Setup: an ACS 5.2 sits on the inside of the ASA and clients dial in with the EzVPN client. As long as the ACS access policy has no MAC-address condition, a client that authenticates gets straight through to internal resources; once a rule that matches on the client's MAC address is added, username/password authentication for that same user is rejected. The debug output at the end of this note shows why: the Access-Request the ASA sends carries only User-Name, User-Password, NAS-IP-Address, NAS-Port and NAS-Port-Type (value 5, Virtual) and no Calling-Station-Id, so there is nothing for a MAC condition to match. A remote-access VPN peer is identified by its public IP address, not by a MAC address (for a real session the ASA fills Calling-Station-Id with that IP), so a MAC-based rule can never match a VPN login and the request is rejected.
Reference configuration
(Two things to note before reusing this lab config: the IKEv1 policy uses 3DES, SHA-1 and DH group 2, which are legacy settings, and access-list traffic together with the static NAT of the ACS to 202.16.1.2 exposes the RADIUS server to every outside host; in production, move to AES and a larger DH group and restrict that ACL to the sources that actually need to reach the ACS.)
ASA:
interface GigabitEthernet0
nameif inside
security-level 100
ip address 172.16.28.254 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 202.16.1.1 255.255.255.248
!
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network Remote
subnet 10.144.1.0 255.255.255.0
object network ACS
host 172.16.28.30
access-list traffic extended permit icmp any any
access-list traffic extended permit ip any host 172.16.28.30
access-list split standard permit 192.168.1.0 255.255.255.0
!
ip local pool ezvpn 10.144.1.41-10.144.1.80 mask 255.255.255.0
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static Remote Remote
!
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
object network ACS
nat (inside,outside) static 202.16.1.2
access-group traffic in interface outside
route outside 0.0.0.0 0.0.0.0 202.16.1.6 1
route inside 192.168.1.0 255.255.255.0 172.16.28.10 1
!
aaa-server Radius protocol radius
aaa-server Radius (inside) host 172.16.28.30
key *****
!
crypto ipsec ikev1 transform-set cisco esp-3des esp-sha-hmac
crypto dynamic-map dymap 10 set ikev1 transform-set cisco
crypto map mymap 1000 ipsec-isakmp dynamic dymap
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy ezvpn internal
group-policy ezvpn attributes
banner value welcome to access to ezvpn!
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
address-pools value ezvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group ezvpn type remote-access
tunnel-group ezvpn general-attributes
authentication-server-group Radius LOCAL
default-group-policy ezvpn
tunnel-group ezvpn ipsec-attributes
ikev1 pre-shared-key *****
ACS configuration (key parts):
Basic configuration: create the AAA client (the ASA, using the same shared secret as the ASA's aaa-server key), add the group sale-ezvpn, add the user user1 and put that user in sale-ezvpn;
Adding the trusted MAC address:
Username + MAC address authentication:
With the MAC-address rule in place, dialing in from the client PC no longer succeeds; the authentication test and debug output below reproduce the failure from the ASA CLI.
debug:
ASA# test aaa-server authentication Radius host 172.16.28.30
Username: user1
Password: *********
INFO: Attempting Authentication test to IP address <172.16.28.30> (timeout: 12 seconds)
radius mkreq: 0x6
alloc_rip 0xcb7b156c
new request 0x6 --> 5 (0xcb7b156c)
got user 'user1'
got password
add_req 0xcb7b156c session 0x6 id 5
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 63).....
01 05 00 3f 3e 9f ec b5 4a bb d8 31 16 97 84 6d | ...?>...J..1...m
a2 33 f0 69 01 07 75 73 65 72 31 02 12 8d d4 19 | .3.i..user1.....
08 6b 42 73 3c df 12 60 b7 c3 01 56 92 04 06 ac | .kBs<..`...V....
10 1c fe 05 06 00 00 00 05 3d 06 00 00 00 05 | .........=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 5 (0x05)
Radius: Length = 63 (0x003F)
Radius: Vector: 3E9FECB54ABBD8311697846DA233F069
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31 | user1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
8d d4 19 08 6b 42 73 3c df 12 60 b7 c3 01 56 92 | ....kBs<..`...V.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 172.16.28.254 (0xAC101CFE)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 172.16.28.30/1645
rip 0xcb7b156c state 7 id 5
rad_vrfy() : response message verified
rip 0xcb7b156c
: chall_state ''
: state 0x7
: reqauth:
3e 9f ec b5 4a bb d8 31 16 97 84 6d a2 33 f0 69
: info 0xcb7b16a4
session_id 0x6
request_id 0x5
user 'user1'
response '***'
app 0
reason 0
skey 'cisco'
sip 172.16.28.30
type 1
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 20).....
03 05 00 14 59 66 81 66 1f c4 4b bb bd 44 fd e8 | ....Yf.f..K..D..
1d 7b f2 a8 | .{..
Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 5 (0x05)
Radius: Length = 20 (0x0014)
Radius: Vector: 596681661FC44BBBBD44FDE81D7BF2A8
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0xcb7b156c session 0x6 id 5
free_rip 0xcb7b156c
radius: send queue empty
ERROR: Authentication Rejected: AAA failure
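The decoder below is an added example and not code from the original page or from Cisco. It parses the two packets printed by the debug above (bytes copied from the Access-Request and Access-Reject hex dumps) and makes the point directly: the request carries attributes 1, 2, 4, 5 and 61 and no Calling-Station-Id (31), so a MAC rule on ACS has nothing to match; a constructed 802.1X-style request that does carry attribute 31 is parsed the same way for contrast. It also verifies an Access-Reject's Response Authenticator against the Request Authenticator with the shared secret, and recovers User-Password with the RFC 2865 MD5/XOR scheme, which is why the `skey 'cisco'` line in the debug and the debug itself must be treated as sensitive. The 802.1X sample packet, the constructed password and the attribute constants are assumptions for the example.

```python
"""Decode the RADIUS exchange from the ASA debug output on this page.

Added example, not code from the original page. The packets are the raw hex
dumps printed above (Access-Request id 5, 63 bytes; Access-Reject id 5, 20
bytes); b"cisco" is the `skey` the same debug prints. Layout, Response
Authenticator and User-Password handling follow RFC 2865.
"""
import hashlib
import hmac
import ipaddress
import struct

# Bytes copied from the page's hex dump of the Access-Request.
ACCESS_REQUEST = bytes.fromhex(
    "0105003f" "3e9fecb54abbd8311697846da233f069"  # header + Request Authenticator
    "0107" "7573657231"                              # 1  User-Name "user1"
    "0212" "8dd419086b42733cdf1260b7c3015692"        # 2  User-Password (obfuscated)
    "0406" "ac101cfe"                                # 4  NAS-IP-Address 172.16.28.254
    "0506" "00000005"                                # 5  NAS-Port 5
    "3d06" "00000005"                                # 61 NAS-Port-Type 5 = Virtual
)
# Bytes copied from the page's hex dump of the Access-Reject (no attributes).
ACCESS_REJECT = bytes.fromhex("03050014" "596681661fc44bbbbd44fde81d7bf2a8")
PAGE_SECRET = b"cisco"  # the skey value the debug output prints in clear
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31

def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); bounds-checked."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d != packet size %d" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def encode_attrs(attrs):
    """Serialise [(type, bytes)] as Type/Length/Value; Length covers all three."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def attribute_types(packet):
    return [atype for atype, _ in parse_radius(packet)[3]]

def has_calling_station_id(packet):
    """Attribute 31 is the only place a client MAC could travel in the request."""
    return CALLING_STATION_ID in attribute_types(packet)

def nas_ip(packet):
    raw = next(v for t, v in parse_radius(packet)[3] if t == NAS_IP_ADDRESS)
    return str(ipaddress.IPv4Address(raw))

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def verify_response(request, response, secret):
    """True if `response` answers `request` (same ID) and was built with `secret`."""
    _, req_id, req_auth, _ = parse_radius(request)
    code, ident, resp_auth, attrs = parse_radius(response)
    if ident != req_id:
        return False
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    return hmac.compare_digest(expected, resp_auth)

def _password_xor(data, req_auth, secret, decrypt):
    """RFC 2865 s.5.2 chained MD5/XOR; each pad is keyed by the previous cipher block."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result
    return bytes(out)

def encrypt_user_password(plain, req_auth, secret):
    padded = plain.ljust((-(-len(plain) // 16) * 16) or 16, b"\x00")
    return _password_xor(padded, req_auth, secret, decrypt=False)

def decrypt_user_password(request, secret):
    """Recover User-Password; anyone holding the shared secret and a capture can."""
    _, _, req_auth, attrs = parse_radius(request)
    cipher = next(v for t, v in attrs if t == USER_PASSWORD)
    return _password_xor(cipher, req_auth, secret, decrypt=True).rstrip(b"\x00")
```

Calling `attribute_types(ACCESS_REQUEST)` on the page's request returns `[1, 2, 4, 5, 61]` and `has_calling_station_id(ACCESS_REQUEST)` is False, which is the whole reason the MAC rule fails; `verify_response(ACCESS_REQUEST, ACCESS_REJECT, PAGE_SECRET)` checks the reject with the secret the debug leaked, and `decrypt_user_password(ACCESS_REQUEST, PAGE_SECRET)` shows what that leak costs. The parser refuses packets whose Length field or attribute lengths do not fit the buffer instead of reading past them.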