에 대한 특정 요건이 없습니다.

사용되는 구성 요소

이 문서의 정보는 다음 소프트웨어 및 하드웨어 버전을 기반으로 합니다.

• Cisco IOS Software 릴리스 12.1(7)AA

• Cisco Secure ACS UNIX 2.3(2)

• Windows 3.3용 Cisco Secure ACS

• TACACS Freeware Daemon 4.0(3)

이 문서의 정보는 특정 랩 환경의 디바이스를 토대로 작성되었습니다. 이 문서에 사용된 모든 디바이스는 초기화된(기본) 컨피그레이션으로 시작되었습니다. 현재 네트워크가 작동 중인 경우, 모든 명령어의 잠재적인 영향을 미리 숙지하시기 바랍니다.

표기 규칙

문서 규칙에 대한 자세한 내용은 Cisco 기술 팁 표기 규칙을 참조하십시오.

구성

이 섹션에는 이 문서에서 설명하는 기능을 구성하기 위한 정보가 표시됩니다.

참고: 이 문서에 사용된 명령에 대한 추가 정보를 보려면 명령 조회 도구(등록된 고객만 해당)를 사용하십시오.

네트워크 다이어그램

이 문서에서는 이 다이어그램에 나와 있는 네트워크 설정을 사용합니다.

서버 지정 번호의 PPP 콜백

서버 컨피그레이션

다음은 AAA 서버에서 지정한 전화 번호로 PPP 콜백을 위한 AAA 서버 컨피그레이션입니다.

서버 설정 - Windows용 Cisco Secure ACS

• 사용자 및 그룹에 대한 LCP 옵션을 활성화하려면 인터페이스 구성 화면으로 이동하여 TACACS+(Cisco IOS)를 선택하고, 사용자 및 그룹에 대해 PPP IP 및 PPP LCP 옵션이 선택되어 있는지 확인합니다^.

• 콜백은 그룹 또는 사용자 설정에서 구성할 수 있습니다.

  • 콜백을 위한 그룹 구성: [그룹 설정] 화면의 [콜백]에서 Windows 데이터베이스 콜백 설정 사용 옵션을 선택합니다(이전 버전의 ACS에서는 이 옵션을 "Microsoft NT 콜백 설정 사용"이라고 함). 그런 다음 PPP IP 및 PPP LCP의 옵션을 확인합니다. 콜백 라인을 선택하고 빈 필드에 84007을 입력합니다.

    그룹의 구성원인 사용자의 경우 [사용자 설정] 화면으로 이동하여 [콜백] 아래에서 [그룹 설정 사용]을 선택합니다. Submit(제출) + Restart(재시작)를 클릭합니다.

  • 콜백을 위한 개별 사용자 구성: User Setup(사용자 설정) 화면의 Callback(콜백)에서 이 번호를 사용하여 Callback(콜백)을 선택하고 빈 필드에 84007을 입력합니다. 그런 다음 PPP IP 및 PPP LCP에 대한 옵션을 확인합니다. Submit + Restart를 클릭합니다.

서버 설치 - Cisco Secure UNIX

<coachella>/export/home/brownr> ViewProfile -p 9900 -u callback_user
User Profile Information
user = callback_user{
profile_id = 113
profile_cycle = 15
member = ccie_study
password = chap "********"
service=ppp {
protocol=ip {
}
protocol=lcp {
set callback-dialstring=84007
}
}

}

서버 설정 - TACACS+ 프리웨어

user = callback_user {
chap= cleartext "chapuser"
service = ppp protocol = lcp {
callback-dialstring=84007
}
service = ppp protocol = ip {
}
}

사용자 지정 번호의 PPP 콜백

이 문서의 앞부분에서는 AAA 서버에 지정된 미리 정의된 번호로 콜백하는 예를 보여 줍니다. 콜백은 콜백 번호를 사용하여 사용자가 지정한 번호에서 수행할 수도 있으며 AAA 서버에서 null로 지정됩니다. 그러면 라우터가 사용자에게 콜백 번호를 묻습니다. 초기 테스트는 지정된 로컬 콜백으로 수행해야 합니다. 액세스 서버와 PC 예제 간의 비동기 PPP 콜백을 참조하고 "callback-dialstring"이 따옴표("")로 지정됩니다.

이 테스트의 클라이언트는 PPP 연결을 위해 평소와 같이 설정된 Windows 2000 Professional 클라이언트였으며, Microsoft Callback은 "아래 번호로 다시 전화 주십시오."로 설정되었습니다.

참고: 표시되는 네트워크 다이어그램 및 라우터 컨피그레이션은 여기에서 설명하는 콜백 컨피그레이션에 적용됩니다.

서버 컨피그레이션

다음은 사용자가 지정한 전화 번호를 사용하는 PPP 콜백에 대한 AAA 서버 컨피그레이션입니다.

서버 설치 - Windows용 Cisco Secure

• 사용자 및 그룹에 대한 LCP 옵션을 활성화하려면 인터페이스 구성 화면으로 이동하여 TACACS+(Cisco IOS)를 선택하고, 사용자 및 그룹에 대해 PPP IP 및 PPP LCP 옵션이 선택되어 있는지 확인합니다^.

• 콜백은 그룹 또는 사용자 설정에서 구성할 수 있습니다.

