Windows Azure (Phone Factor) Multi-Factor Authentication Issues with Cisco ASA

I have a Cisco ASA security appliance and I am trying to use the Azure MFA Server on a domain-member (virtual) server (Windows Server 2012 R2). As far as I can tell, the MFA server is installed and configured correctly.

When I run an AAA test from the Cisco CLI, it works fine:

test aaa-server authentication RADIUS

It prompts me for the server IP address and my domain credentials. The MFA system calls my phone, I enter my PIN, and I get a successful test, as shown below (debug output):

Attempting Authentication test to IP address <192.168.100.3> (timeout: 62 seconds)
alloc_rip 0xac1a30a4
    new request 0x80000005 --> 29 (0xac1a30a4)
got user 'Morgan'
got password
add_req 0xac1a30a4 session 0x80000005 id 29
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 80).....
01 1d 00 50 2c 0d 72 e7 3e d9 0a d2 a8 19 45 d4    |  ...P,.r.>.....E.
4c 33 b9 1d 01 08 4d 6f 72 67 61 6e 02 22 80 0c    |  L3....Morgan."..
4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a 47 e1    |  L...fh..&.2E*.G.
5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71 04 06    |  Z.z5....I.\.uq..
c0 a8 64 fd 05 06 00 00 00 08 3d 06 00 00 00 05    |  ..d.......=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 29 (0x1D)
Radius: Length = 80 (0x0050)
Radius: Vector: 2C0D72E73ED90AD2A81945D44C33B91D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) = 
4d 6f 72 67 61 6e                                  |  Morgan
Radius: Type = 2 (0x02) User-Password
Radius: Length = 34 (0x22)
Radius: Value (String) = 
80 0c 4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a    |  ..L...fh..&.2E*.
47 e1 5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71    |  G.Z.z5....I.\.uq
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.100.253 (0xC0A864FD)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x8
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.100.3/1645
radius.c: rad_mkpkt

RADIUS packet decode (authentication request (retransmission))

--------------------------------------
Raw packet data (length = 80).....
01 1d 00 50 2c 0d 72 e7 3e d9 0a d2 a8 19 45 d4    |  ...P,.r.>.....E.
4c 33 b9 1d 01 08 4d 6f 72 67 61 6e 02 22 80 0c    |  L3....Morgan."..
4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a 47 e1    |  L...fh..&.2E*.G.
5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71 04 06    |  Z.z5....I.\.uq..
c0 a8 64 fd 05 06 00 00 00 09 3d 06 00 00 00 05    |  ..d.......=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 29 (0x1D)
Radius: Length = 80 (0x0050)
Radius: Vector: 2C0D72E73ED90AD2A81945D44C33B91D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) = 
4d 6f 72 67 61 6e                                  |  Morgan
Radius: Type = 2 (0x02) User-Password
Radius: Length = 34 (0x22)
Radius: Value (String) = 
80 0c 4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a    |  ..L...fh..&.2E*.
47 e1 5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71    |  G.Z.z5....I.\.uq
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.100.253 (0xC0A864FD)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x9
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.100.3/1645
rip 0xac1a30a4 state 7 id 29
rad_vrfy() : response message verified
rip 0xac1a30a4
 : chall_state ''
 : state 0x7
 : reqauth:
     2c 0d 72 e7 3e d9 0a d2 a8 19 45 d4 4c 33 b9 1d 
 : info 0xac1a31dc
     session_id 0x80000005
     request_id 0x1d
     user 'Morgan'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.100.3
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 20).....
02 1d 00 14 4f b4 3f 0d 47 3e 85 48 c0 f2 eb 6f    |  ....O.?.G>.H...o
7d 92 19 14                                        |  }...

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 29 (0x1D)
Radius: Length = 20 (0x0014)
Radius: Vector: 4FB43F0D473E8548C0F2EB6F7D921914
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xac1a30a4 session 0x80000005 id 29
free_rip 0xac1a30a4
radius: send queue empty
INFO: Authentication Successful

Hooray! It works! But not so fast.

When I dial in from my remote client (just Windows 7 x64 DUN), the MFA RADIUS server rejects me (exact same credentials). I.e.:

