HELP asa 5512 + radius 
I need help; I've gone round in circles and can't find the mistake.
An ASA 5512 sits in the DMZ; the RADIUS server is on the local network on one of the domain controllers.
Going to https://<external address> brings up a window asking for credentials. If the domain user is a member of the remote-access group, it lets them download AnyConnect.
After installation: "the vpn configuration received from the secure gateway is invalid" + "anyconnect cannot confirm it is connected to your secure gateway. the network may not be trustworthy".
I've crawled through everything and can't understand what it doesn't like in the policies.
The certificate is self-signed (generated on the box) and is presented on connection with an offer to trust it or leave.

: Saved
: Written by mesitkai at 13:10:47.506 UTC Wed May 20 2020

ASA Version 9.1(2)
!
hostname ciscoasa
domain-name my.dom
enable password ** encrypted
names
ip local pool pool 10.13.24.1-10.13.24.250 mask 255.255.0.0
!
interface GigabitEthernet0/0
description out
nameif out
security-level 0
ip address 192.168.9.3 255.255.255.248
!
interface GigabitEthernet0/1
description inside
nameif inside
security-level 100
ip address 10.13.0.24 255.255.255.128
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Redundant1
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name my.dom
object network NETWORK_OBJ_10.13.24.0_24
subnet 10.13.24.0 255.255.255.0
access-list Radius-ACL standard permit 10.13.0.0 255.255.0.0
access-list Radius-ACL standard permit 10.64.0.0 255.255.0.0
access-list Radius-ACL standard permit 172.23.40.0 255.255.255.0
access-list FROMOUTSIDE extended permit ip any any
access-list out_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu out 1500
mtu inside 1500
failover
failover lan unit secondary
failover lan interface Falover GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover replication http
failover link Falover GigabitEthernet0/3
failover interface ip Falover 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,out) source static any any destination static NETWORK_OBJ_10.13.24.0_24 NETWORK_OBJ_10.13.24.0_24 no-proxy-arp route-lookup
!
nat (inside,out) after-auto source dynamic any interface
access-group out_access_in in interface out
route out 0.0.0.0 0.0.0.0 192.168.9.1 1
route inside 10.13.0.0 255.255.0.0 10.13.0.1 1
route inside 10.64.0.0 255.255.0.0 10.13.0.1 1
route inside 172.23.30.0 255.255.255.0 10.13.0.1 1
route inside 192.168.3.0 255.255.255.0 10.13.0.1 1
route inside 192.168.15.0 255.255.255.0 10.13.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map AD
map-name memberOf IETF-Radius-Class
dynamic-access-policy-record DfltAccessPolicy
network-acl FROMOUTSIDE
webvpn
url-list none
file-browsing enable
file-entry enable
http-proxy enable
url-entry enable
svc ask none default svc
always-on-vpn profile-setting
aaa-server radius protocol radius
aaa-server radius (inside) host 10.13.1.30
timeout 120
key *****
radius-common-pw ****
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3DES mode transport
crypto ipsec ikev1 transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set 3DES-MD5 mode transport
crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set AES-SHA mode transport
crypto ipsec ikev1 transform-set AES-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set AES-MD5 mode transport
crypto ipsec ikev1 transform-set AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set AES-192-SHA mode transport
crypto ipsec ikev1 transform-set AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set AES-192-MD5 mode transport
crypto ipsec ikev1 transform-set AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set AES-256-SHA mode transport
crypto ipsec ikev1 transform-set AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set AES-256-MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map out_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map out_map interface out
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ASAv
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable out
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable out
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.13.12.0 255.255.255.0 inside
ssh 10.13.16.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 out
webvpn
enable out
anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-linux64-4.6.01103-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 3
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.13.1.10
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
default-domain value my.dom
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
dns-server value 10.13.128.51 10.13.1.10
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Radius-ACL
default-domain value my.dom
split-tunnel-all-dns disable
webvpn
anyconnect firewall-rule client-interface public value Radius-ACL
anyconnect firewall-rule client-interface private value Radius-ACL
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy_Radius internal
group-policy GroupPolicy_Radius attributes
wins-server none
dns-server value 10.13.1.10
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-network-list value Radius-ACL
default-domain value my.dom
username admin password lY46JPhi6AWl7hbO encrypted
username kmsmsi password INv2MlQCDLIy4Kog encrypted privilege 15
username mesitmda password peNNfoPgV8lUidqE encrypted privilege 15
username mesitkai password WKWDjc1PmjbzbKKY encrypted privilege 15
tunnel-group DefaultL2LGroup general-attributes
default-group-policy GroupPolicy_Radius
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key ****
peer-id-validate nocheck
ikev1 trust-point ASDM_TrustPoint1
ikev2 remote-authentication pre-shared-key ******
ikev2 local-authentication certificate ASDM_TrustPoint1
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool pool
authentication-server-group radius
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool pool
authentication-server-group radius
default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
!
class-map inspection_default
match default-inspection-traffic
class-map out-class
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map out-policy
class out-class
inspect pptp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
service-policy out-policy interface out
prompt hostname context
call-home reporting anonymous
Cryptochecksum:
: end


20 May 2020, 14:34

The topic can be closed; the problem turned out to be a funny one.
ssl encryption aes128-sha1 - and everything on the ASA started working right away.

Сервер сетевых политик предоставил доступ пользователю.

Сведения о проверке подлинности:
Имя политики запросов на подключение: Использовать проверку подлинности Windows для всех пользователей
RADIUS-клиент:
Понятное имя клиента: Radius Client

All the detailed logs were dumped on the server: the address the connection came from and which account was trying to log in.


20 May 2020, 16:06
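Added example, not part of the thread or of the poster's configuration: a small Python checker for the AnyConnect-relevant parts of an ASA running-config, covering the three things this thread turned on (an explicit `ssl encryption` cipher list, which trustpoint serves SSL on the outside interface and whether it is self-signed, and whether the tunnel-group's group-policy allows `ssl-client` and points at a RADIUS server group). The config excerpt inside is constructed from the one posted above, trimmed, with the one-space sub-command indentation that `show running-config` prints restored (the pasted copy lost it). The function names `parse_asa_config` and `lint_anyconnect` are mine.

```python
"""Audit the AnyConnect/SSL-relevant settings of a Cisco ASA running-config.

Added example, not from the forum thread. Parses the running-config format
(sub-commands indented one space under their parent line) and reports the
settings the thread discusses: `ssl encryption`, the SSL trustpoint and whether
it is self-signed, and each tunnel-group's protocol set and auth server group.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modeled on the posted config, with indentation restored.
SAMPLE_CONFIG = """\
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=ciscoasa
 crl configure
ssl trust-point ASDM_TrustPoint1 out
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 webvpn
  anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool pool
 authentication-server-group radius
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool pool
 authentication-server-group radius
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
"""


@dataclass
class AsaConfig:
    ssl_ciphers: list = field(default_factory=list)       # from `ssl encryption ...`
    ssl_trustpoints: dict = field(default_factory=dict)   # interface -> trustpoint
    self_signed: set = field(default_factory=set)         # trustpoints with `enrollment self`
    group_policies: dict = field(default_factory=dict)    # name -> sub-command lines
    tunnel_groups: dict = field(default_factory=dict)     # name -> sub-command lines


def parse_asa_config(text: str) -> AsaConfig:
    cfg = AsaConfig()
    current = None  # (kind, name) of the block the indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):  # sub-command (nested blocks are just deeper indent)
            if current is None:
                continue
            kind, name = current
            if kind == "trustpoint" and line == "enrollment self":
                cfg.self_signed.add(name)
            elif kind == "group-policy":
                cfg.group_policies[name].append(line)
            elif kind == "tunnel-group":
                cfg.tunnel_groups[name].append(line)
            continue
        # top-level command: single-line settings, or the start of a block
        if m := re.match(r"ssl encryption (.+)", line):
            cfg.ssl_ciphers, current = m.group(1).split(), None
        elif m := re.match(r"ssl trust-point (\S+) (\S+)", line):
            cfg.ssl_trustpoints[m.group(2)], current = m.group(1), None
        elif m := re.match(r"crypto ca trustpoint (\S+)", line):
            current = ("trustpoint", m.group(1))
        elif m := re.match(r"group-policy (\S+) attributes", line):
            current = ("group-policy", m.group(1))
            cfg.group_policies.setdefault(m.group(1), [])
        elif m := re.match(r"tunnel-group (\S+) \S+-attributes", line):
            current = ("tunnel-group", m.group(1))
            cfg.tunnel_groups.setdefault(m.group(1), [])
        else:
            current = None
    return cfg


def lint_anyconnect(cfg: AsaConfig) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if not cfg.ssl_ciphers:
        findings.append("no explicit 'ssl encryption' cipher list: the TLS ciphers "
                        "offered to AnyConnect depend on the platform default")
    for iface, tp in cfg.ssl_trustpoints.items():
        if tp in cfg.self_signed:
            findings.append(f"ssl trust-point {tp} on '{iface}' is self-signed "
                            "(enrollment self): clients will warn that the gateway is untrusted")
    for name, lines in cfg.tunnel_groups.items():
        policy = next((l.split()[1] for l in lines
                       if l.startswith("default-group-policy ")), "DfltGrpPolicy")
        protos = [l.split()[1:] for l in cfg.group_policies.get(policy, [])
                  if l.startswith("vpn-tunnel-protocol ")]
        if protos and "ssl-client" not in protos[0]:
            findings.append(f"tunnel-group {name} -> {policy}: vpn-tunnel-protocol "
                            "lacks ssl-client, so AnyConnect cannot use this group")
        if not any(l.startswith("authentication-server-group ") for l in lines):
            findings.append(f"tunnel-group {name}: no authentication-server-group, "
                            "users are checked against the LOCAL database")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG),
                        ("with the thread's fix", SAMPLE_CONFIG + "ssl encryption aes128-sha1\n")):
        print(f"--- {label}")
        for finding in lint_anyconnect(parse_asa_config(text)):
            print(" *", finding)
```

Run against the excerpt as posted it flags the missing `ssl encryption` line and the self-signed `ASDM_TrustPoint1` on `out`; appending the thread's `ssl encryption aes128-sha1` clears the first finding and leaves only the certificate warning, which matches what the poster saw at connection time.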