  • 콜백을 위한 그룹 구성: Group Setup(그룹 설정) 화면의 Callback(콜백)에서 콜백 번호를 지정하는 전화 접속 클라이언트에 대한 옵션을 선택합니다. 그런 다음 PPP IP 및 PPP LCP의 옵션을 확인합니다.

    그룹의 구성원인 사용자의 경우 [사용자 설정] 화면으로 이동하여 [콜백] 아래에서 [그룹 설정 사용]을 선택합니다. Submit(제출) + Restart(재시작)를 클릭합니다.

  • 콜백을 위한 개별 사용자 구성: User Setup(사용자 설정) 화면의 Callback(콜백)에서 콜백 클라이언트에서 콜백 번호를 지정하는 옵션을 선택합니다. 그런 다음 PPP IP 및 PPP LCP의 옵션을 확인합니다. Submit + Restart를 클릭합니다.

서버 설치 - Cisco Secure UNIX

<coachella>ViewProfile -p 9900 -u callback_user
User Profile Information
user = callback_user{
profile_id = 113
profile_cycle = 15
member = ccie_study
password = chap "********"
service=ppp {
protocol=ip {
}
protocol=lcp {
set callback-dialstring=""
}
}

}

서버 설정 - TACACS+ 프리웨어

user = callback_user {
chap= cleartext "chapuser"
service = ppp protocol = lcp {
callback-dialstring=""
}
service = ppp protocol = ip {
}
}

라우터 컨피그레이션

AS5200

maui-nas-01#show run
Building configuration...

Current configuration : 2882 bytes
!
version 12.1
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-01
!
logging buffered 4096 debugging
no logging console guaranteed
no logging console

!--- Basic AAA configuration using TACACS+ as the primary method, !--- local if the ERROR is received during negotiation. !--- Disable AAA authentication and authorization on console port.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization exec NO_AUTHOR none
aaa authorization network default group tacacs+ local
enable secret <snipped>
!
username admin password <snipped>
spe 1/0 1/23
firmware location feature_card_flash
spe 2/0 2/4
!
resource-pool disable
!
clock timezone CST -6
clock summer-time CST recurring
modem recovery action none
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
ip name-server 172.22.53.210
!
no ip bootp server
isdn switch-type primary-ni
! 

!--- Chat scripts "offhook" and "CALLBACK" !--- used intuitively to go offhook and callback clients.

chat-script CALLBACK ABORT ERROR ABORT BUSY "" "AT" 
OK "ATDT \T" TIMEOUT 30 CONNECT \c
chat-script offhook "" "ATH1" OK \c
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Ethernet0
ip address 172.22.53.101 255.255.255.0
no ip route-cache
no ip mroute-cache
no cdp enable
!
interface Serial0:23
no ip address
encapsulation ppp
no ip route-cache
isdn switch-type primary-ni
isdn incoming-voice modem
isdn bchan-number-order ascending
no cdp enable
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
async mode interactive
peer default ip address pool IP_POOL
no cdp enable

!--- Allows "group-async 1" to accept PPP callback requests from clients. !--- Use Challenge Authentication Protocol (CHAP) for authentication !--- on incoming calls.

ppp callback accept
ppp authentication chap callin
group-range 1 48
!
ip local pool IP_POOL 172.22.53.141 172.22.53.148
ip default-gateway 172.22.53.1
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.53.1
!
no cdp run
tacacs-server host 172.22.53.201 key <snipped>
!
line con 0
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
transport input none
line 1 48

!--- Specifies chat scripts used during callback to clients.

script modem-off-hook offhook
script callback CALLBACK
modem InOut
transport preferred none
transport input all
transport output none
autoselect during-login
autoselect ppp
callback forced-wait 5
line aux 0
line vty 0 4
!
ntp server 172.22.53.1
end

다음을 확인합니다.

현재 이 설정에 사용 가능한 확인 절차는 없습니다.

문제 해결

이 섹션에서는 설정 문제 해결에 사용할 수 있는 정보를 제공합니다.

트러블슈팅 명령

참고: debug 명령을 실행하기 전에 Debug 명령에 대한 중요 정보를 참조하십시오.

• debug aaa authentication(aaa 인증 디버그) - AAA 인증에 대한 정보를 표시합니다.

• debug aaa authorization(aaa 권한 부여 디버그) - AAA 권한 부여에 대한 정보를 표시합니다.

• debug callback(디버그 콜백) - 라우터가 모뎀 및 채팅 스크립트를 사용하여 터미널 회선에서 콜백하는 경우의 콜백 이벤트를 표시합니다.

• debug chat(디버그 채팅) - NAS(Network Access Server)와 PC 간에 전송되는 문자를 표시합니다. 채팅-스크립트는 DTE(Data Terminal Equipment)-DTE 또는 DTE-DCE(Data Communications Equipment) 디바이스 간의 핸드셰이킹을 정의하는 예상 전송 문자열 쌍 집합입니다.

• debug modem - 액세스 서버의 모뎀 회선 활동을 표시합니다.

• debug ppp negotiation - PPP 시작 중에 전송된 PPP 패킷을 표시합니다. 여기서 PPP 옵션이 협상됩니다.

• debug ppp authentication(디버그 ppp 인증) - CHAP(Challenge Authentication Protocol) 패킷 교환 및 PAP(Password Authentication Protocol) 교환을 비롯한 인증 프로토콜 메시지를 표시합니다.