radius mkreq: 0x8d9
alloc_rip 0xac1a30a4
    new request 0x8d9 --> 22 (0xac1a30a4)
got user 'Morgan'
got password
add_req 0xac1a30a4 session 0x8d9 id 22
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 191).....
01 16 00 bf 38 24 5e c4 67 f8 67 f6 df a4 45 ad    |  ....8$^.g.g...E.
d9 bb 37 ca 01 08 4d 6f 72 67 61 6e 05 06 00 34    |  ..7...Morgan...4
d0 00 06 06 00 00 00 02 07 06 00 00 00 01 3d 06    |  ..............=.
00 00 00 05 42 11 31 39 32 2e 31 36 38 2e 31 30    |  ....B.192.168.10
30 2e 32 35 33 1a 18 00 00 01 37 0b 12 93 4e 09    |  0.253.....7...N.
d3 05 63 7b d1 7f 27 08 60 2e 8b a4 68 1a 3a 00    |  ..c{.'.`...h.:.
00 01 37 19 34 01 00 64 74 e0 85 42 cc b2 0a 93    |  ..7.4..dt..B....
34 89 9e 8e 9e 3c aa 00 00 00 00 00 00 00 00 00    |  4....<..........
28 e9 58 f7 0e bf b1 15 43 c5 f8 79 a8 c8 4f 3f    |  (.X.....C..y..O?
08 e5 4f 13 a3 c9 c5 04 06 c0 a8 64 fd 1a 16 00    |  ..O........d....
00 0c 04 92 10 44 65 66 61 75 6c 74 52 41 47 72    |  .....DefaultRAGr
6f 75 70 1a 0c 00 00 0c 04 96 06 00 00 00 05       |  oup............

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 22 (0x16)
Radius: Length = 191 (0x00BF)
Radius: Vector: 38245EC467F867F6DFA445ADD9BB37CA
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) = 
4d 6f 72 67 61 6e                                  |  Morgan
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x34D000
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 7 (0x07) Framed-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 17 (0x11)
Radius: Value (String) = 
31 39 32 2e 31 36 38 2e 31 30 30 2e 32 35 33       |  192.168.100.253
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 24 (0x18)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 11 (0x0B) MS-CHAP-Challenge
Radius: Length = 18 (0x12)
Radius: Value (String) = 
93 4e 09 d3 05 63 7b d1 7f 27 08 60 2e 8b a4 68    |  .N...c{.'.`...h
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)
Radius: Value (String) = 
01 00 64 74 e0 85 42 cc b2 0a 93 34 89 9e 8e 9e    |  ..dt..B....4....
3c aa 00 00 00 00 00 00 00 00 00 28 e9 58 f7 0e    |  <..........(.X..
bf b1 15 43 c5 f8 79 a8 c8 4f 3f 08 e5 4f 13 a3    |  ...C..y..O?..O..
c9 c5                                              |  ..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.100.253 (0xC0A864FD)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 22 (0x16)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 16 (0x10)
Radius: Value (String) = 
44 65 66 61 75 6c 74 52 41 47 72 6f 75 70          |  DefaultRAGroup
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 5 (0x0005)
send pkt 192.168.100.3/1645
rip 0xac1a30a4 state 7 id 22
rad_vrfy() : response message verified
rip 0xac1a30a4
 : chall_state ''
 : state 0x7
 : reqauth:
     38 24 5e c4 67 f8 67 f6 df a4 45 ad d9 bb 37 ca 
 : info 0xac1a31dc
     session_id 0x8d9
     request_id 0x16
     user 'Morgan'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.100.3
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 38).....
03 16 00 26 5e fd c0 10 be 94 4b 72 5f 0e 51 a8    |  ...&^.....Kr_.Q.
d3 5b 3a 65 1a 12 00 00 01 37 02 0c 01 45 3d 36    |  .[:e.....7...E=6
39 31 00 52 3d 31                                  |  91.R=1

Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 22 (0x16)
Radius: Length = 38 (0x0026)
Radius: Vector: 5EFDC010BE944B725F0E51A8D35B3A65
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 18 (0x12)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 2 (0x02) MS-CHAP-Error
Radius: Length = 12 (0x0C)
Radius: Value (String) = 
01 45 3d 36 39 31 00 52 3d 31                      |  .E=691.R=1
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0xac1a30a4 session 0x8d9 id 22
free_rip 0xac1a30a4
radius: send queue empty

The DUN client is set to use MS-CHAP-V2 exclusively and to require encryption. I can see from the syslog entries that the ASA is establishing the tunnel correctly, so this is not an IKE or L2TP issue.

I will note that the format of the RADIUS requests themselves is noticeably different, as you can see. I don't see any Type 2 (User-Password) element in the request from the DUN client (I assume). I really don't know much about RADIUS and I'm at a loss.

I really need to get our staff back onto this VPN. Thoughts?

OK, after further research I found the answer to my own question.

It turns out that for the domain to authenticate MS-CHAP-v2 requests, NTLMv1 is required. For enhanced security, our Group Policy had "Network security: LAN Manager authentication level" set to 5 - Send NTLMv2 response only\refuse LM & NTLM (NTLM here meaning NTLMv1). I changed this Group Policy setting to 4 - Send NTLMv2 response only\refuse LM (meaning NTLMv1 requests are allowed but only NTLMv2 responses are sent), and now the Azure MFA (PhoneFactor) RADIUS server works perfectly!

I would really like to switch it back to 5 (for security reasons), so I am still looking for a way to force the Azure MFA (PhoneFactor) RADIUS server to authenticate against the domain using NTLMv2 instead. If I find a way to make that work, I will post it here. But for now, at least I am back on our 2-factor VPN.