version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.100.4 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.193.1
ip dhcp excluded-address 192.168.193.33
!
ip dhcp pool SOHO-193.0
   network 192.168.193.0 255.255.255.224
   default-router 192.168.193.1
   option 150 ip 192.168.100.11 192.168.100.10
   domain-name extrateam.com
   netbios-name-server 192.168.100.1 192.168.100.4
   dns-server 206.13.31.12 192.168.100.1 192.168.100.4
   lease 8
!
ip dhcp pool FAMILY-193.32
   network 192.168.193.32 255.255.255.224
   default-router 192.168.193.33
   dns-server 206.13.31.12 26.13.28.12
   lease 8
!
!
ip tcp synwait-time 10
ip tcp path-mtu-discovery
no ip bootp server
ip domain name .com
ip inspect name FW cuseeme
ip inspect name FW ftp
ip inspect name FW h323
ip inspect name FW icmp
ip inspect name FW netshow
ip inspect name FW rcmd
ip inspect name FW realaudio
ip inspect name FW rtsp
ip inspect name FW esmtp
ip inspect name FW sqlnet
ip inspect name FW streamworks
ip inspect name FW tftp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW vdolive
ip inspect name FW sip
ip inspect name FW skinny
ip inspect name FW ntp
login block-for 5 attempts 5 within 5
!
!
!
username removed secret 5 removed
!
!
class-map match-any INTERNETWORK
 match access-group name IKE.acl
 match ip dscp cs6
 match ip dscp cs7
class-map match-any AutoQoS-VoIP-Remark
 match ip dscp ef
 match ip dscp cs3
 match ip dscp af31
class-map match-any AutoQoS-VoIP-Control-UnTrust
 match access-group name AutoQoS-VoIP-Control
class-map match-any AutoQoS-VoIP-RTP-UnTrust
 match protocol rtp audio
 match access-group name AutoQoS-VoIP-RTCP
!
!
policy-map AutoQoS-Policy-UnTrust
 class AutoQoS-VoIP-RTP-UnTrust
  priority percent 65
  set dscp ef
 class AutoQoS-VoIP-Control-UnTrust
  bandwidth percent 5
  set dscp af31
 class AutoQoS-VoIP-Remark
  set dscp default
 class INTERNETWORK
  bandwidth percent 5
 class class-default
  fair-queue
!
!
crypto isakmp keepalive 10
!
!
!
!
!
crypto ipsec client ezvpn removed
 connect auto
 group VPN key removed
 mode network-extension
 peer
 username vpn871-02 password removed
 xauth userid mode local
!
!
bridge irb
!
!
!
interface FastEthernet0
 description IP PHONE
 switchport voice vlan 1
 switchport priority extend cos 0
 spanning-tree portfast
!
interface FastEthernet1
 description FAMILY
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet2
 description FAMILY
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet3
 description FAMILY
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet4
 description WAN
 ip address dhcp client-id FastEthernet4
 ip access-group FW-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 542
 duplex auto
 speed auto
 auto qos voip
 no cdp enable
 crypto ipsec client ezvpn
 service-policy output AutoQoS-Policy-UnTrust
!
interface Dot11Radio0
 no ip address
 no ip route-cache cef
 no ip route-cache
 !
 encryption vlan 1 key 1 transmit-key
 encryption vlan 1 mode wep mandatory
 !
 ssid soho
    vlan 1
    authentication open eap eap_methods
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 description IP PHONE
 encapsulation dot1Q 1 native
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 description FAMILY
 encapsulation dot1Q 2
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 no snmp trap link-status
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Vlan1
 description IP PHONE
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description FAMILY
 no ip address
 no ip proxy-arp
 ip route-cache flow
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface BVI1
 description IP PHONE
 ip address 192.168.193.1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect FW in
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1260
 crypto ipsec client ezvpn inside
 hold-queue 32 in
!
interface BVI2
 description FAMILY
 ip address 192.168.193.33 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect FW in
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1260
 hold-queue 32 in
!
ip classless
!
!
ip http server
no ip http secure-server
ip nat translation port-timeout udp 500 7200
ip nat inside source route-map NAT.rmap interface FastEthernet4 overload
!
ip access-list extended AutoQoS-VoIP-Control
 permit tcp any any eq 1720
 permit tcp any any range 11000 11999
 permit udp any any eq 2427
 permit tcp any any eq 2428
 permit tcp any any range 2000 2002
 permit udp any any eq 1719
 permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
 permit udp any any range 16384 32767
ip access-list extended FW-IN
 remark OUTSIDE FIREWALL
 remark CBAC FIREALL
 remark ALLOW TUNNELED TRAFFIC
 permit ip host any
 remark remark ICMP PERMITS
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark ALLOW DHCP
 permit udp any eq bootps any eq bootpc
 remark ALLOW NTP
 permit udp host 140.142.16.34 any eq ntp
 permit udp host 193.123.30.132 any eq ntp
ip access-list extended IKE.acl
 remark QoS POLICY
 permit udp any eq isakmp any eq isakmp
ip access-list extended NAT.acl
 deny ip 192.168.193.0 0.0.0.31 192.168.192.0 0.0.31.255
 deny ip 192.168.193.0 0.0.0.31 172.16.1.0 0.0.0.255
 deny ip 192.168.193.0 0.0.0.31 10.1.1.0 0.0.0.255
 deny ip 192.168.193.32 0.0.0.31 192.168.192.0 0.0.31.255
 deny ip 192.168.193.32 0.0.0.31 172.16.1.0 0.0.0.255
 deny ip 192.168.193.32 0.0.0.31 10.1.1.0 0.0.0.255
 permit ip 192.168.193.0 0.0.0.31 any
 permit ip 192.168.193.32 0.0.0.31 any
!