• debug tacacs+ - TACACS+와 관련된 자세한 디버깅 정보를 표시합니다.

디버그 출력 샘플

이 다이어그램의 개별 단계는 이 다이어그램 뒤에 표시되는 실제 디버그 출력에 해당합니다. 일부 출력은 간격 고려 사항으로 인해 두 줄로 줄바꿈되었습니다.

1단계

maui-nas-01#debug aaa authentication
maui-nas-01#debug aaa authorization

maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on

!--- AAA negotiation begins, aborted because PPP is autoselected.

Aug 1 09:23:53.320 CST: AAA: parse name=tty6 idb type=10 tty=6
Aug 1 09:23:53.320 CST: AAA: name=tty6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:53.324 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:53.328 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4
Aug 1 09:23:53.332 CST: AAA/MEMORY: create_user (0x2A0AA0) user='' ruser='' 
  port='tty6' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:53.336 CST: AAA/AUTHEN/START (2776623843): port='tty6' list=''
  action=LOGIN service=LOGIN
Aug 1 09:23:53.340 CST: AAA/AUTHEN/START (2776623843): using "default" list
Aug 1 09:23:53.344 CST: AAA/AUTHEN/START (2776623843): Method=tacacs+ (tacacs+)
Aug 1 09:23:53.348 CST: TAC+: send AUTHEN/START packet ver=192 id=2776623843
Aug 1 09:23:53.572 CST: TAC+: ver=192 id=2776623843 received AUTHEN
  status = GETUSER
Aug 1 09:23:53.576 CST: AAA/AUTHEN (2776623843): status = GETUSER
Aug 1 09:23:55.548 CST: AAA/AUTHEN/ABORT: (2776623843) because Autoselected.
Aug 1 09:23:55.552 CST: TAC+: send abort reason=Autoselected
Aug 1 09:23:55.668 CST: AAA/MEMORY: free_user (0x2A0AA0) user='' ruser=''
  port='tty6'rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:58.124 CST: %LINK-3-UPDOWN: Interface Async6, changed state to up
Aug 1 09:23:58.148 CST: As6 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Aug 1 09:23:58.912 CST: AAA: parse name=Async6 idb type=10 tty=6
Aug 1 09:23:58.916 CST: AAA: name=Async6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:58.916 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:58.920 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4

!--- AAA Authentication start packet is sent to AAA server.

Aug 1 09:23:58.924 CST: AAA/MEMORY: create_user (0x2984EC)
  user='callback_user'ruser='' port='Async6' rem_addr='async/81560' 
  authen_type=CHAP service=PPP priv=1
Aug 1 09:23:58.932 CST: AAA/AUTHEN/START (3527356355): port='Async6' list=''
  action=LOGIN service=PPP
Aug 1 09:23:58.936 CST: AAA/AUTHEN/START (3527356355): using "default" list
Aug 1 09:23:58.936 CST: AAA/AUTHEN (3527356355): status = UNKNOWN
Aug 1 09:23:58.940 CST: AAA/AUTHEN/START (3527356355): Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA server.

Aug 1 09:23:58.944 CST: TAC+: send AUTHEN/START packet ver=193 id=3527356355
Aug 1 09:23:59.172 CST: TAC+: ver=193 id=3527356355 received AUTHEN
  status = PASS
Aug 1 09:23:59.172 CST: AAA/AUTHEN (3527356355): status = PASS

!--- AAA Authorization request sent to AAA server for LCP.

Aug 1 09:23:59.180 CST: As6 AAA/AUTHOR/LCP: Authorize LCP
Aug 1 09:23:59.184 CST: As6 AAA/AUTHOR/LCP (1701401119): Port='Async6'
  list='' service=NET
Aug 1 09:23:59.188 CST: AAA/AUTHOR/LCP: As6 (1701401119) user='callback_user'
Aug 1 09:23:59.192 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV service=ppp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV protocol=lcp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): found list "default"
Aug 1 09:23:59.200 CST: As6 AAA/AUTHOR/LCP (1701401119):
  Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA server, set the callback dialstring !--- via the "callback-dialstring" Attribute Value Pair.

Aug 1 09:23:59.204 CST: AAA/AUTHOR/TAC+: (1701401119): user=callback_user
Aug 1 09:23:59.208 CST: AAA/AUTHOR/TAC+: (1701401119): send AV service=ppp
Aug 1 09:23:59.212 CST: AAA/AUTHOR/TAC+: (1701401119): send AV protocol=lcp
Aug 1 09:23:59.440 CST: TAC+: (1701401119): received author response status 
  = PASS_ADD
Aug 1 09:23:59.448 CST: As6 AAA/AUTHOR (1701401119): Post authorization status 
  = PASS_ADD
Aug 1 09:23:59.452 CST: As6 AAA/AUTHOR/LCP: Processing AV service=ppp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV
  callback-dialstring=81550

2단계

maui-nas-01#debug aaa authentication
maui-nas-01#debug aaa authorization

maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on

!--- AAA negotiation begins, aborted because PPP is autoselected.

