Page 1 of 1  [ 2 posts ]
sarkai
Registered: 12 Feb 2020, 12:24   Posts: 3
Need help, I've been going round in circles and can't find the mistake. ASA 5512 in the DMZ; there is a RADIUS server on the local network on one of the domain controllers. Going to https://<external address> pops up a window asking for credentials. If the domain user is in the remote-access group, it lets them download AnyConnect; after installation: "The VPN configuration received from the secure gateway is invalid" + "AnyConnect cannot confirm it is connected to your secure gateway. The network may not be trustworthy." I've gone over everything and can't understand what it doesn't like in the policies. The certificate is self-signed, generated, and is thrown up on connection with an offer to trust it or leave.
: Saved
: Written by mesitkai at 13:10:47.506 UTC Wed May 20 2020
!
ASA Version 9.1(2)
!
hostname ciscoasa
domain-name my.dom
enable password ** encrypted
names
ip local pool pool 10.13.24.1-10.13.24.250 mask 255.255.0.0
!
interface GigabitEthernet0/0
 description out
 nameif out
 security-level 0
 ip address 192.168.9.3 255.255.255.248
!
interface GigabitEthernet0/1
 description inside
 nameif inside
 security-level 100
 ip address 10.13.0.24 255.255.255.128
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name my.dom
object network NETWORK_OBJ_10.13.24.0_24
 subnet 10.13.24.0 255.255.255.0
access-list Radius-ACL standard permit 10.13.0.0 255.255.0.0
access-list Radius-ACL standard permit 10.64.0.0 255.255.0.0
access-list Radius-ACL standard permit 172.23.40.0 255.255.255.0
access-list FROMOUTSIDE extended permit ip any any
access-list out_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu out 1500
mtu inside 1500
failover
failover lan unit secondary
failover lan interface Falover GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover replication http
failover link Falover GigabitEthernet0/3
failover interface ip Falover 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,out) source static any any destination static NETWORK_OBJ_10.13.24.0_24 NETWORK_OBJ_10.13.24.0_24 no-proxy-arp route-lookup
!
nat (inside,out) after-auto source dynamic any interface
access-group out_access_in in interface out
route out 0.0.0.0 0.0.0.0 192.168.9.1 1
route inside 10.13.0.0 255.255.0.0 10.13.0.1 1
route inside 10.64.0.0 255.255.0.0 10.13.0.1 1
route inside 172.23.30.0 255.255.255.0 10.13.0.1 1
route inside 192.168.3.0 255.255.255.0 10.13.0.1 1
route inside 192.168.15.0 255.255.255.0 10.13.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map AD
 map-name memberOf IETF-Radius-Class
dynamic-access-policy-record DfltAccessPolicy
 network-acl FROMOUTSIDE
 webvpn
  url-list none
  file-browsing enable
  file-entry enable
  http-proxy enable
  url-entry enable
  svc ask none default svc
  always-on-vpn profile-setting
aaa-server radius protocol radius
aaa-server radius (inside) host 10.13.1.30
 timeout 120
 key *****
 radius-common-pw ****
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3DES mode transport
crypto ipsec ikev1 transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set 3DES-MD5 mode transport
crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set AES-SHA mode transport
crypto ipsec ikev1 transform-set AES-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set AES-MD5 mode transport
crypto ipsec ikev1 transform-set AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set AES-192-SHA mode transport
crypto ipsec ikev1 transform-set AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set AES-192-MD5 mode transport
crypto ipsec ikev1 transform-set AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set AES-256-SHA mode transport
crypto ipsec ikev1 transform-set AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set AES-256-MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map out_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map out_map interface out
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=ASAv
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 0509
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable out
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable out
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.13.12.0 255.255.255.0 inside
ssh 10.13.16.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 out
webvpn
 enable out
 anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux64-4.6.01103-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 3
 anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.13.1.10
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
 default-domain value my.dom
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 dns-server value 10.13.128.51 10.13.1.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 group-lock value VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Radius-ACL
 default-domain value my.dom
 split-tunnel-all-dns disable
 webvpn
  anyconnect firewall-rule client-interface public value Radius-ACL
  anyconnect firewall-rule client-interface private value Radius-ACL
  anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy_Radius internal
group-policy GroupPolicy_Radius attributes
 wins-server none
 dns-server value 10.13.1.10
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-network-list value Radius-ACL
 default-domain value my.dom
username admin password lY46JPhi6AWl7hbO encrypted
username kmsmsi password INv2MlQCDLIy4Kog encrypted privilege 15
username mesitmda password peNNfoPgV8lUidqE encrypted privilege 15
username mesitkai password WKWDjc1PmjbzbKKY encrypted privilege 15
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy GroupPolicy_Radius
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key ****
 peer-id-validate nocheck
 ikev1 trust-point ASDM_TrustPoint1
 ikev2 remote-authentication pre-shared-key ******
 ikev2 local-authentication certificate ASDM_TrustPoint1
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool pool
 authentication-server-group radius
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool pool
 authentication-server-group radius
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
!
class-map inspection_default
 match default-inspection-traffic
class-map out-class
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map out-policy
 class out-class
  inspect pptp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
service-policy out-policy interface out
prompt hostname context
call-home reporting anonymous
Cryptochecksum:
: end
20 May 2020, 14:34

sarkai
Registered: 12 Feb 2020, 12:24   Posts: 3
The thread can be closed; the problem was a funny one: ssl encryption aes128-sha1 and the ASA worked right away.
Network Policy Server granted access to a user.
Authentication Details: Connection Request Policy Name: Use Windows authentication for all users. RADIUS Client: Client Friendly Name: Radius Client
All the detailed logs got dumped on the server: the address the connection came from, which account was knocking.
20 May 2020, 16:06
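A config audit for the two posts above, as an added example that is not from the thread: it reads a running-config in the form posted and reports the absence of an explicit ssl encryption line (the setting the second post added), weak suites in that line, an interface enabled under webvpn with no SSL trust-point, the dh-group1-sha1 SSH key exchange, and DES/3DES in IKE policies. The "weak" lists and the finding codes are this example's own choice, and the sample configs are constructed excerpts modelled on the posted one.

```python
"""Audit the SSL-VPN-relevant lines of a Cisco ASA running-config.

Added example, not code from the forum post. It flags the condition the
thread ended on (no explicit 'ssl encryption' line, so the ASA offers its
default cipher list) plus a few weak settings visible in the posted config.
Syntax is ASA 9.1 style; the 'weak' lists are this example's own choice.
"""
import re

# Suites the 9.1 'ssl encryption' command accepts that should not be offered
# to AnyConnect clients (assumption: this example's own list).
WEAK_SSL_SUITES = {"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1"}
WEAK_IKE_CIPHERS = {"des", "3des"}       # ' encryption <x>' inside IKE policies
WEAK_SSH_KEX = {"dh-group1-sha1"}        # 'ssh key-exchange group <x>'


def audit_asa_ssl(config: str) -> list[tuple[str, str]]:
    """Return (finding-code, detail) pairs for the given running-config text."""
    lines = config.splitlines()
    findings: list[tuple[str, str]] = []

    # 1. Explicit SSL cipher list; the last 'ssl encryption' line is the active one.
    enc = [ln.split()[2:] for ln in lines if ln.startswith("ssl encryption ")]
    if not enc:
        findings.append(("no-ssl-encryption", "platform default cipher list in use"))
    else:
        for suite in sorted(WEAK_SSL_SUITES & set(enc[-1])):
            findings.append(("weak-ssl-suite", suite))

    # 2. Each interface enabled under the top-level 'webvpn' block needs a
    #    trust-point: 'ssl trust-point <tp> <if>' or a global 'ssl trust-point <tp>'.
    global_tp = any(re.fullmatch(r"ssl trust-point \S+", ln) for ln in lines)
    iface_tp = {m.group(1) for ln in lines
                if (m := re.fullmatch(r"ssl trust-point \S+ (\S+)", ln))}
    in_webvpn = False
    for ln in lines:
        if ln == "webvpn":               # exact match: the copy inside a group-policy is indented
            in_webvpn = True
            continue
        if not ln.startswith(" "):
            in_webvpn = False
        if in_webvpn and (m := re.fullmatch(r" enable (\S+)", ln)):
            if not global_tp and m.group(1) not in iface_tp:
                findings.append(("no-ssl-trustpoint", m.group(1)))

    # 3. SSH key exchange group.
    for ln in lines:
        m = re.fullmatch(r"ssh key-exchange group (\S+)", ln)
        if m and m.group(1) in WEAK_SSH_KEX:
            findings.append(("weak-ssh-kex", m.group(1)))

    # 4. IKE policies: an indented ' encryption <cipher>' belongs to the most
    #    recent 'crypto ikevN policy <n>' header above it.
    policy = None
    for ln in lines:
        if (m := re.fullmatch(r"crypto (ikev[12]) policy (\d+)", ln)):
            policy = f"{m.group(1)} policy {m.group(2)}"
        elif not ln.startswith(" "):
            policy = None
        elif policy and (m := re.fullmatch(r" encryption (\S+)", ln)):
            if m.group(1) in WEAK_IKE_CIPHERS:
                findings.append(("weak-ike-cipher", f"{policy}: {m.group(1)}"))
    return findings


# Constructed excerpt modelled on the config posted in the thread (same
# commands, trimmed). Note there is no 'ssl encryption' line.
BEFORE = """\
ssh key-exchange group dh-group1-sha1
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
ssl trust-point ASDM_TrustPoint1 out
webvpn
 enable out
 anyconnect enable
group-policy GroupPolicy_VPN attributes
 webvpn
  anyconnect profiles value VPN_client_profile type user
"""

# The same excerpt after the change the thread ended with.
AFTER = "ssl encryption aes128-sha1\n" + BEFORE

# Constructed counter-example: a weak suite listed, and webvpn enabled on an
# interface that has no trust-point.
BAD = "ssl encryption rc4-md5 aes128-sha1\nwebvpn\n enable inside\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("bad", BAD)):
        print(name, audit_asa_ssl(cfg))
```

The audit only looks at what the text of the config states. It does not validate the certificate behind the trust-point; a self-signed one like the posted ASDM_TrustPoint1 still has to be trusted by the client separately, which is the prompt the first post describes. The ssl encryption keyword is the ASA 9.1 form; newer releases express the same setting with a different command, so adjust the prefix in step 1 if auditing a later version.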