ip radius source-interface BVI1
logging trap debugging
no cdp run
!
route-map NAT.rmap permit 10
 match ip address NAT.acl
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.100.4 auth-port 1645 acct-port 1646 key 7
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
bridge 2 route ip
alias exec c conf t
alias exec if sh ip int brief
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 password 7
 logging synchronous
 length 0
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175063
ntp server 140.142.16.34
ntp server 198.123.30.132
end

001606: *Feb 9 23:47:51.243 UTC: RADIUS: authenticator 93 3C 41 A4 93 2E AA B8 - 4C CB E7 95 A7 62 D2 12
001607: *Feb 9 23:47:51.243 UTC: RADIUS: User-Name [1] 16 "\tony"
001608: *Feb 9 23:47:51.243 UTC: RADIUS: Framed-MTU [12] 6 1400
001609: *Feb 9 23:47:51.243 UTC: RADIUS: Called-Station-Id [30] 16 "0014.a426.ebd0"
001610: *Feb 9 23:47:51.243 UTC: RADIUS: Calling-Station-Id [31] 16 "0013.ce4f.303e"
001611: *Feb 9 23:47:51.243 UTC: RADIUS: Service-Type [6] 6 Login [ 1]
001612: *Feb 9 23:47:51.243 UTC: RADIUS: Message-Authenticato[80] 18
001613: *Feb 9 23:47:51.243 UTC: RADIUS: E5 BA 36 D4 F7 13 6E 7F A3 9E BD 7A FC 0C C5 E9 [??6??? n????z????]
001614: *Feb 9 23:47:51.243 UTC: RADIUS: EAP-Message [79] 82
001615: *Feb 9 23:47:51.247 UTC: RADIUS: 02 03 00 50 19 80 00 00 00 46 16 03 01 00 41 01 [???P?? ???F????A?]
001616: *Feb 9 23:47:51.247 UTC: RADIUS: 00 00 3D 03 01 43 EB F4 33 D2 45 A6 98 41 85 05 [??=??C ??3?E??A??]
001617: *Feb 9 23:47:51.247 UTC: RADIUS: 02 EA F9 30 A3 8E 7A BE 8D 5A 2E 27 03 D0 A4 7E [???0?? z??Z.'???~]
001618: *Feb 9 23:47:51.247 UTC: RADIUS: 19 5E 2E 95 F8 00 00 16 00 04 00 05 00 0A 00 09 [?^.??? ??????????]
001619: *Feb 9 23:47:51.247 UTC: RADIUS: 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 00 [?d?b?? ???????c??]
001620: *Feb 9 23:47:51.247 UTC: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [ 19]
001621: *Feb 9 23:47:51.247 UTC: RADIUS: NAS-Port [5] 6 75
001622: *Feb 9 23:47:51.247 UTC: RADIUS: NAS-Port-Id [87] 4 "75"
001623: *Feb 9 23:47:51.247 UTC: RADIUS: State [24] 25
001624: *Feb 9 23:47:51.247 UTC: RADIUS: 22 71 04 06 00 00 01 37 00 01 C0 A8 C8 04 00 00 ["q???? ?7????????]
001625: *Feb 9 23:47:51.247 UTC: RADIUS: 00 03 06 3A AD A8 00 [???:?? ?]
001626: *Feb 9 23:47:51.247 UTC: RADIUS: NAS-IP-Address [4] 6 192.168.193.1
001627: *Feb 9 23:47:56.987 UTC: RADIUS: no sg in radius-timers: ctx 0x8379ADF8 sg 0x0000
001628: *Feb 9 23:47:56.987 UTC: RADIUS: Retransmit to (192.168.100.4:1645,1646) for id 1645/107
001627: *Feb 9 23:47:56.987 UTC: RADIUS: no sg in radius-timers: ctx 0x8379ADF8 sg 0x0000
001628: *Feb 9 23:47:56.987 UTC: RADIUS: Retransmit to (192.168.100.4:1645,1646) for id 1645/107
001629: *Feb 9 23:48:02.043 UTC: RADIUS: no sg in radius-timers: ctx 0x8379ADF8 sg 0x0000
001630: *Feb 9 23:48:02.043 UTC: RADIUS: Retransmit to (192.168.100.4:1645,1646) for id 1645/107
VPN-871-02#
001631: *Feb 9 23:48:07.643 UTC: RADIUS: no sg in radius-timers: ctx 0x8379ADF8 sg 0x0000
001632: *Feb 9 23:48:07.643 UTC: RADIUS: Retransmit to (192.168.100.4:1645,1646) for id 1645/107
VPN-871-02#U A
001633: *Feb 9 23:48:12.667 UTC: RADIUS: no sg in radius-timers: ctx 0x8379ADF8 sg 0x0000
001634: *Feb 9 23:48:12.667 UTC: RADIUS: Retransmit to (192.168.100.4:1645,1646) for id 1645/107LL
All possible debugging has been turned off
VPN-871-02#
VPN-871-02#
VPN-871-02#
VPN-871-02#
VPN-871-02#
001635: *Feb 9 23:48:18.459 UTC: %DOT11-7-AUTH_FAILED: Station 0013.ce4f.303e Authentication failed
VPN-871-02#