magic or bug in Radius ? any workaround ?

andbor600
Level 1

good day guys,

just came across the following issue:

I set up a radius server on my 877 series router. I need the RADIUS to authenticate/authorize users logging in from cisco Access Points connected to my router. until now everything was working fine - my radius server was authenticating AP users.

I decided to set up VPN easy server on above mentioned router and this is where my troubles started, because my idea was to use the same radius server usernames as for Access Points.

so to authenticate/authorize VPN users I use the radius server, which is in fact within the same router, which serves the VPN connection.

my problem is that:

no VPN connection is possible unless the VPN username string is exactly the same as the password string.

for example:

VPN connection is made if:

username = test

password = test

VPN connection is not made if

username = test

password = anything_else_than_test

any help guys ?


andbor600
Level 1

guys,

and facts (terminal printout)

-----------------------------------------------------------------------------------------
C877W#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C877W(config)#radi loc
C877W(config-radsrv)#user tester password tester
C877W(config-radsrv)#^Z
C877W#test aaa group rad_eap tester tester legacy
Attempting authentication test to server-group rad_eap using radius
User was successfully authenticated.

C877W#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C877W(config)#radius-server local
C877W(config-radsrv)#user tester password tester2
C877W(config-radsrv)#^Z
C877W#test aaa group rad_eap tester tester2 legacy
Attempting authentication test to server-group rad_eap using radius
User authentication request was rejected by server.

C877W#

------------------------------------------------------------------------------

any idea ?

This is not a default behaviour.

kindly run debug radius, debug authentication and share the output.

Jatin Katyal


- Do rate helpful posts -

~Jatin

here you go, the log with "tester2" password.

below it says client tester password failed, although the password is correct.

C877W#debug radius loc c
Radius server client failures debugging is on
C877W#debug radius loc p
Radius server packet debugging is on
C877W#debug radius loc err
Radius server error debugging is on
C877W#term mo
% Ambiguous command:  "term mo"
C877W#term mon
C877W#
020744: *May  3 18:29:46.945: RADIUS: Pick NAS IP for u=0x83934C2C tableid=0 cfg_addr=0.0.0.0
020745: *May  3 18:29:46.945: RADIUS: ustruct sharecount=1
020746: *May  3 18:29:46.945: Radius: radius_port_info() success=0 radius_nas_port=1
020747: *May  3 18:29:46.945: RADIUS(00000000): Config NAS IP: 0.0.0.0
020748: *May  3 18:29:46.949: RADIUS/ENCODE: Best Local IP-Address 10.10.10.1 for Radius-Server 10.10.10.1
020749: *May  3 18:29:46.949: RADIUS(00000000): Send Access-Request to 10.10.10.1:1812 id 1645/48, len 65
020750: *May  3 18:29:46.949: RADIUS:  authenticator 57 BD E9 69 C3 6D 67 C6 - 75 BA 22 17 46 E4 0A C0
020751: *May  3 18:29:46.949: RADIUS:  NAS-IP-Address      [4]   6   10.10.10.1
020752: *May  3 18:29:46.953: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
020753: *May  3 18:29:46.953: RADIUS:  User-Name           [1]   8   "tester"
020754: *May  3 18:29:46.953: RADIUS:  User-Password       [2]   18  *
020755: *May  3 18:29:46.953: RADIUS:  Nas-Identifier      [32]  7   "C877W"
020756: *May  3 18:29:46.957: RADSRV: Client tester password failed
020757: *May  3 18:29:46.957: RADSRV 10.10.10.1< Code 3 Id 30 Len 88
020758: *May  3 18:29:46.957:   Auth 3B95E45 D30473AA 374ACF2D C09A9028
020759: *May  3 18:29:46.957:   24 - 29 8B BD E3 15 5E 15 62 B8 21 3F F3 38 09 62 B8 E3 81 60 8D D9 36 39 CA 50 2D 2B 32 27 80 E6 06 A9 DC F5 47 06 22 B6 76 12 85 59 98 11 2D D1 B9
020760: *May  3 18:29:46.961:   80 - CA DD 84 B6 40 D9 3B 8C 54 F8 BB 45 B7 DE A4 08
020761: *May  3 18:29:46.961: RADIUS: Received from id 1645/48 10.10.10.1:1812, Access-Reject, len 88
020762: *May  3 18:29:46.961: RADIUS:  authenticator 03 B9 5E 45 D3 04 73 AA - 37 4A CF 2D C0 9A 90 28
020763: *May  3 18:29:46.961: RADIUS:  State               [24]  50
020764: *May  3 18:29:46.965: RADIUS:   29 8B BD E3 15 5E 15 62 B8 21 3F F3 38 09 62 B8  [)????^?b?!??8?b?]
020765: *May  3 18:29:46.965: RADIUS:   E3 81 60 8D D9 36 39 CA 50 2D 2B 32 27 80 E6 06  [??`??69?P-+2'???]
020766: *May  3 18:29:46.965: RADIUS:   A9 DC F5 47 06 22 B6 76 12 85 59 98 11 2D D1 B9  [???G?"?v??Y??-??]
020767: *May  3 18:29:46.965: RADIUS:  Message-Authenticato[80]  18
020768: *May  3 18:29:46.965: RADIUS:   CA DD 84 B6 40 D9 3B 8C 54 F8 BB 45 B7 DE A4 08  [????@?;?T??E????]
020769: *May  3 18:29:46.965: RADIUS: saved authorization data for user 83934C2C at 0

yep! It shows RADSRV: Client tester password failed if we use a different password.

Just out of curiosity I want you to try the same thing with

C877W#test aaa group rad_eap tester tester2 new-code

Jatin Katyal


- Do rate helpful posts -

~Jatin

here you go, this time test aaa with "new-code"

021272: *May  3 19:49:20.121: RADIUS/ENCODE(00000000):Orig. component type = INVALID
021273: *May  3 19:49:20.121: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
021274: *May  3 19:49:20.121: RADIUS(00000000): Config NAS IP: 0.0.0.0
021275: *May  3 19:49:20.121: RADIUS(00000000): Config NAS IP: 0.0.0.0
021276: *May  3 19:49:20.121: RADIUS(00000000): sending
021277: *May  3 19:49:20.121: RADIUS/ENCODE: Best Local IP-Address 10.10.10.1 for Radius-Server 10.10.10.1
021278: *May  3 19:49:20.125: RADIUS(00000000): Send Access-Request to 10.10.10.1:1812 id 1645/50, len 59
021279: *May  3 19:49:20.125: RADIUS:  authenticator 5C 6A C7 E9 F6 93 D7 2F - 47 F7 95 83 E9 EB 1A E9
021280: *May  3 19:49:20.125: RADIUS:  User-Password       [2]   18  *
021281: *May  3 19:49:20.125: RADIUS:  User-Name           [1]   8   "tester"
021282: *May  3 19:49:20.125: RADIUS:  NAS-IP-Address      [4]   6   10.10.10.1
021283: *May  3 19:49:20.125: RADIUS:  Nas-Identifier      [32]  7   "C877W"
021284: *May  3 19:49:20.125: RADSRV: Client tester password failed
021285: *May  3 19:49:20.125: RADSRV 10.10.10.1< Code 3 Id 32 Len 88
021286: *May  3 19:49:20.125:   Auth 15FF4293 B5A7A299 6D303243 F0DCC79B
021287: *May  3 19:49:20.129:   24 - 58 CB E7 8F 8F DD 70 29 CF 87 7C 8A 0F 56 48 74 57 98 F9 52 EE DA BD 03 18 C3 40 FE 76 61 27 A8 22 FC FC C7 38 BC 54 AB 13 EF 17 67 9A 70 50 66
021288: *May  3 19:49:20.133:   80 - AA 39 44 4D CE BA 94 2B A4 A3 D7 50 46 E7 97 6C
021289: *May  3 19:49:20.133: RADIUS: Received from id 1645/50 10.10.10.1:1812, Access-Reject, len 88
021290: *May  3 19:49:20.137: RADIUS:  authenticator 15 FF 42 93 B5 A7 A2 99 - 6D 30 32 43 F0 DC C7 9B
021291: *May  3 19:49:20.137: RADIUS:  State               [24]  50
021292: *May  3 19:49:20.137: RADIUS:   58 CB E7 8F 8F DD 70 29 CF 87 7C 8A 0F 56 48 74  [X?????p)??|??VHt]
021293: *May  3 19:49:20.137: RADIUS:   57 98 F9 52 EE DA BD 03 18 C3 40 FE 76 61 27 A8  [W??R??????@?va'?]
021294: *May  3 19:49:20.137: RADIUS:   22 FC FC C7 38 BC 54 AB 13 EF 17 67 9A 70 50 66  ["???8?T????g?pPf]
021295: *May  3 19:49:20.137: RADIUS:  Message-Authenticato[80]  18
021296: *May  3 19:49:20.137: RADIUS:   AA 39 44 4D CE BA 94 2B A4 A3 D7 50 46 E7 97 6C  [?9DM???+???PF??l]
021297: *May  3 19:49:20.137: RADIUS(00000000): Received from id 1645/50
021298: *May  3 19:49:20.137: RADIUS(00000000): Unique id not in use
021299: *May  3 19:49:20.137: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

CSCeg03267    test aaa should support nthash to test local RADIUS server

This is an enhancement request and it's in NEW state.

symptom:test aaa command does not work with the local radius server

Further Problem Description

The "test aaa group radius" command cannot be used to test an entry in the local RADIUS user database, because password entries in the local user database are stored in NTHASH format.

   Example:

   router#test aaa group radius USERNAME PASSWORD new-code
   Trying to authenticate with Servergroup radius
   User rejected

NOTE FOR TESTING PURPOSES ONLY: as long as MAC authentication is allowed, the user can test logging in with these credentials for different EAP methods such as LEAP and EAP-FAST. If the command "no authentication mac" is used in the local radius server configuration, then these will fail as well.

On an access point, if the local radius username and password are the same, it does mac authentication instead of client authentication and will show the correct output

  AP#test aaa group radius Cisco Cisco new
  Trying to authenticate with Servergroup radius
  User successfully authenticated

The NT hash is simply a hash. The password is hashed by using the MD4 algorithm and stored.

Jatin Katyal

- Do rate helpful posts -

~Jatin

Jatin,

I am a little bit lost, looks like system works as designed.

coming back to my issue...

I want to have one username database (used by different devices accessing radius server)

do you think it is doable ?

my access points work fine with usernames, the problem is VPN user database which should be stored in my router, but it does not accept passwords...

could you send/upload the running config of the router.

also, run the radius debugs when you authenticate users from the access point.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Jatin, first of all - thanks for your time

below please find config:


C877W#sh run
Building configuration...

Current configuration : 12129 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname C877W
!
boot-start-marker
boot system flash:/c870-advipservicesk9-mz.124-24.T7.bin
boot-end-marker
!
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 151200
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa group server tacacs+ tac_admin
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa authorization exec exec_auth group rad_eap
aaa authorization network default local
aaa authorization network network_auth group rad_eap
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 3:00 last Sun Oct 4:00
!
crypto pki trustpoint TP-self-signed-32
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-32
revocation-check none
rsakeypair TP-self-signed-32
!
!
crypto pki certificate chain TP-self-signed-3274552524
certificate self-signed 01
   4A41B40C E59ED810 2B557A04 1FD1E4CC D94873B8 6F4C7F7C 01CA70D0 46D63A81 A4
        quit
no dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
!
ip dhcp pool HOME
   import all
   network 10.10.11.0 255.255.255.0
   default-router 10.10.11.1
   dns-server 10.10.11.1 62.233.233.233 87.204.204.204
   lease infinite
!
ip dhcp pool MON
   import all
   network 10.10.12.0 255.255.255.0
   dns-server 62.233.233.233
   default-router 10.10.12.1
   lease infinite
!
ip dhcp pool default
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 62.233.233.233
   lease infinite
!
ip dhcp pool DMZ
   import all
   network 10.10.13.0 255.255.255.0
   default-router 10.10.13.1
   dns-server 62.233.233.233
   lease infinite
!
ip dhcp pool GUESTS
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 62.233.233.233
   default-router 192.168.1.1
   lease infinite
!
!
!
ip cef
no ip bootp server
ip host abc.de 10.10.10.99
ip name-server 8.8.8.8
no ip port-map x11 port tcp from 6000 to 6606  description X Window System
ip ips config location flash:/ips5/ retries 5 timeout 10
ip ips notify SDEE
no ip ips notify log
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!
ip inspect audit-trail
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 $1$xKVu$G55U3WdL..gEuKo97kiqv1
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
  key-string
   F3020301 0001
  quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ina12345
key easy
dns 10.10.10.1 8.8.8.8
wins 10.10.10.99
domain abc.de
pool VPN_POOL
save-password
max-users 20
crypto isakmp profile VPN_IPsec-ike-profile-1
   match identity group ina12345
   client authentication list eap_methods
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_IPsec
set transform-set ESP-3DES-SHA
set isakmp-profile VPN_IPsec-ike-profile-1
!
!
crypto ctcp
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
zone security VPN
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.2 point-to-point
description $FW_OUTSIDE$$ES_WAN$
no ip redirects
no ip unreachables
ip flow ingress
pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface FastEthernet0
description trunk
switchport mode trunk
!
interface FastEthernet1
switchport mode trunk
!
interface FastEthernet2
!
interface FastEthernet3
switchport mode trunk
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer1
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN_IPsec
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
shutdown
!
encryption mode ciphers tkip
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description default$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface Vlan11
description HOME$FW_INSIDE$
ip address 10.10.11.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface Vlan13
description DMZ$FW_DMZ$
ip address 10.10.13.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface Vlan14
description GUESTS$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname bb@abc.de
ppp chap password 7 00000000
!
ip local pool VPN_POOL 10.10.11.100 10.10.11.110
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-cache timeout active 1
ip flow-export version 5
!
ip dns server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source list 11 interface Dialer1 overload
ip nat inside source list 12 interface Dialer1 overload
ip nat inside source list 13 interface Dialer1 overload
ip nat inside source list 14 interface Dialer1 overload
!
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
!
logging trap debugging
logging 10.10.10.1
access-list 10 remark NAT - DEFAULT
access-list 10 remark SDM_ACL Category=2
access-list 10 remark NAT for DEFAULT VLAN
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny   any
access-list 11 remark NAT - HOME
access-list 11 remark SDM_ACL Category=2
access-list 11 remark NAT for HOME VLAN
access-list 11 permit 10.10.11.0 0.0.0.255
access-list 11 deny   any
access-list 12 remark NAT - MONITORING
access-list 12 remark SDM_ACL Category=2
access-list 12 remark NAT for MONITORING VLAN
access-list 12 permit 10.10.12.0 0.0.0.255
access-list 12 deny   any
access-list 13 remark NAT - DMZ
access-list 13 remark SDM_ACL Category=2
access-list 13 remark NAT for DMZ VLAN
access-list 13 permit 10.10.13.0 0.0.0.255
access-list 13 deny   any
access-list 14 remark NAT - GUESTS
access-list 14 remark SDM_ACL Category=2
access-list 14 remark NAT for GUESTS VLAN
access-list 14 permit 192.168.1.0 0.0.0.255
access-list 14 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip any host 88.88.88.88
no cdp run

!
!
!
!
radius-server local
nas 10.10.10.3 key 7 9999999999
nas 10.10.10.1 key 7 9999999999
user tester nthash 7 8888888888888888881537592F260888888888888
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key 7 0088888888888888
radius-server vsa send accounting
!
control-plane
!
banner exec ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
% Password expiration warning.
-----------------------------------------------------------------------

nice, huh ?

-----------------------------------------------------------------------
^C
banner login ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
speed 115200
line aux 0
transport output telnet
line vty 0 4
exec-timeout 0 0
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 150.254.183.15 prefer source Dialer1
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.4.1012-k9.pkg sequence 1
end

C877W#

and now radius log (AP connection)

023096: *May  3 22:04:53.261: RADSRV 10.10.10.3< Code 11 Id 11 Len 118
023097: *May  3 22:04:53.261:   Auth 2BB02B72 C3B4A406 9872A3B0 C51500F6
023098: *May  3 22:04:53.261:   79 - 01 05 00 16 11 01 00 08 6B 58 60 E9 36 73 DF C5 74 65 73 74 65 72
023099: *May  3 22:04:53.261:   27 - 00 00 00 0A
023100: *May  3 22:04:53.261:   24 - 6B 58 60 E9 36 73 DF C5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 69 14 79 53 0C 48 EB 2E 25 9C A2 5A 99 F8 36 1F
023101: *May  3 22:04:53.265:   80 - E5 C3 89 63 AD 19 56 8D D5 4D 81 01 B2 BB 91 4F
023102: *May  3 22:04:53.297: RADSRV 10.10.10.3< Code 11 Id 12 Len 94
023103: *May  3 22:04:53.297:   Auth 5D898246 A16DAC0D 7C191310 C5211AB
023104: *May  3 22:04:53.297:   79 - 03 05 00 04
023105: *May  3 22:04:53.297:   24 - 6B 58 60 E9 36 73 DF C5 C8 5C 66 7D C5 B4 36 50 6A CD A6 BA C1 B0 91 D9 23 83 44 19 D9 DB 25 2B B3 16 53 F8 5A A1 DE D2 3D 02 C6 F7 2B FC 0D 15
023106: *May  3 22:04:53.297:   80 - 99 AE 30 E6 DE 66 80 3B F6 3A 38 57 83 89 14 4A
023107: *May  3 22:04:53.317: RADSRV 10.10.10.3< Code 2 Id 13 Len 187
023108: *May  3 22:04:53.317:   Auth E4B44E7B 8297ECC5 6BF8FA20 A7F86204
023109: *May  3 22:04:53.317:   79 - 02 05 00 26 11 01 00 18 D4 6A 12 47 26 EE 54 49 FC B3 C2 CC 3C C3 C8 01 91 8F 37 1E E3 19 7B C1 74 65 73 74 65 72
023110: *May  3 22:04:53.317:   26 9 -
023111: *May  3 22:04:53.317:     1 - 6C 65 61 70 3A 73 65 73 73 69 6F 6E 2D 6B 65 79 3D 29 51 AF 0E 4B DC D6 A6 26 47 CD 32 0F 59 4B 6D 40 DE 0B 7A 12 A2 B2 B9 DD B5 0A A5 14 36 EA D3 2C A2
023112: *May  3 22:04:53.321:   24 - 6B 58 60 E9 36 73 DF C5 C8 5C 66 7D C5 B4 36 50 6A CD A6 BA C1 B0 91 D9 23 83 44 19 D9 DB 25 2B B3 16 53 F8 5A A1 DE D2 3D 02 C6 F7 2B FC 0D 15
023113: *May  3 22:04:53.321:   80 - 1D AC 23 BF 52 80 01 5B 4D A8 28 AD E6 DB C5 B6

C877W#
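Added example (not part of any post in this thread, and not Cisco code): a Python script that reads the RADIUS debug lines posted above and reports which authentication method each exchange carried, by decoding the EAP-Message (attribute 79) bytes and by spotting the User-Password (attribute 2) line. The sample lines are copied from the two captures in the thread; the function names `parse_eap`, `analyse` and `auth_methods` are hypothetical.

```python
import re

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 43: "EAP-FAST"}

# Lines copied from the access-point capture in the thread (other attributes omitted).
AP_LOG = """\
023096: *May  3 22:04:53.261: RADSRV 10.10.10.3< Code 11 Id 11 Len 118
023098: *May  3 22:04:53.261:   79 - 01 05 00 16 11 01 00 08 6B 58 60 E9 36 73 DF C5 74 65 73 74 65 72
023102: *May  3 22:04:53.297: RADSRV 10.10.10.3< Code 11 Id 12 Len 94
023104: *May  3 22:04:53.297:   79 - 03 05 00 04
023107: *May  3 22:04:53.317: RADSRV 10.10.10.3< Code 2 Id 13 Len 187
023109: *May  3 22:04:53.317:   79 - 02 05 00 26 11 01 00 18 D4 6A 12 47 26 EE 54 49 FC B3 C2 CC 3C C3 C8 01 91 8F 37 1E E3 19 7B C1 74 65 73 74 65 72
"""

# Lines copied from the "test aaa ... legacy" capture in the thread.
TEST_AAA_LOG = """\
020753: *May  3 18:29:46.953: RADIUS:  User-Name           [1]   8   "tester"
020754: *May  3 18:29:46.953: RADIUS:  User-Password       [2]   18  *
020756: *May  3 18:29:46.957: RADSRV: Client tester password failed
020757: *May  3 18:29:46.957: RADSRV 10.10.10.1< Code 3 Id 30 Len 88
"""

PREFIX = re.compile(r"^\d+: \*\w+\s+\d+ [\d:.]+: ?")            # sequence number + timestamp
SRV_HDR = re.compile(r"^RADSRV (\S+)< Code (\d+) Id (\d+) Len (\d+)")
SRV_ATTR = re.compile(r"^\s*(\d+) - ((?:[0-9A-Fa-f]{2}\s?)+)$")  # "<attr> - <hex bytes>"
CLI_ATTR = re.compile(r"^RADIUS:\s+\S+\s+\[(\d+)\]")             # "RADIUS:  Name  [n]"


def parse_eap(data):
    """Decode the EAP header (RFC 3748) and, for Identity/LEAP, the user name."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, length = data[0], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes captured")
    if code not in (1, 2):                        # Success/Failure carry no type byte
        return f"EAP-{EAP_CODES.get(code, code)}", None
    if length < 5:
        raise ValueError("EAP Request/Response without a type byte")
    eap_type = data[4]
    method, identity = EAP_TYPES.get(eap_type, f"EAP type {eap_type}"), None
    if eap_type == 1:                             # Identity: the rest is the name
        identity = data[5:].decode("ascii", "replace")
    elif eap_type == 17 and length >= 8:          # LEAP: version, unused, count, data, name
        count = data[7]
        if 8 + count > length:
            raise ValueError("LEAP count field runs past the packet")
        identity = data[8 + count:].decode("ascii", "replace")
    return method, identity


def analyse(log_text):
    """Return (radius_packet, method, identity) for each packet seen in the debug text."""
    packets, current = [], None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw.rstrip())
        if m := SRV_HDR.match(line):
            current = {"radius": RADIUS_CODES.get(int(m[2]), f"code {m[2]}"), "eap": b"", "method": None}
            packets.append(current)
        elif (m := SRV_ATTR.match(line)) and current is not None and m[1] == "79":
            current["eap"] += bytes.fromhex(m[2])  # EAP-Message may span several attributes
        elif (m := CLI_ATTR.match(line)) and m[1] == "2":
            # User-Password in the request means a PAP-style login, not EAP.
            current = None
            packets.append({"radius": "Access-Request", "eap": b"", "method": "PAP"})
    results = []
    for p in packets:
        method, identity = parse_eap(p["eap"]) if p["eap"] else (p["method"], None)
        results.append((p["radius"], method, identity))
    return results


def auth_methods(log_text):
    """Authentication methods presented to the server, e.g. ['LEAP'] or ['PAP']."""
    return sorted({m for _, m, _ in analyse(log_text) if m and m not in ("EAP-Success", "EAP-Failure")})


if __name__ == "__main__":
    for name, log in (("access point", AP_LOG), ("test aaa", TEST_AAA_LOG)):
        print(name, "->", auth_methods(log))
        for packet in analyse(log):
            print("   ", packet)
```

On these captures the access-point exchange decodes as EAP type 17 (LEAP) for user "tester" and ends in Access-Accept, while the `test aaa` request carries User-Password and is answered with Access-Reject.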

the radius debugs for AP authentication are hard to analyse.

What is the authentication type while authenticating through the AP? LEAP, EAP-FAST or MAC authentication?

Are you using the same credentials for AP and VPN authentication?

Jatin Katyal


- Do rate helpful posts -

~Jatin

Also, try this:

debug radius local-server client

Use the client option to display error messages related to failed client authentications.

Now try to duplicate the issue with authentication to AP.

Jatin Katyal


- Do rate helpful posts -

~Jatin

hi Jatin,

LEAP is an authentication type.

all users coming from AP devices are authenticated without any problem.

the same credentials I try to apply for VPN connection - as you can see no success.

below radius log (VPN connection)

C877W#debug radius loc c
Radius server client failures debugging is on
C877W#debug radius loc p
Radius server packet debugging is on
C877W#debug radius loc e
% Ambiguous command:  "debug radius loc e"
C877W#debug radius loc err
Radius server error debugging is on
C877W#term mon
C877W#
022473: *May  3 21:39:43.291: ISAKMP (0): received packet from 178.182.46.59 dport 500 sport 500 Global (N) NEW SA
022474: *May  3 21:39:43.291: ISAKMP: Created a peer struct for 178.182.46.59, peer port 500
022475: *May  3 21:39:43.295: ISAKMP: New peer created peer = 0x84A6ABDC peer_handle = 0x80000018
022476: *May  3 21:39:43.295: ISAKMP: Locking peer struct 0x84A6ABDC, refcount 1 for crypto_isakmp_process_block
022477: *May  3 21:39:43.295: ISAKMP: local port 500, remote port 500
022478: *May  3 21:39:43.295: ISAKMP:(0):insert sa successfully sa = 84A65BB8
022479: *May  3 21:39:43.295: ISAKMP:(0): processing SA payload. message ID = 0
022480: *May  3 21:39:43.295: ISAKMP:(0): processing ID payload. message ID = 0
022481: *May  3 21:39:43.295: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : ina12345
        protocol     : 0
        port         : 0
        length       : 16
022482: *May  3 21:39:43.295: ISAKMP:(0):: peer matches VPN_IPsec-ike-profile-1 profile
022483: *May  3 21:39:43.295: ISAKMP:(0):Setting client config settings 860E26F4
022484: *May  3 21:39:43.295: ISAKMP:(0):(Re)Setting client xauth list  and state
022485: *May  3 21:39:43.295: ISAKMP/xauth: initializing AAA request
022486: *May  3 21:39:43.295: ISAKMP:(0): processing vendor id payload
022487: *May  3 21:39:43.295: ISAKMP:(0): processing IKE frag vendor id payload
022488: *May  3 21:39:43.299: ISAKMP:(0):Support for IKE Fragmentation not enabled
022489: *May  3 21:39:43.299: ISAKMP:(0): processing vendor id payload
022490: *May  3 21:39:43.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
022491: *May  3 21:39:43.299: ISAKMP (0): vendor ID is NAT-T RFC 3947
022492: *May  3 21:39:43.299: ISAKMP:(0): processing vendor id payload
022493: *May  3 21:39:43.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
022494: *May  3 21:39:43.299: ISAKMP:(0): processing vendor id payload
022495: *May  3 21:39:43.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
022496: *May  3 21:39:43.299: ISAKMP:(0): processing vendor id payload
022497: *May  3 21:39:43.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
022498: *May  3 21:39:43.299: ISAKMP (0): vendor ID is NAT-T v7
022499: *May  3 21:39:43.299: ISAKMP:(0): processing vendor id payload
022500: *May  3 21:39:43.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
022501: *May  3 21:39:43.299: ISAKMP:(0): processing vendor id payload
022502: *May  3 21:39:43.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
022503: *May  3 21:39:43.299: ISAKMP:(0): processing vendor id payload
022504: *May  3 21:39:43.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
022505: *May  3 21:39:43.299: ISAKMP:(0): processing vendor id payload
022506: *May  3 21:39:43.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
022507: *May  3 21:39:43.299: ISAKMP:(0): vendor ID is NAT-T v3
022508: *May  3 21:39:43.299: ISAKMP:(0): processing vendor id payload
022509: *May  3 21:39:43.303: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
022510: *May  3 21:39:43.303: ISAKMP:(0): processing vendor id payload
022511: *May  3 21:39:43.303: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
022512: *May  3 21:39:43.303: ISAKMP:(0): vendor ID is NAT-T v2
022513: *May  3 21:39:43.303: ISAKMP:(0): processing vendor id payload
022514: *May  3 21:39:43.303: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
022515: *May  3 21:39:43.303: ISAKMP:(0): vendor ID is XAUTH
022516: *May  3 21:39:43.303: ISAKMP:(0): processing vendor id payload
022517: *May  3 21:39:43.303: ISAKMP:(0): vendor ID is Unity
022518: *May  3 21:39:43.303: ISAKMP:(0): processing vendor id payload
022519: *May  3 21:39:43.303: ISAKMP:(0): vendor ID is DPD
022520: *May  3 21:39:43.303: ISAKMP:(0): Authentication by xauth preshared
022521: *May  3 21:39:43.303: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
022522: *May  3 21:39:43.303: ISAKMP:      life type in seconds
022523: *May  3 21:39:43.303: ISAKMP:      life duration (basic) of 3600
022524: *May  3 21:39:43.303: ISAKMP:      encryption AES-CBC
022525: *May  3 21:39:43.303: ISAKMP:      keylength of 256
022526: *May  3 21:39:43.303: ISAKMP:      auth XAUTHInitPreShared
022527: *May  3 21:39:43.303: ISAKMP:      hash SHA
022528: *May  3 21:39:43.303: ISAKMP:      default group 2
022529: *May  3 21:39:43.303: ISAKMP:(0):Encryption algorithm offered does not match policy!
022530: *May  3 21:39:43.303: ISAKMP:(0):atts are not acceptable. Next payload is 3
022531: *May  3 21:39:43.303: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
022532: *May  3 21:39:43.303: ISAKMP:      life type in seconds
022533: *May  3 21:39:43.307: ISAKMP:      life duration (basic) of 3600
022534: *May  3 21:39:43.307: ISAKMP:      encryption AES-CBC
022535: *May  3 21:39:43.307: ISAKMP:      keylength of 128
022536: *May  3 21:39:43.307: ISAKMP:      auth XAUTHInitPreShared
022537: *May  3 21:39:43.307: ISAKMP:      hash SHA
022538: *May  3 21:39:43.307: ISAKMP:      default group 2
022539: *May  3 21:39:43.307: ISAKMP:(0):Encryption algorithm offered does not match policy!
022540: *May  3 21:39:43.307: ISAKMP:(0):atts are not acceptable. Next payload is 3
022541: *May  3 21:39:43.307: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
022542: *May  3 21:39:43.307: ISAKMP:      life type in seconds
022543: *May  3 21:39:43.307: ISAKMP:      life duration (basic) of 3600
022544: *May  3 21:39:43.307: ISAKMP:      encryption AES-CBC
022545: *May  3 21:39:43.307: ISAKMP:      keylength of 256
022546: *May  3 21:39:43.307: ISAKMP:      auth XAUTHInitPreShared
022547: *May  3 21:39:43.307: ISAKMP:      hash MD5
022548: *May  3 21:39:43.307: ISAKMP:      default group 2
022549: *May  3 21:39:43.307: ISAKMP:(0):Encryption algorithm offered does not match policy!
022550: *May  3 21:39:43.307: ISAKMP:(0):atts are not acceptable. Next payload is 3
022551: *May  3 21:39:43.307: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
022552: *May  3 21:39:43.307: ISAKMP:      life type in seconds
022553: *May  3 21:39:43.307: ISAKMP:      life duration (basic) of 3600
022554: *May  3 21:39:43.307: ISAKMP:      encryption AES-CBC
022555: *May  3 21:39:43.307: ISAKMP:      keylength of 128
022556: *May  3 21:39:43.307: ISAKMP:      auth XAUTHInitPreShared
022557: *May  3 21:39:43.311: ISAKMP:      hash MD5
022558: *May  3 21:39:43.311: ISAKMP:      default group 2
022559: *May  3 21:39:43.311: ISAKMP:(0):Encryption algorithm offered does not match policy!
022560: *May  3 21:39:43.311: ISAKMP:(0):atts are not acceptable. Next payload is 3
022561: *May  3 21:39:43.311: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
022562: *May  3 21:39:43.311: ISAKMP:      life type in seconds
022563: *May  3 21:39:43.311: ISAKMP:      life duration (basic) of 3600
022564: *May  3 21:39:43.311: ISAKMP:      encryption 3DES-CBC
022565: *May  3 21:39:43.311: ISAKMP:      auth XAUTHInitPreShared
022566: *May  3 21:39:43.311: ISAKMP:      hash SHA
022567: *May  3 21:39:43.311: ISAKMP:      default group 2
022568: *May  3 21:39:43.311: ISAKMP:(0):atts are acceptable. Next payload is 3
022569: *May  3 21:39:43.311: ISAKMP:(0):Acceptable atts:actual life: 86400
022570: *May  3 21:39:43.311: ISAKMP:(0):Acceptable atts:life: 0
022571: *May  3 21:39:43.315: ISAKMP:(0):Basic life_in_seconds:3600
022572: *May  3 21:39:43.315: ISAKMP:(0):Returning Actual lifetime: 3600
022573: *May  3 21:39:43.315: ISAKMP:(0)::Started lifetime timer: 3600.

022574: *May  3 21:39:43.315: ISAKMP:(0): processing KE payload. message ID = 0
022575: *May  3 21:39:43.363: ISAKMP:(0): processing NONCE payload. message ID = 0
022576: *May  3 21:39:43.363: ISAKMP (0): vendor ID is NAT-T RFC 3947
022577: *May  3 21:39:43.363: ISAKMP (0): vendor ID is NAT-T v7
022578: *May  3 21:39:43.363: ISAKMP:(0): vendor ID is NAT-T v3
022579: *May  3 21:39:43.363: ISAKMP:(0): vendor ID is NAT-T v2
022580: *May  3 21:39:43.363: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
022581: *May  3 21:39:43.367: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

022582: *May  3 21:39:43.367: ISAKMP:(2013): constructed NAT-T vendor-rfc3947 ID
022583: *May  3 21:39:43.367: ISAKMP:(2013):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
022584: *May  3 21:39:43.367: ISAKMP (2013): ID payload
        next-payload : 10
        type         : 1
        address      : 88.88.88.88
        protocol     : 0
        port         : 0
        length       : 12
022585: *May  3 21:39:43.367: ISAKMP:(2013):Total payload length: 12
022586: *May  3 21:39:43.371: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 500 peer_port 500 (R) AG_INIT_EXCH
022587: *May  3 21:39:43.371: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022588: *May  3 21:39:43.371: ISAKMP:(2013):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
022589: *May  3 21:39:43.371: ISAKMP:(2013):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

022590: *May  3 21:39:44.211: ISAKMP (2013): received packet from 178.182.46.59 dport 4500 sport 4500 Global (R) AG_INIT_EXCH
022591: *May  3 21:39:44.211: ISAKMP:(2013): processing HASH payload. message ID = 0
022592: *May  3 21:39:44.215: ISAKMP:received payload type 20
022593: *May  3 21:39:44.215: ISAKMP (2013): His hash no match - this node outside NAT
022594: *May  3 21:39:44.215: ISAKMP:received payload type 20
022595: *May  3 21:39:44.215: ISAKMP (2013): His hash no match - this node outside NAT
022596: *May  3 21:39:44.215: ISAKMP:(2013): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 84A65BB8
022597: *May  3 21:39:44.215: ISAKMP:(2013):SA authentication status:
        authenticated
022598: *May  3 21:39:44.215: ISAKMP:(2013):SA has been authenticated with 178.182.46.59
022599: *May  3 21:39:44.215: ISAKMP:(2013):Detected port,floating to port = 4500
022600: *May  3 21:39:44.215: ISAKMP: Trying to find existing peer 88.88.88.88/178.182.46.59/4500/
022601: *May  3 21:39:44.215: ISAKMP:(2013):SA authentication status:
        authenticated
022602: *May  3 21:39:44.215: ISAKMP:(2013): Process initial contact,
bring down existing phase 1 and 2 SA's with local 88.88.88.88 remote 178.182.46.59 remote port 4500
022603: *May  3 21:39:44.215: ISAKMP:(2013):returning IP addr to the address pool
022604: *May  3 21:39:44.215: ISAKMP: Trying to insert a peer 88.88.88.88/178.182.46.59/4500/,  and inserted successfully 84A6ABDC.
022605: *May  3 21:39:44.219: ISAKMP:(2013):Returning Actual lifetime: 3600
022606: *May  3 21:39:44.219: ISAKMP: set new node 1853025393 to CONF_XAUTH
022607: *May  3 21:39:44.219: ISAKMP:(2013):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 2220717296, message ID = 1853025393
022608: *May  3 21:39:44.219: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) QM_IDLE
022609: *May  3 21:39:44.219: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022610: *May  3 21:39:44.219: ISAKMP:(2013):purging node 1853025393
022611: *May  3 21:39:44.219: ISAKMP: Sending phase 1 responder lifetime 3600

022612: *May  3 21:39:44.219: ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
022613: *May  3 21:39:44.219: ISAKMP:(2013):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

022614: *May  3 21:39:44.223: ISAKMP:(2013):Need XAUTH
022615: *May  3 21:39:44.223: ISAKMP: set new node -939166725 to CONF_XAUTH
022616: *May  3 21:39:44.223: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
022617: *May  3 21:39:44.223: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
022618: *May  3 21:39:44.223: ISAKMP:(2013): initiating peer config to 178.182.46.59. ID = -939166725
022619: *May  3 21:39:44.227: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022620: *May  3 21:39:44.227: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022621: *May  3 21:39:44.227: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
022622: *May  3 21:39:44.227: ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

022623: *May  3 21:39:59.231: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -939166725 ...
022624: *May  3 21:39:59.231: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
022625: *May  3 21:39:59.231: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
022626: *May  3 21:39:59.231: ISAKMP:(2013): retransmitting phase 2 -939166725 CONF_XAUTH
022627: *May  3 21:39:59.231: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022628: *May  3 21:39:59.231: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022629: *May  3 21:40:14.234: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -939166725 ...
022630: *May  3 21:40:14.234: ISAKMP (2013): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
022631: *May  3 21:40:14.234: ISAKMP (2013): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
022632: *May  3 21:40:14.234: ISAKMP:(2013): retransmitting phase 2 -939166725 CONF_XAUTH
022633: *May  3 21:40:14.234: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022634: *May  3 21:40:14.234: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022635: *May  3 21:40:16.311: ISAKMP (2013): received packet from 178.182.46.59 dport 4500 sport 4500 Global (R) CONF_XAUTH
022636: *May  3 21:40:16.311: ISAKMP:(2013):processing transaction payload from 178.182.46.59. message ID = -939166725
022637: *May  3 21:40:16.311: ISAKMP: Config payload REPLY
022638: *May  3 21:40:16.311: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
022639: *May  3 21:40:16.311: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
022640: *May  3 21:40:16.315: ISAKMP:(2013):deleting node -939166725 error FALSE reason "Done with xauth request/reply exchange"
022641: *May  3 21:40:16.315: ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
022642: *May  3 21:40:16.315: ISAKMP:(2013):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

022643: *May  3 21:40:16.315: RADIUS/ENCODE(0000053F):Orig. component type = VPN_IPSEC
022644: *May  3 21:40:16.315: RADIUS:  AAA Unsupported Attr: interface         [175] 12
022645: *May  3 21:40:16.315: RADIUS:   37 37 2E 32 35 33 2E 32 31 36                    [77.253.216]
022646: *May  3 21:40:16.315: RADIUS/ENCODE(0000053F): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
022647: *May  3 21:40:16.315: RADIUS(0000053F): Config NAS IP: 0.0.0.0
022648: *May  3 21:40:16.315: RADIUS/ENCODE(0000053F): acct_session_id: 1343
022649: *May  3 21:40:16.315: RADIUS(0000053F): Config NAS IP: 0.0.0.0
022650: *May  3 21:40:16.315: RADIUS(0000053F): sending
022651: *May  3 21:40:16.319: RADIUS/ENCODE: Best Local IP-Address 10.10.10.1 for Radius-Server 10.10.10.1
022652: *May  3 21:40:16.319: RADIUS(0000053F): Send Access-Request to 10.10.10.1:1812 id 1645/53, len 101
022653: *May  3 21:40:16.319: RADIUS:  authenticator DF 34 EE 2D 7E 87 AD 6F - 69 CE 15 C4 3D 26 86 27
022654: *May  3 21:40:16.319: RADIUS:  User-Name           [1]   9   "xxxxxx"
022655: *May  3 21:40:16.319: RADIUS:  User-Password       [2]   18  *
022656: *May  3 21:40:16.319: RADIUS:  Calling-Station-Id  [31]  15  "178.182.46.59"
022657: *May  3 21:40:16.319: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
022658: *May  3 21:40:16.319: RADIUS:  NAS-Port            [5]   6   2
022659: *May  3 21:40:16.319: RADIUS:  NAS-Port-Id         [87]  14  "88.88.88.88"
022660: *May  3 21:40:16.319: RADIUS:  NAS-IP-Address      [4]   6   10.10.10.1
022661: *May  3 21:40:16.319: RADIUS:  Nas-Identifier      [32]  7   "C877W"
022662: *May  3 21:40:16.323: RADSRV: Client xxxxxx password failed
022663: *May  3 21:40:16.323: RADSRV 10.10.10.1< Code 3 Id 35 Len 88
022664: *May  3 21:40:16.323:   Auth 7B33349A A96418D7 99BFB34C 436EEC87
022665: *May  3 21:40:16.323:   24 - 8A 3D 23 56 12 5F 8D 19 C2 9C 8B C5 FA E1 90 08 E5 86 D4 8E 42 1B 20 76 A5 8C 19 D9 7E 18 3C E6 62 07 96 13 5C 7B F7 90 56 03 F4 45 AF E4 37 40
022666: *May  3 21:40:16.323:   80 - 90 4E F0 92 C7 B4 9D 7B 6D AC 19 1C 0A 74 4B 78
022667: *May  3 21:40:16.327: RADIUS: Received from id 1645/53 10.10.10.1:1812, Access-Reject, len 88
022668: *May  3 21:40:16.327: RADIUS:  authenticator 7B 33 34 9A A9 64 18 D7 - 99 BF B3 4C 43 6E EC 87
022669: *May  3 21:40:16.327: RADIUS:  State               [24]  50
022670: *May  3 21:40:16.327: RADIUS:   8A 3D 23 56 12 5F 8D 19 C2 9C 8B C5 FA E1 90 08  [?=#V?_??????????]
022671: *May  3 21:40:16.327: RADIUS:   E5 86 D4 8E 42 1B 20 76 A5 8C 19 D9 7E 18 3C E6  [????B? v????~?<?]
022672: *May  3 21:40:16.327: RADIUS:   62 07 96 13 5C 7B F7 90 56 03 F4 45 AF E4 37 40  [b???\{??V??E??7@]
022673: *May  3 21:40:16.331: RADIUS:  Message-Authenticato[80]  18
022674: *May  3 21:40:16.331: RADIUS:   90 4E F0 92 C7 B4 9D 7B 6D AC 19 1C 0A 74 4B 78  [?N?????{m????tKx]
022675: *May  3 21:40:16.331: RADIUS(0000053F): Received from id 1645/53
022676: *May  3 21:40:16.331: ISAKMP: set new node -333886752 to CONF_XAUTH
022677: *May  3 21:40:16.331: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
022678: *May  3 21:40:16.331: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
022679: *May  3 21:40:16.335: ISAKMP:(2013): initiating peer config to 178.182.46.59. ID = -333886752
022680: *May  3 21:40:16.335: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022681: *May  3 21:40:16.335: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022682: *May  3 21:40:16.335: ISAKMP:(2013):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
022683: *May  3 21:40:16.335: ISAKMP:(2013):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_REQ_SENT

022684: *May  3 21:40:31.338: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -333886752 ...
022685: *May  3 21:40:31.338: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
022686: *May  3 21:40:31.338: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
022687: *May  3 21:40:31.338: ISAKMP:(2013): retransmitting phase 2 -333886752 CONF_XAUTH
022688: *May  3 21:40:31.338: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022689: *May  3 21:40:31.338: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022690: *May  3 21:40:46.338: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -333886752 ...
022691: *May  3 21:40:46.338: ISAKMP (2013): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
022692: *May  3 21:40:46.338: ISAKMP (2013): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
022693: *May  3 21:40:46.338: ISAKMP:(2013): retransmitting phase 2 -333886752 CONF_XAUTH
022694: *May  3 21:40:46.338: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022695: *May  3 21:40:46.338: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022696: *May  3 21:41:01.342: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -333886752 ...
022697: *May  3 21:41:01.342: ISAKMP (2013): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
022698: *May  3 21:41:01.342: ISAKMP (2013): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
022699: *May  3 21:41:01.342: ISAKMP:(2013): retransmitting phase 2 -333886752 CONF_XAUTH
022700: *May  3 21:41:01.342: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022701: *May  3 21:41:01.342: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022702: *May  3 21:41:16.345: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -333886752 ...
022703: *May  3 21:41:16.345: ISAKMP (2013): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
022704: *May  3 21:41:16.345: ISAKMP (2013): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
022705: *May  3 21:41:16.345: ISAKMP:(2013): retransmitting phase 2 -333886752 CONF_XAUTH
022706: *May  3 21:41:16.345: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022707: *May  3 21:41:16.345: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022708: *May  3 21:41:27.208: Telnet4: 1 1 251 1
022709: *May  3 21:41:27.208: TCP4: Telnet sent WILL ECHO (1)
022710: *May  3 21:41:27.208: Telnet4: 2 2 251 3
022711: *May  3 21:41:27.208: TCP4: Telnet sent WILL SUPPRESS-GA (3)
022712: *May  3 21:41:27.212: Telnet4: 80000 80000 253 24
022713: *May  3 21:41:27.212: TCP4: Telnet sent DO TTY-TYPE (24)
022714: *May  3 21:41:27.212: Telnet4: 10000000 10000000 253 31
022715: *May  3 21:41:27.212: TCP4: Telnet sent DO WINDOW-SIZE (31)
022716: *May  3 21:41:27.220: TCP4: Telnet received DO ECHO (1)
022717: *May  3 21:41:27.220: TCP4: Telnet received DO SUPPRESS-GA (3)
022718: *May  3 21:41:27.220: TCP4: Telnet received WILL TTY-TYPE (24)
022719: *May  3 21:41:27.220: Telnet4: Sent SB 24 1
022720: *May  3 21:41:27.220: TCP4: Telnet received WILL WINDOW-SIZE (31)
022721: *May  3 21:41:27.224: TCP4: Telnet received WILL SUPPRESS-GA (3)
022722: *May  3 21:41:27.224: TCP4: Telnet sent DO SUPPRESS-GA (3)
022723: *May  3 21:41:27.224: TCP4: Telnet received WILL X-DISPLAY (35) (refused)
022724: *May  3 21:41:27.224: TCP4: Telnet sent DONT X-DISPLAY (35)
022725: *May  3 21:41:27.224: TCP4: Telnet received DO STATUS (5)
022726: *May  3 21:41:27.224: TCP4: Telnet sent WONT STATUS (5) (unimplemented)
022727: *May  3 21:41:27.224: Telnet4: recv SB NAWS 116 46
022728: *May  3 21:41:27.228: Telnet4: recv SB 24 0 vt220
022729: *May  3 21:41:31.345: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -333886752 ...
022730: *May  3 21:41:31.345: ISAKMP (2013): incrementing error counter on node, attempt 5 of 5: retransmit phase 2
022731: *May  3 21:41:31.345: ISAKMP (2013): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
022732: *May  3 21:41:31.345: ISAKMP:(2013): retransmitting phase 2 -333886752 CONF_XAUTH
022733: *May  3 21:41:31.345: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022734: *May  3 21:41:31.345: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022735: *May  3 21:41:34.497: %SYS-5-CONFIG_I: Configured from console by admin on vty2 (10.10.11.10)
022736: *May  3 21:41:46.348: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -333886752 ...
022737: *May  3 21:41:46.348: ISAKMP:(2013):deleting node -333886752 error TRUE reason "Phase 2 err count exceeded"
022738: *May  3 21:42:02.032: ISAKMP (0): received packet from 178.182.46.59 dport 500 sport 500 Global (N) NEW SA
022739: *May  3 21:42:02.036: ISAKMP: Created a peer struct for 178.182.46.59, peer port 500
022740: *May  3 21:42:02.036: ISAKMP: New peer created peer = 0x855D1574 peer_handle = 0x8000001A
022741: *May  3 21:42:02.036: ISAKMP: Locking peer struct 0x855D1574, refcount 1 for crypto_isakmp_process_block
022742: *May  3 21:42:02.036: ISAKMP: local port 500, remote port 500
022743: *May  3 21:42:02.036: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 84F16874
022744: *May  3 21:42:02.036: ISAKMP:(0): processing SA payload. message ID = 0
022745: *May  3 21:42:02.036: ISAKMP:(0): processing ID payload. message ID = 0
022746: *May  3 21:42:02.036: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : ina12345
        protocol     : 0
        port         : 0
        length       : 16
022747: *May  3 21:42:02.036: ISAKMP:(0):: peer matches VPN_IPsec-ike-profile-1 profile
022748: *May  3 21:42:02.036: ISAKMP:(0):Setting client config settings 8451A3A0
022749: *May  3 21:42:02.036: ISAKMP:(0):(Re)Setting client xauth list  and state
022750: *May  3 21:42:02.036: ISAKMP/xauth: initializing AAA request
022751: *May  3 21:42:02.036: ISAKMP:(0): processing vendor id payload
022752: *May  3 21:42:02.040: ISAKMP:(0): processing IKE frag vendor id payload
022753: *May  3 21:42:02.040: ISAKMP:(0):Support for IKE Fragmentation not enabled
022754: *May  3 21:42:02.040: ISAKMP:(0): processing vendor id payload
022755: *May  3 21:42:02.040: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
022756: *May  3 21:42:02.040: ISAKMP (0): vendor ID is NAT-T RFC 3947
022757: *May  3 21:42:02.040: ISAKMP:(0): processing vendor id payload
022758: *May  3 21:42:02.040: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
022759: *May  3 21:42:02.040: ISAKMP:(0): processing vendor id payload
022760: *May  3 21:42:02.040: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
022761: *May  3 21:42:02.040: ISAKMP:(0): processing vendor id payload
022762: *May  3 21:42:02.040: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
022763: *May  3 21:42:02.040: ISAKMP (0): vendor ID is NAT-T v7
022764: *May  3 21:42:02.040: ISAKMP:(0): processing vendor id payload
022765: *May  3 21:42:02.040: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
022766: *May  3 21:42:02.040: ISAKMP:(0): processing vendor id payload
022767: *May  3 21:42:02.040: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
022768: *May  3 21:42:02.040: ISAKMP:(0): processing vendor id payload
022769: *May  3 21:42:02.040: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
022770: *May  3 21:42:02.040: ISAKMP:(0): processing vendor id payload
022771: *May  3 21:42:02.040: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
022772: *May  3 21:42:02.040: ISAKMP:(0): vendor ID is NAT-T v3
022773: *May  3 21:42:02.040: ISAKMP:(0): processing vendor id payload
022774: *May  3 21:42:02.044: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
022775: *May  3 21:42:02.044: ISAKMP:(0): processing vendor id payload
022776: *May  3 21:42:02.044: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
022777: *May  3 21:42:02.044: ISAKMP:(0): vendor ID is NAT-T v2
022778: *May  3 21:42:02.044: ISAKMP:(0): processing vendor id payload
022779: *May  3 21:42:02.044: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
022780: *May  3 21:42:02.044: ISAKMP:(0): vendor ID is XAUTH
022781: *May  3 21:42:02.044: ISAKMP:(0): processing vendor id payload
022782: *May  3 21:42:02.044: ISAKMP:(0): vendor ID is Unity
022783: *May  3 21:42:02.044: ISAKMP:(0): processing vendor id payload
022784: *May  3 21:42:02.044: ISAKMP:(0): vendor ID is DPD
022785: *May  3 21:42:02.044: ISAKMP:(0): Authentication by xauth preshared
022786: *May  3 21:42:02.044: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
022787: *May  3 21:42:02.044: ISAKMP:      life type in seconds
022788: *May  3 21:42:02.044: ISAKMP:      life duration (basic) of 3600
022789: *May  3 21:42:02.044: ISAKMP:      encryption AES-CBC
022790: *May  3 21:42:02.044: ISAKMP:      keylength of 256
022791: *May  3 21:42:02.044: ISAKMP:      auth XAUTHInitPreShared
022792: *May  3 21:42:02.044: ISAKMP:      hash SHA
022793: *May  3 21:42:02.044: ISAKMP:      default group 2
022794: *May  3 21:42:02.044: ISAKMP:(0):Encryption algorithm offered does not match policy!
022795: *May  3 21:42:02.044: ISAKMP:(0):atts are not acceptable. Next payload is 3
022796: *May  3 21:42:02.044: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
022797: *May  3 21:42:02.044: ISAKMP:      life type in seconds
022798: *May  3 21:42:02.048: ISAKMP:      life duration (basic) of 3600
022799: *May  3 21:42:02.048: ISAKMP:      encryption AES-CBC
022800: *May  3 21:42:02.048: ISAKMP:      keylength of 128
022801: *May  3 21:42:02.048: ISAKMP:      auth XAUTHInitPreShared
022802: *May  3 21:42:02.048: ISAKMP:      hash SHA
022803: *May  3 21:42:02.048: ISAKMP:      default group 2
022804: *May  3 21:42:02.048: ISAKMP:(0):Encryption algorithm offered does not match policy!
022805: *May  3 21:42:02.048: ISAKMP:(0):atts are not acceptable. Next payload is 3
022806: *May  3 21:42:02.048: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
022807: *May  3 21:42:02.048: ISAKMP:      life type in seconds
022808: *May  3 21:42:02.048: ISAKMP:      life duration (basic) of 3600
022809: *May  3 21:42:02.048: ISAKMP:      encryption AES-CBC
022810: *May  3 21:42:02.048: ISAKMP:      keylength of 256
022811: *May  3 21:42:02.048: ISAKMP:      auth XAUTHInitPreShared
022812: *May  3 21:42:02.048: ISAKMP:      hash MD5
022813: *May  3 21:42:02.048: ISAKMP:      default group 2
022814: *May  3 21:42:02.048: ISAKMP:(0):Encryption algorithm offered does not match policy!
022815: *May  3 21:42:02.048: ISAKMP:(0):atts are not acceptable. Next payload is 3
022816: *May  3 21:42:02.048: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
022817: *May  3 21:42:02.048: ISAKMP:      life type in seconds
022818: *May  3 21:42:02.048: ISAKMP:      life duration (basic) of 3600
022819: *May  3 21:42:02.048: ISAKMP:      encryption AES-CBC
022820: *May  3 21:42:02.048: ISAKMP:      keylength of 128
022821: *May  3 21:42:02.048: ISAKMP:      auth XAUTHInitPreShared
022822: *May  3 21:42:02.048: ISAKMP:      hash MD5
022823: *May  3 21:42:02.048: ISAKMP:      default group 2
022824: *May  3 21:42:02.048: ISAKMP:(0):Encryption algorithm offered does not match policy!
022825: *May  3 21:42:02.048: ISAKMP:(0):atts are not acceptable. Next payload is 3
022826: *May  3 21:42:02.052: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
022827: *May  3 21:42:02.052: ISAKMP:      life type in seconds
022828: *May  3 21:42:02.052: ISAKMP:      life duration (basic) of 3600
022829: *May  3 21:42:02.052: ISAKMP:      encryption 3DES-CBC
022830: *May  3 21:42:02.052: ISAKMP:      auth XAUTHInitPreShared
022831: *May  3 21:42:02.052: ISAKMP:      hash SHA
022832: *May  3 21:42:02.052: ISAKMP:      default group 2
022833: *May  3 21:42:02.052: ISAKMP:(0):atts are acceptable. Next payload is 3
022834: *May  3 21:42:02.052: ISAKMP:(0):Acceptable atts:actual life: 86400
022835: *May  3 21:42:02.052: ISAKMP:(0):Acceptable atts:life: 0
022836: *May  3 21:42:02.052: ISAKMP:(0):Basic life_in_seconds:3600
022837: *May  3 21:42:02.052: ISAKMP:(0):Returning Actual lifetime: 3600
022838: *May  3 21:42:02.052: ISAKMP:(0)::Started lifetime timer: 3600.

022839: *May  3 21:42:02.052: ISAKMP:(0): processing KE payload. message ID = 0
022840: *May  3 21:42:02.100: ISAKMP:(0): processing NONCE payload. message ID = 0
022841: *May  3 21:42:02.100: ISAKMP (0): vendor ID is NAT-T RFC 3947
022842: *May  3 21:42:02.100: ISAKMP (0): vendor ID is NAT-T v7
022843: *May  3 21:42:02.100: ISAKMP:(0): vendor ID is NAT-T v3
022844: *May  3 21:42:02.100: ISAKMP:(0): vendor ID is NAT-T v2
022845: *May  3 21:42:02.100: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
022846: *May  3 21:42:02.100: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

022847: *May  3 21:42:02.104: ISAKMP:(2014): constructed NAT-T vendor-rfc3947 ID
022848: *May  3 21:42:02.104: ISAKMP:(2014):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
022849: *May  3 21:42:02.104: ISAKMP (2014): ID payload
        next-payload : 10
        type         : 1
        address      : 88.88.88.88
        protocol     : 0
        port         : 0
        length       : 12
022850: *May  3 21:42:02.104: ISAKMP:(2014):Total payload length: 12
022851: *May  3 21:42:02.104: ISAKMP:(2014): sending packet to 178.182.46.59 my_port 500 peer_port 500 (R) AG_INIT_EXCH
022852: *May  3 21:42:02.104: ISAKMP:(2014):Sending an IKE IPv4 Packet.
022853: *May  3 21:42:02.108: ISAKMP:(2014):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
022854: *May  3 21:42:02.108: ISAKMP:(2014):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

022855: *May  3 21:42:03.132: ISAKMP (2014): received packet from 178.182.46.59 dport 500 sport 500 Global (R) AG_INIT_EXCH
022856: *May  3 21:42:03.132: ISAKMP:(2014): phase 1 packet is a duplicate of a previous packet.
022857: *May  3 21:42:03.132: ISAKMP:(2014): retransmitting due to retransmit phase 1
022858: *May  3 21:42:03.252: ISAKMP (2014): received packet from 178.182.46.59 dport 500 sport 500 Global (R) AG_INIT_EXCH
022859: *May  3 21:42:03.252: ISAKMP:(2014): phase 1 packet is a duplicate of a previous packet.
022860: *May  3 21:42:03.252: ISAKMP:(2014): retransmitting due to retransmit phase 1
022861: *May  3 21:42:03.752: ISAKMP:(2014): retransmitting phase 1 AG_INIT_EXCH...
022862: *May  3 21:42:03.752: ISAKMP (2014): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
022863: *May  3 21:42:03.752: ISAKMP:(2014): retransmitting phase 1 AG_INIT_EXCH
022864: *May  3 21:42:03.752: ISAKMP:(2014): sending packet to 178.182.46.59 my_port 500 peer_port 500 (R) AG_INIT_EXCH
022865: *May  3 21:42:03.752: ISAKMP:(2014):Sending an IKE IPv4 Packet.
022866: *May  3 21:42:05.073: ISAKMP (2014): received packet from 178.182.46.59 dport 4500 sport 4500 Global (R) AG_INIT_EXCH
022867: *May  3 21:42:05.073: ISAKMP:(2014): processing HASH payload. message ID = 0
022868: *May  3 21:42:05.077: ISAKMP:received payload type 20
022869: *May  3 21:42:05.077: ISAKMP (2014): His hash no match - this node outside NAT
022870: *May  3 21:42:05.077: ISAKMP:received payload type 20
022871: *May  3 21:42:05.077: ISAKMP (2014): His hash no match - this node outside NAT
022872: *May  3 21:42:05.077: ISAKMP:(2014): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 84F16874
022873: *May  3 21:42:05.077: ISAKMP:(2014):SA authentication status:
        authenticated
022874: *May  3 21:42:05.077: ISAKMP:(2014):SA has been authenticated with 178.182.46.59
022875: *May  3 21:42:05.077: ISAKMP:(2014):Detected port,floating to port = 4500
022876: *May  3 21:42:05.077: ISAKMP: Trying to find existing peer 88.88.88.88/178.182.46.59/4500/ and found existing peer 84A6ABDC to reuse, free 855D1574
022877: *May  3 21:42:05.077: ISAKMP: Unlocking peer struct 0x855D1574 Reuse existing peer, count 0
022878: *May  3 21:42:05.077: ISAKMP: Deleting peer node by peer_reap for 178.182.46.59: 855D1574
022879: *May  3 21:42:05.077: ISAKMP: Locking peer struct 0x84A6ABDC, refcount 2 for Reuse existing peer
022880: *May  3 21:42:05.077: ISAKMP:(2014):SA authentication status:
        authenticated
022881: *May  3 21:42:05.081: ISAKMP:(2014): Process initial contact,
bring down existing phase 1 and 2 SA's with local 88.88.88.88 remote 178.182.46.59 remote port 4500
022882: *May  3 21:42:05.081: ISAKMP:(2014):returning IP addr to the address pool
022883: *May  3 21:42:05.081: ISAKMP:(2013):received initial contact, deleting SA
022884: *May  3 21:42:05.081: ISAKMP:(2013):peer does not do paranoid keepalives.

022885: *May  3 21:42:05.081: ISAKMP:(2013):peer does not do paranoid keepalives.

022886: *May  3 21:42:05.081: ISAKMP:(2013):deleting SA reason "Receive initial contact" state (R) CONF_XAUTH    (peer 178.182.46.59)
022887: *May  3 21:42:05.081: ISAKMP:(2014):Returning Actual lifetime: 3600
022888: *May  3 21:42:05.081: ISAKMP: set new node -385562178 to CONF_XAUTH
022889: *May  3 21:42:05.081: ISAKMP:(2014):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 2220717296, message ID = -385562178
022890: *May  3 21:42:05.081: ISAKMP:(2014): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) QM_IDLE
022891: *May  3 21:42:05.081: ISAKMP:(2014):Sending an IKE IPv4 Packet.
022892: *May  3 21:42:05.085: ISAKMP:(2014):purging node -385562178
022893: *May  3 21:42:05.085: ISAKMP: Sending phase 1 responder lifetime 3600

022894: *May  3 21:42:05.085: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
022895: *May  3 21:42:05.085: ISAKMP:(2014):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

022896: *May  3 21:42:05.085: ISAKMP (2014): received packet from 178.182.46.59 dport 4500 sport 4500 Global (R) QM_IDLE
022897: *May  3 21:42:05.085: ISAKMP:(2014): phase 1 packet is a duplicate of a previous packet.
022898: *May  3 21:42:05.085: ISAKMP:(2014): retransmitting due to retransmit phase 1
022899: *May  3 21:42:05.085: ISAKMP:(2014): no outgoing phase 1 packet to retransmit. QM_IDLE
022900: *May  3 21:42:05.089: ISAKMP: set new node -1006615992 to CONF_XAUTH
022901: *May  3 21:42:05.089: ISAKMP:(2013): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022902: *May  3 21:42:05.089: ISAKMP:(2013):Sending an IKE IPv4 Packet.
022903: *May  3 21:42:05.089: ISAKMP:(2013):purging node -1006615992
022904: *May  3 21:42:05.089: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
022905: *May  3 21:42:05.089: ISAKMP:(2013):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA

022906: *May  3 21:42:05.089: ISAKMP:(2014):Need XAUTH
022907: *May  3 21:42:05.093: ISAKMP: set new node -254957165 to CONF_XAUTH
022908: *May  3 21:42:05.093: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
022909: *May  3 21:42:05.093: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
022910: *May  3 21:42:05.093: ISAKMP:(2014): initiating peer config to 178.182.46.59. ID = -254957165
022911: *May  3 21:42:05.093: ISAKMP:(2014): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022912: *May  3 21:42:05.093: ISAKMP:(2014):Sending an IKE IPv4 Packet.
022913: *May  3 21:42:05.093: ISAKMP:(2014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
022914: *May  3 21:42:05.093: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

022915: *May  3 21:42:05.093: ISAKMP:(2013):deleting SA reason "Receive initial contact" state (R) CONF_XAUTH    (peer 178.182.46.59)
022916: *May  3 21:42:05.097: ISAKMP: Unlocking peer struct 0x84A6ABDC for isadb_mark_sa_deleted(), count 1
022917: *May  3 21:42:05.097: ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
022918: *May  3 21:42:05.097: ISAKMP:(2013):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

022919: *May  3 21:42:17.792: ISAKMP (2014): received packet from 178.182.46.59 dport 4500 sport 4500 Global (R) CONF_XAUTH
022920: *May  3 21:42:17.792: ISAKMP:(2014):processing transaction payload from 178.182.46.59. message ID = -254957165
022921: *May  3 21:42:17.796: ISAKMP: Config payload REPLY
022922: *May  3 21:42:17.796: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
022923: *May  3 21:42:17.796: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
022924: *May  3 21:42:17.796: ISAKMP:(2014):deleting node -254957165 error FALSE reason "Done with xauth request/reply exchange"
022925: *May  3 21:42:17.796: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
022926: *May  3 21:42:17.796: ISAKMP:(2014):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

022927: *May  3 21:42:17.796: RADIUS/ENCODE(00000542):Orig. component type = VPN_IPSEC
022928: *May  3 21:42:17.796: RADIUS:  AAA Unsupported Attr: interface         [175] 12
022929: *May  3 21:42:17.796: RADIUS:   37 37 2E 32 35 33 2E 32 31 36                    [77.253.216]
022930: *May  3 21:42:17.796: RADIUS/ENCODE(00000542): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
022931: *May  3 21:42:17.796: RADIUS(00000542): Config NAS IP: 0.0.0.0
022932: *May  3 21:42:17.800: RADIUS/ENCODE(00000542): acct_session_id: 1346
022933: *May  3 21:42:17.800: RADIUS(00000542): Config NAS IP: 0.0.0.0
022934: *May  3 21:42:17.800: RADIUS(00000542): sending
022935: *May  3 21:42:17.800: RADIUS/ENCODE: Best Local IP-Address 10.10.10.1 for Radius-Server 10.10.10.1
022936: *May  3 21:42:17.800: RADIUS(00000542): Send Access-Request to 10.10.10.1:1812 id 1645/54, len 100
022937: *May  3 21:42:17.800: RADIUS:  authenticator 43 B5 58 8F 59 09 63 26 - 57 18 96 D3 F8 C6 F7 92
022938: *May  3 21:42:17.800: RADIUS:  User-Name           [1]   8   "tester"
022939: *May  3 21:42:17.800: RADIUS:  User-Password       [2]   18  *
022940: *May  3 21:42:17.800: RADIUS:  Calling-Station-Id  [31]  15  "178.182.46.59"
022941: *May  3 21:42:17.800: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
022942: *May  3 21:42:17.800: RADIUS:  NAS-Port            [5]   6   2
022943: *May  3 21:42:17.800: RADIUS:  NAS-Port-Id         [87]  14  "88.88.88.88"
022944: *May  3 21:42:17.804: RADIUS:  NAS-IP-Address      [4]   6   10.10.10.1
022945: *May  3 21:42:17.804: RADIUS:  Nas-Identifier      [32]  7   "C877W"
022946: *May  3 21:42:17.804: RADSRV: Client tester password failed
022947: *May  3 21:42:17.804: RADSRV 10.10.10.1< Code 3 Id 36 Len 88
022948: *May  3 21:42:17.804:   Auth 251A8295 DB8B738F E213D046 E877EF26
022949: *May  3 21:42:17.804:   24 - 8A 3D 23 56 12 5F 8D 19 C2 9C 8B C5 FA E1 90 08 E5 86 D4 8E 42 1B 20 76 A5 8C 19 D9 7E 18 3C E6 62 07 96 13 5C 7B F7 90 56 03 F4 45 AF E4 37 40
022950: *May  3 21:42:17.808:   80 - 3C CB 11 B2 38 FD 49 54 58 18 84 BB D6 DC FC 93
022951: *May  3 21:42:17.808: RADIUS: Received from id 1645/54 10.10.10.1:1812, Access-Reject, len 88
022952: *May  3 21:42:17.812: RADIUS:  authenticator 25 1A 82 95 DB 8B 73 8F - E2 13 D0 46 E8 77 EF 26
022953: *May  3 21:42:17.812: RADIUS:  State               [24]  50
022954: *May  3 21:42:17.812: RADIUS:   8A 3D 23 56 12 5F 8D 19 C2 9C 8B C5 FA E1 90 08  [?=#V?_??????????]
022955: *May  3 21:42:17.812: RADIUS:   E5 86 D4 8E 42 1B 20 76 A5 8C 19 D9 7E 18 3C E6  [????B? v????~?<?]
022956: *May  3 21:42:17.812: RADIUS:   62 07 96 13 5C 7B F7 90 56 03 F4 45 AF E4 37 40  [b???\{??V??E??7@]
022957: *May  3 21:42:17.812: RADIUS:  Message-Authenticato[80]  18
022958: *May  3 21:42:17.812: RADIUS:   3C CB 11 B2 38 FD 49 54 58 18 84 BB D6 DC FC 93  [<???8?ITX???????]
022959: *May  3 21:42:17.812: RADIUS(00000542): Received from id 1645/54
022960: *May  3 21:42:17.816: ISAKMP: set new node -741097173 to CONF_XAUTH
022961: *May  3 21:42:17.816: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
022962: *May  3 21:42:17.816: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
022963: *May  3 21:42:17.816: ISAKMP:(2014): initiating peer config to 178.182.46.59. ID = -741097173
022964: *May  3 21:42:17.816: ISAKMP:(2014): sending packet to 178.182.46.59 my_port 4500 peer_port 4500 (R) CONF_XAUTH
022965: *May  3 21:42:17.816: ISAKMP:(2014):Sending an IKE IPv4 Packet.
022966: *May  3 21:42:17.816: ISAKMP:(2014):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
022967: *May  3 21:42:17.816: ISAKMP:(2014):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_REQ_SENT

Jatin, do you have any idea?
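Added example, not part of the original post: a small Python parser for IOS debug output of the kind pasted above. It pairs each RADIUS Access-Request with the ISAKMP SA that triggered it, the local server's `RADSRV` reason, and the verdict. The sample lines are excerpted from the log above; the function and field names (`parse_debug`, `Exchange`, `summarize`) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the debug output posted above (both rejected XAUTH logins).
SAMPLE = """\
022642: *May  3 21:40:16.315: ISAKMP:(2013):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
022652: *May  3 21:40:16.319: RADIUS(0000053F): Send Access-Request to 10.10.10.1:1812 id 1645/53, len 101
022654: *May  3 21:40:16.319: RADIUS:  User-Name           [1]   9   "xxxxxx"
022655: *May  3 21:40:16.319: RADIUS:  User-Password       [2]   18  *
022662: *May  3 21:40:16.323: RADSRV: Client xxxxxx password failed
022667: *May  3 21:40:16.327: RADIUS: Received from id 1645/53 10.10.10.1:1812, Access-Reject, len 88
022683: *May  3 21:40:16.335: ISAKMP:(2013):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_REQ_SENT
022926: *May  3 21:42:17.796: ISAKMP:(2014):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
022936: *May  3 21:42:17.800: RADIUS(00000542): Send Access-Request to 10.10.10.1:1812 id 1645/54, len 100
022938: *May  3 21:42:17.800: RADIUS:  User-Name           [1]   8   "tester"
022939: *May  3 21:42:17.800: RADIUS:  User-Password       [2]   18  *
022946: *May  3 21:42:17.804: RADSRV: Client tester password failed
022951: *May  3 21:42:17.808: RADIUS: Received from id 1645/54 10.10.10.1:1812, Access-Reject, len 88
022967: *May  3 21:42:17.816: ISAKMP:(2014):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_REQ_SENT
"""

# Optional sequence number, optional "*", timestamp, then the message.
PREFIX = re.compile(r"^\s*(?:\d+:\s+)?\*?(\w{3}\s+\d+\s+[\d:.]+):\s+(.*)$")
STATE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+)\s+New State = (\S+)")
SEND = re.compile(r"RADIUS\(\w+\): Send Access-Request to (\S+) id (\d+/\d+),")
ATTR = re.compile(r"RADIUS:\s+(User-Name|User-Password)\s+\[\d+\]\s+(\d+)\s+(.*)")
FAIL = re.compile(r"RADSRV: Client (\S+) password failed")
RECV = re.compile(r"RADIUS: Received from id (\d+/\d+) \S+, (Access-\w+),")
AAA_WAIT = "IKE_XAUTH_AAA_CONT_LOGIN_AWAIT"


@dataclass
class Exchange:
    radius_id: str                         # request id as IOS prints it, e.g. "1645/54"
    server: str                            # ip:port the Access-Request was sent to
    time: str                              # timestamp of the Access-Request
    isakmp_sa: Optional[str] = None        # SA that was waiting on AAA for this login
    user: Optional[str] = None
    # Attribute length minus the 2-octet header. RFC 2865 pads the hidden
    # User-Password to a multiple of 16 octets, so 16 means a 1-16 char password.
    password_octets: Optional[int] = None
    server_reason: Optional[str] = None    # what the local RADSRV logged, if anything
    verdict: Optional[str] = None          # Access-Accept / Access-Reject / ...
    reprompted: bool = False               # XAUTH went back to asking for credentials


def parse_debug(text: str) -> List[Exchange]:
    exchanges: List[Exchange] = []
    awaiting_sa: Optional[str] = None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # indented continuation lines carry no timestamp
        ts, msg = m.groups()
        hit = STATE.search(msg)
        if hit:
            sa, old, new = hit.groups()
            if new == AAA_WAIT:
                awaiting_sa = sa
            elif old == AAA_WAIT and new == "IKE_XAUTH_REQ_SENT":
                for ex in reversed(exchanges):
                    if ex.isakmp_sa == sa and ex.verdict == "Access-Reject":
                        ex.reprompted = True
                        break
            continue
        hit = SEND.search(msg)
        if hit:
            exchanges.append(Exchange(hit.group(2), hit.group(1), ts, awaiting_sa))
            awaiting_sa = None
            continue
        if not exchanges:
            continue
        cur = exchanges[-1]
        hit = ATTR.search(msg)
        if hit and cur.verdict is None:
            name, length, value = hit.groups()
            if name == "User-Name":
                cur.user = value.strip().strip('"')
            else:
                cur.password_octets = int(length) - 2
            continue
        hit = FAIL.search(msg)
        if hit and hit.group(1) == cur.user:
            cur.server_reason = "password failed"
            continue
        hit = RECV.search(msg)
        if hit:
            for ex in exchanges:
                if ex.radius_id == hit.group(1) and ex.verdict is None:
                    ex.verdict = hit.group(2)
    return exchanges


def summarize(exchanges: List[Exchange]) -> List[str]:
    return [
        f"{ex.time} SA {ex.isakmp_sa} id {ex.radius_id} user={ex.user} "
        f"pw_octets={ex.password_octets} -> {ex.verdict} "
        f"({ex.server_reason or 'no local reason logged'})"
        f"{'; client re-prompted' if ex.reprompted else ''}"
        for ex in exchanges
    ]


if __name__ == "__main__":
    for row in summarize(parse_debug(SAMPLE)):
        print(row)
```

Run over the full capture, this puts the two attempts side by side: both were rejected by the router's own RADIUS server with "password failed", and each reject sent the client back to `IKE_XAUTH_REQ_SENT`.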