Aug 1 09:23:53.320 CST: AAA: parse name=tty6 idb type=10 tty=6
Aug 1 09:23:53.320 CST: AAA: name=tty6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:53.324 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:53.328 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4
Aug 1 09:23:53.332 CST: AAA/MEMORY: create_user (0x2A0AA0) user='' ruser='' 
  port='tty6' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:53.336 CST: AAA/AUTHEN/START (2776623843): port='tty6' list=''
  action=LOGIN service=LOGIN
Aug 1 09:23:53.340 CST: AAA/AUTHEN/START (2776623843): using "default" list
Aug 1 09:23:53.344 CST: AAA/AUTHEN/START (2776623843): Method=tacacs+ (tacacs+)
Aug 1 09:23:53.348 CST: TAC+: send AUTHEN/START packet ver=192 id=2776623843
Aug 1 09:23:53.572 CST: TAC+: ver=192 id=2776623843 received AUTHEN
  status = GETUSER
Aug 1 09:23:53.576 CST: AAA/AUTHEN (2776623843): status = GETUSER
Aug 1 09:23:55.548 CST: AAA/AUTHEN/ABORT: (2776623843) because Autoselected.
Aug 1 09:23:55.552 CST: TAC+: send abort reason=Autoselected
Aug 1 09:23:55.668 CST: AAA/MEMORY: free_user (0x2A0AA0) user='' ruser=''
  port='tty6'rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
Aug 1 09:23:58.124 CST: %LINK-3-UPDOWN: Interface Async6, changed state to up
Aug 1 09:23:58.148 CST: As6 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Aug 1 09:23:58.912 CST: AAA: parse name=Async6 idb type=10 tty=6
Aug 1 09:23:58.916 CST: AAA: name=Async6 flags=0x11 type=4 shelf=0 slot=0
  adapter=0 port=6 channel=0
Aug 1 09:23:58.916 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
Aug 1 09:23:58.920 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 
  adapter=0 port=0 channel=4

!--- AAA Authentication start packet is sent to AAA server.

Aug 1 09:23:58.924 CST: AAA/MEMORY: create_user (0x2984EC)
  user='callback_user'ruser='' port='Async6' rem_addr='async/81560' 
  authen_type=CHAP service=PPP priv=1
Aug 1 09:23:58.932 CST: AAA/AUTHEN/START (3527356355): port='Async6' list=''
  action=LOGIN service=PPP
Aug 1 09:23:58.936 CST: AAA/AUTHEN/START (3527356355): using "default" list
Aug 1 09:23:58.936 CST: AAA/AUTHEN (3527356355): status = UNKNOWN
Aug 1 09:23:58.940 CST: AAA/AUTHEN/START (3527356355): Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA Server.

Aug 1 09:23:58.944 CST: TAC+: send AUTHEN/START packet ver=193 id=3527356355
Aug 1 09:23:59.172 CST: TAC+: ver=193 id=3527356355 received AUTHEN
  status = PASS
Aug 1 09:23:59.172 CST: AAA/AUTHEN (3527356355): status = PASS

!--- AAA Authorization request sent to AAA server for LCP.

Aug 1 09:23:59.180 CST: As6 AAA/AUTHOR/LCP: Authorize LCP
Aug 1 09:23:59.184 CST: As6 AAA/AUTHOR/LCP (1701401119): Port='Async6'
  list='' service=NET
Aug 1 09:23:59.188 CST: AAA/AUTHOR/LCP: As6 (1701401119) user='callback_user'
Aug 1 09:23:59.192 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV service=ppp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): send AV protocol=lcp
Aug 1 09:23:59.196 CST: As6 AAA/AUTHOR/LCP (1701401119): found list "default"
Aug 1 09:23:59.200 CST: As6 AAA/AUTHOR/LCP (1701401119):
  Method=tacacs+ (tacacs+)

!--- Receive PASS from AAA Server, set the callback dialstring !--- via the "callback-dialstring" Attribute Value Pair.

Aug 1 09:23:59.204 CST: AAA/AUTHOR/TAC+: (1701401119): user=callback_user
Aug 1 09:23:59.208 CST: AAA/AUTHOR/TAC+: (1701401119): send AV service=ppp
Aug 1 09:23:59.212 CST: AAA/AUTHOR/TAC+: (1701401119): send AV protocol=lcp
Aug 1 09:23:59.440 CST: TAC+: (1701401119): received author response status 
  = PASS_ADD
Aug 1 09:23:59.448 CST: As6 AAA/AUTHOR (1701401119): Post authorization status 
  = PASS_ADD
Aug 1 09:23:59.452 CST: As6 AAA/AUTHOR/LCP: Processing AV service=ppp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Aug 1 09:23:59.456 CST: As6 AAA/AUTHOR/LCP: Processing AV
  callback-dialstring=81550

3단계

maui-nas-01#show debug
General OS:
Modem control/process activation debugging is on
PPP:
PPP protocol negotiation debugging is on
Chat Scripts:
Chat scripts activity debugging is on
Callback:
Callback activity debugging is on

Aug 1 09:33:38.862 CST: As7 MCB: User callback_user Callback Number
  - Server 81550
Aug 1 09:33:38.870 CST: Async7 PPP: O MCB Request(1) id 1 len 7
Aug 1 09:33:38.874 CST: Async7 MCB: O 1 1 0 7 3 3 0 
Aug 1 09:33:38.874 CST: As7 MCB: O Request Id 1 Callback Type
  Server-Num delay 0
Aug 1 09:33:38.878 CST: As7 PPP: Phase is CBCP
Aug 1 09:33:39.018 CST: Async7 PPP: I MCB Response(2) id 1 len 7
Aug 1 09:33:39.022 CST: Async7 MCB: I 2 1 0 7 3 3 C 
Aug 1 09:33:39.026 CST: As7 MCB: Received response
Aug 1 09:33:39.026 CST: As7 MCB: Response CBK-Server-Num 3 3 12
Aug 1 09:33:39.034 CST: Async7 PPP: O MCB Ack(3) id 2 len 7
Aug 1 09:33:39.034 CST: Async7 MCB: O 3 2 0 7 3 3 C 
Aug 1 09:33:39.038 CST: As7 MCB: O Ack Id 2 Callback Type Server-Num delay 12
Aug 1 09:33:39.042 CST: As7 MCB: Negotiated MCB with peer

!--- NAS sends LCP Terminate Request from client.

Aug 1 09:33:39.182 CST: As7 LCP: I TERMREQ [Open] id 6 len 16
  (0x566260A7003CCD7400000000)

!--- NAS receives Terminate Acknowledge from client.

Aug 1 09:33:39.186 CST: As7 LCP: O TERMACK [Open] id 6 len 4
Aug 1 09:33:39.190 CST: As7 MCB: Peer terminating the link
Aug 1 09:33:39.194 CST: As7 MCB: Link terminated by peer, Callback Needed
Aug 1 09:33:39.198 CST: As7 MCB: Initiate Callback for callback_user
  at 81550 using Async
Aug 1 09:33:39.202 CST: As7 MCB: Async-callback in progress
Aug 1 09:33:39.206 CST: As7 PPP: Phase is TERMINATING

!--- NAS disconnects and initiates offhook and CALLBACK chat scripts.

Aug 1 09:33:39.210 CST: TTY7 Callback PPP process creation
Aug 1 09:33:39.218 CST: TTY7 Callback process initiated, user: dialstring 81550
Aug 1 09:33:40.110 CST: %ISDN-6-DISCONNECT: Interface Serial0:5 disconnected 
  from unknown , call lasted 19 seconds
Aug 1 09:33:40.294 CST: TTY7: Async Int reset: Dropping DTR
Aug 1 09:33:41.210 CST: As7 LCP: TIMEout: State TERMsent
Aug 1 09:33:41.210 CST: As7 LCP: State is Closed
Aug 1 09:33:41.214 CST: As7 PPP: Phase is DOWN
Aug 1 09:33:41.218 CST: As7 PPP: Phase is ESTABLISHING, Passive Open
Aug 1 09:33:41.226 CST: As7 LCP: State is Listen
Aug 1 09:33:42.298 CST: %LINK-5-CHANGED: Interface Async7,
  changed state to reset
Aug 1 09:33:42.318 CST: As7 LCP: State is Closed
Aug 1 09:33:42.318 CST: As7 PPP: Phase is DOWN
Aug 1 09:33:45.302 CST: As7 IPCP: Remove route to 172.22.53.147
Aug 1 09:33:45.306 CST: TTY7 Callback forced wait = 5 seconds
Aug 1 09:33:47.302 CST: %LINK-3-UPDOWN: Interface Async7, changed state to down
Aug 1 09:33:47.322 CST: As7 LCP: State is Closed
Aug 1 09:33:50.310 CST: CHAT7: Matched chat script offhook to string offhook
Aug 1 09:33:50.314 CST: CHAT7: Asserting DTR
Aug 1 09:33:50.318 CST: CHAT7: Chat script offhook started
Aug 1 09:33:50.322 CST: CHAT7: Sending string: ATH1
Aug 1 09:33:50.322 CST: CHAT7: Expecting string: OK
Aug 1 09:33:50.634 CST: CHAT7: Completed match for expect: OK
Aug 1 09:33:50.638 CST: CHAT7: Sending string: \c
Aug 1 09:33:50.638 CST: CHAT7: Chat script offhook finished, status = Success
Aug 1 09:33:50.642 CST: CHAT7: Matched chat script CALLBACK to string CALLBACK
Aug 1 09:33:50.650 CST: CHAT7: Asserting DTR
Aug 1 09:33:50.650 CST: CHAT7: Chat script CALLBACK started
Aug 1 09:33:50.654 CST: CHAT7: Sending string: AT
Aug 1 09:33:50.658 CST: CHAT7: Expecting string: OK
Aug 1 09:33:50.686 CST: CHAT7: Completed match for expect: OK
Aug 1 09:33:50.686 CST: CHAT7: Sending string: ATDT \T<81550>
Aug 1 09:33:50.694 CST: CHAT7: Expecting string: CONNECT
Aug 1 09:34:04.051 CST: %ISDN-6-CONNECT: Interface Serial0:0 is now
  connected to 81550 
Aug 1 09:34:17.543 CST: CHAT7: Completed match for expect: CONNECT
Aug 1 09:34:17.547 CST: CHAT7: Sending string: \c
Aug 1 09:34:17.547 CST: CHAT7: Chat script CALLBACK finished, status = Success

4단계

maui-nas-01#debug aaa authentication
maui-nas-01#debug aaa authorization
maui-nas-01#debug ppp authentication

maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on

!--- AAA/ PPP negotiation begins.

Aug 1 09:42:15.096 CST: TTY8: Callback starting PPP directly with
  valid auth info
Aug 1 09:42:15.104 CST: TTY8: destroy timer type 1
Aug 1 09:42:15.104 CST: TTY8: destroy timer type 0
Aug 1 09:42:15.160 CST: As8 LCP: I CONFREQ [Closed] id 0 len 47
Aug 1 09:42:15.164 CST: As8 LCP: ACCM 0x00000000 (0x020600000000)
Aug 1 09:42:15.168 CST: As8 LCP: MagicNumber 0x5FA259DE (0x05065FA259DE)
Aug 1 09:42:15.172 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.172 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.176 CST: As8 LCP: MRRU 1614 (0x1104064E)
Aug 1 09:42:15.180 CST: As8 LCP: EndpointDisc 1 Local
Aug 1 09:42:15.184 CST: As8 LCP: (0x131701DC57FC8B1CEA4CCEA064C0D958)
Aug 1 09:42:15.188 CST: As8 LCP: (0x82667300000000)
Aug 1 09:42:15.192 CST: As8 LCP: Lower layer not up, Fast Starting
Aug 1 09:42:15.196 CST: As8 PPP: Treating connection as a callout
Aug 1 09:42:15.200 CST: As8 PPP: Phase is ESTABLISHING, Active Open
Aug 1 09:42:15.204 CST: AAA/MEMORY: dup_user (0x4DDDF8) user='callback_user' 
  ruser='' port='Async8' rem_addr='async/81560' authen_type=CHAP service=PPP
  priv=1 source='AAA dup lcp_reset'
Aug 1 09:42:15.212 CST: AAA/MEMORY: free_user (0x2F5418) user='callback_user'
  ruser='' port='Async8' rem_addr='async/81560' authen_type=CHAP service=PPP 
  priv=1
Aug 1 09:42:15.216 CST: As8 AAA/AUTHEN: Method=IF-NEEDED: no authentication 
  needed. user='callback_user' port='Async8' rem_addr='async/81560'
Aug 1 09:42:15.224 CST: As8 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
Aug 1 09:42:15.228 CST: As8 LCP: O CONFREQ [Closed] id 2 len 20
Aug 1 09:42:15.232 CST: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
Aug 1 09:42:15.236 CST: As8 LCP: MagicNumber 0x6530AEA5 (0x05066530AEA5)
Aug 1 09:42:15.240 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.240 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.248 CST: As8 LCP: O CONFREJ [REQsent] id 0 len 8
Aug 1 09:42:15.252 CST: As8 LCP: MRRU 1614 (0x1104064E)
Aug 1 09:42:15.260 CST: %LINK-3-UPDOWN: Interface Async8, changed state to up
Aug 1 09:42:15.368 CST: As8 LCP: I CONFACK [REQsent] id 2 len 20
Aug 1 09:42:15.372 CST: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
Aug 1 09:42:15.376 CST: As8 LCP: MagicNumber 0x6530AEA5 (0x05066530AEA5)
Aug 1 09:42:15.380 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.384 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.404 CST: As8 LCP: I CONFREQ [ACKrcvd] id 1 len 43
Aug 1 09:42:15.408 CST: As8 LCP: ACCM 0x00000000 (0x020600000000)
Aug 1 09:42:15.412 CST: As8 LCP: MagicNumber 0x5FA259DE (0x05065FA259DE)
Aug 1 09:42:15.412 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.416 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.420 CST: As8 LCP: EndpointDisc 1 Local
Aug 1 09:42:15.424 CST: As8 LCP: (0x131701DC57FC8B1CEA4CCEA064C0D958)
Aug 1 09:42:15.428 CST: As8 LCP: (0x82667300000000)
Aug 1 09:42:15.432 CST: As8 LCP: O CONFACK [ACKrcvd] id 1 len 43
Aug 1 09:42:15.436 CST: As8 LCP: ACCM 0x00000000 (0x020600000000)
Aug 1 09:42:15.440 CST: As8 LCP: MagicNumber 0x5FA259DE (0x05065FA259DE)
Aug 1 09:42:15.444 CST: As8 LCP: PFC (0x0702)
Aug 1 09:42:15.448 CST: As8 LCP: ACFC (0x0802)
Aug 1 09:42:15.452 CST: As8 LCP: EndpointDisc 1 Local
Aug 1 09:42:15.456 CST: As8 LCP: (0x131701DC57FC8B1CEA4CCEA064C0D958)
Aug 1 09:42:15.460 CST: As8 LCP: (0x82667300000000)
Aug 1 09:42:15.460 CST: As8 LCP: State is Open
Aug 1 09:42:15.468 CST: As8 AAA/AUTHOR/LCP: Authorize LCP
Aug 1 09:42:15.468 CST: As8 AAA/AUTHOR/LCP (2679858087): Port='Async8' list='' 
  service=NET
Aug 1 09:42:15.472 CST: AAA/AUTHOR/LCP: As8 (2679858087) user='callback_user'
Aug 1 09:42:15.476 CST: As8 AAA/AUTHOR/LCP (2679858087): send AV service=ppp
Aug 1 09:42:15.480 CST: As8 AAA/AUTHOR/LCP (2679858087): send AV protocol=lcp
Aug 1 09:42:15.484 CST: As8 AAA/AUTHOR/LCP (2679858087): found list "default"
Aug 1 09:42:15.488 CST: As8 AAA/AUTHOR/LCP (2679858087): Method=tacacs+ (tacacs+)
Aug 1 09:42:15.492 CST: AAA/AUTHOR/TAC+: (2679858087): user=callback_user
Aug 1 09:42:15.492 CST: AAA/AUTHOR/TAC+: (2679858087): send AV service=ppp
Aug 1 09:42:15.496 CST: AAA/AUTHOR/TAC+: (2679858087): send AV protocol=lcp
Aug 1 09:42:15.724 CST: TAC+: (2679858087): received author response status 
  = PASS_ADD
Aug 1 09:42:15.732 CST: As8 AAA/AUTHOR (2679858087): Post authorization status 
  = PASS_ADD
Aug 1 09:42:15.736 CST: As8 AAA/AUTHOR/LCP: Processing AV service=ppp
Aug 1 09:42:15.740 CST: As8 AAA/AUTHOR/LCP: Processing AV protocol=lcp
Aug 1 09:42:15.740 CST: As8 AAA/AUTHOR/LCP: Processing AV
  callback-dialstring=81550
Aug 1 09:42:15.748 CST: As8 PPP: Phase is UP
Aug 1 09:42:15.752 CST: As8 AAA/AUTHOR/FSM: (0): Can we start IPCP?
Aug 1 09:42:15.756 CST: As8 AAA/AUTHOR/FSM (3644410406): Port='Async8' list='' 
  service=NET
Aug 1 09:42:15.760 CST: AAA/AUTHOR/FSM: As8 (3644410406) user='callback_user'
Aug 1 09:42:15.764 CST: As8 AAA/AUTHOR/FSM (3644410406): send AV service=ppp
Aug 1 09:42:15.768 CST: As8 AAA/AUTHOR/FSM (3644410406): send AV protocol=ip
Aug 1 09:42:15.768 CST: As8 AAA/AUTHOR/FSM (3644410406): found list "default"
Aug 1 09:42:15.772 CST: As8 AAA/AUTHOR/FSM (3644410406): Method=tacacs+ (tacacs+)
Aug 1 09:42:15.776 CST: AAA/AUTHOR/TAC+: (3644410406): user=callback_user
Aug 1 09:42:15.780 CST: AAA/AUTHOR/TAC+: (3644410406): send AV service=ppp
Aug 1 09:42:15.784 CST: AAA/AUTHOR/TAC+: (3644410406): send AV protocol=ip
Aug 1 09:42:16.016 CST: TAC+: (3644410406): received author response status 
  = PASS_ADD
Aug 1 09:42:16.020 CST: As8 AAA/AUTHOR (3644410406): Post authorization status 
  = PASS_ADD
Aug 1 09:42:16.028 CST: As8 AAA/AUTHOR/FSM: We can start IPCP
Aug 1 09:42:16.032 CST: As8 IPCP: O CONFREQ [Closed] id 1 len 16
Aug 1 09:42:16.036 CST: As8 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
Aug 1 09:42:16.040 CST: As8 IPCP: Address 172.22.53.101 (0x0306AC163565)
Aug 1 09:42:16.048 CST: As8 LCP: I IDENTIFY [Open] id 2 len 18 magic 
  0x5FA259DEMSRASV5.00
Aug 1 09:42:16.052 CST: As8 LCP: I IDENTIFY [Open] id 3 len 29 magic 
  0x5FA259DEMSRAS-1-RBROWN-LAPTOP
Aug 1 09:42:16.056 CST: As8 CCP: I CONFREQ [Not negotiated] id 4 len 10
Aug 1 09:42:16.060 CST: As8 CCP: MS-PPC supported bits 0x00000001
  (0x120600000001)
Aug 1 09:42:16.068 CST: As8 LCP: O PROTREJ [Open] id 3 len 16 protocol CCP
  (0x80FD0104000A120600000001)
Aug 1 09:42:16.080 CST: As8 IPCP: I CONFREQ [REQsent] id 5 len 40
Aug 1 09:42:16.084 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:16.088 CST: As8 IPCP: Address 0.0.0.0 (0x030600000000)
Aug 1 09:42:16.092 CST: As8 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Aug 1 09:42:16.096 CST: As8 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
Aug 1 09:42:16.100 CST: As8 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Aug 1 09:42:16.104 CST: As8 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
Aug 1 09:42:16.108 CST: As8 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we 
  want 172.22.53.148
Aug 1 09:42:16.112 CST: As8 AAA/AUTHOR/IPCP: Processing AV service=ppp
Aug 1 09:42:16.116 CST: As8 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Aug 1 09:42:16.120 CST: As8 AAA/AUTHOR/IPCP: Authorization succeeded
Aug 1 09:42:16.120 CST: As8 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 
  172.22.53.148
Aug 1 09:42:16.128 CST: As8 IPCP: O CONFREJ [REQsent] id 5 len 22
Aug 1 09:42:16.132 CST: As8 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
Aug 1 09:42:16.136 CST: As8 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Aug 1 09:42:16.144 CST: As8 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
Aug 1 09:42:16.184 CST: As8 IPCP: I CONFACK [REQsent] id 1 len 16
Aug 1 09:42:16.188 CST: As8 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
Aug 1 09:42:16.192 CST: As8 IPCP: Address 172.22.53.101 (0x0306AC163565)
Aug 1 09:42:16.680 CST: As8 IPCP: I CONFREQ [ACKrcvd] id 6 len 22
Aug 1 09:42:16.684 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:16.688 CST: As8 IPCP: Address 0.0.0.0 (0x030600000000)
Aug 1 09:42:16.692 CST: As8 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Aug 1 09:42:16.696 CST: As8 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we 
  want 172.22.53.148
Aug 1 09:42:16.700 CST: As8 AAA/AUTHOR/IPCP: Processing AV service=ppp
Aug 1 09:42:16.704 CST: As8 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Aug 1 09:42:16.708 CST: As8 AAA/AUTHOR/IPCP: Authorization succeeded
Aug 1 09:42:16.708 CST: As8 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we 
  want 172.22.53.148
Aug 1 09:42:16.716 CST: As8 IPCP: O CONFNAK [ACKrcvd] id 6 len 16
Aug 1 09:42:16.720 CST: As8 IPCP: Address 172.22.53.148 (0x0306AC163594)
Aug 1 09:42:16.724 CST: As8 IPCP: PrimaryDNS 172.22.53.210 (0x8106AC1635D2)
Aug 1 09:42:16.748 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async8,
  changed state to up
Aug 1 09:42:16.852 CST: As8 IPCP: I CONFREQ [ACKrcvd] id 7 len 22
Aug 1 09:42:16.856 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:16.860 CST: As8 IPCP: Address 172.22.53.148 (0x0306AC163594)
Aug 1 09:42:16.864 CST: As8 IPCP: PrimaryDNS 172.22.53.210 (0x8106AC1635D2)
Aug 1 09:42:16.868 CST: As8 AAA/AUTHOR/IPCP: Start. Her address 172.22.53.148,
  we want 172.22.53.148
Aug 1 09:42:16.876 CST: As8 AAA/AUTHOR/IPCP (4022385425): Port='Async8'
  list=''service=NET
Aug 1 09:42:16.880 CST: AAA/AUTHOR/IPCP: As8 (4022385425) user='callback_user'
Aug 1 09:42:16.884 CST: As8 AAA/AUTHOR/IPCP (4022385425): send AV service=ppp
Aug 1 09:42:16.888 CST: As8 AAA/AUTHOR/IPCP (4022385425): send AV protocol=ip
Aug 1 09:42:16.892 CST: As8 AAA/AUTHOR/IPCP (4022385425):
  send AV addr*172.22.53.148
Aug 1 09:42:16.892 CST: As8 AAA/AUTHOR/IPCP (4022385425): found list "default"
Aug 1 09:42:16.896 CST: As8 AAA/AUTHOR/IPCP (4022385425): Method=tacacs+ (tacacs+)
Aug 1 09:42:16.900 CST: AAA/AUTHOR/TAC+: (4022385425): user=callback_user
Aug 1 09:42:16.904 CST: AAA/AUTHOR/TAC+: (4022385425): send AV service=ppp
Aug 1 09:42:16.908 CST: AAA/AUTHOR/TAC+: (4022385425): send AV protocol=ip
Aug 1 09:42:16.912 CST: AAA/AUTHOR/TAC+: (4022385425): 
  send AV addr*172.22.53.148
Aug 1 09:42:17.140 CST: TAC+: (4022385425): received author response status 
  = PASS_REPL
Aug 1 09:42:17.148 CST: As8 AAA/AUTHOR (4022385425): Post authorization status 
  = PASS_REPL
Aug 1 09:42:17.156 CST: As8 AAA/AUTHOR/IPCP: Reject 172.22.53.148,
  using 172.22.53.148
Aug 1 09:42:17.164 CST: As8 AAA/AUTHOR/IPCP: Processing AV service=ppp
Aug 1 09:42:17.164 CST: As8 AAA/AUTHOR/IPCP: Processing AV protocol=ip
Aug 1 09:42:17.168 CST: As8 AAA/AUTHOR/IPCP: Processing AV addr*172.22.53.148
Aug 1 09:42:17.172 CST: As8 AAA/AUTHOR/IPCP: Authorization succeeded
Aug 1 09:42:17.176 CST: As8 AAA/AUTHOR/IPCP: Done. Her address 172.22.53.148, 
  we want 172.22.53.148
Aug 1 09:42:17.180 CST: As8 IPCP: O CONFACK [ACKrcvd] id 7 len 22
Aug 1 09:42:17.184 CST: As8 IPCP: CompressType VJ 15 slots CompressSlotID
  (0x0206002D0F01)
Aug 1 09:42:17.192 CST: As8 IPCP: Address 172.22.53.148 (0x0306AC163594)
Aug 1 09:42:17.196 CST: As8 IPCP: PrimaryDNS 172.22.53.210 (0x8106AC1635D2)
Aug 1 09:42:17.200 CST: As8 IPCP: State is Open
Aug 1 09:42:17.220 CST: As8 IPCP: Install route to 172.22.53.148

관련 정보

• Windows용 Cisco Secure ACS 지원 페이지
• TACACS+ 지원 페이지
• IOS의 TACACS+ 문서
• 기술 지원 및 문서 − Cisco Systems