Good day!
I set up a VPN client + ASA 5510 (asa804-k8.bin) combination following
http://www.cisco.com/en/US/docs/security/asa/asa70/quick/gui... I checked that it works with the ASA's local user database, and everything is fine (the ASA recognizes its users and brings up the VPN tunnels).
Next I configured client authorization / authentication following
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/produc...
I disabled Kerberos pre-authentication for the ASA, following
http://blog.loftninjas.org/2007/12/03/which-aaa-protocol-to-.../
The tests from ASDM for both Kerberos authentication and LDAP authorization (I use the same domain controller) succeed, but when the client tries to connect it drops with a message about an invalid username and password, and the Real-Time Log Viewer shows the following:
AAA unable to complete the request Error : reason = Invalid password : user = vpnclient
================================== Log ==================================================
4|Jan 19 2009|10:33:37|113019|||||Group = DefaultRAGroup, Username = , IP = 195.128.91.128, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:01s, Bytes xmt: 800, Bytes rcv: 1011, Reason: L2TP initiated
6|Jan 19 2009|10:33:37|602304|||||IPSEC: An outbound remote access SA (SPI= 0x557A9CFC) between 195.128.91.254 and 195.128.91.128 (user= DefaultRAGroup) has been deleted.
6|Jan 19 2009|10:33:37|602304|||||IPSEC: An inbound remote access SA (SPI= 0x5E13F6CC) between 195.128.91.254 and 195.128.91.128 (user= DefaultRAGroup) has been deleted.
6|Jan 19 2009|10:33:37|603107|||||L2TP Tunnel deleted, tunnel_id = 15, remote_peer_ip = 195.128.91.128
6|Jan 19 2009|10:33:37|603106|||||L2TP Tunnel created, tunnel_id is 15, remote_peer_ip is 195.128.91.128
4|Jan 19 2009|10:33:37|737013|||||IPAA: Error freeing address 0.0.0.0, not found
6|Jan 19 2009|10:33:37|113013|||||AAA unable to complete the request Error : reason = Invalid password : user = vpnclient
6|Jan 19 2009|10:33:37|302015|195.128.91.128|1367|195.128.91.254|1701|Built inbound UDP connection 128 for outside:195.128.91.128/1367 (195.128.91.128/1367) to identity:195.128.91.254/1701 (195.128.91.254/1701)
5|Jan 19 2009|10:33:36|713120|||||Group = DefaultRAGroup, IP = 195.128.91.128, PHASE 2 COMPLETED (msgid=933328cc)
6|Jan 19 2009|10:33:36|602303|||||IPSEC: An inbound remote access SA (SPI= 0x5E13F6CC) between 195.128.91.254 and 195.128.91.128 (user= DefaultRAGroup) has been created.
5|Jan 19 2009|10:33:36|713049|||||Group = DefaultRAGroup, IP = 195.128.91.128, Security negotiation complete for User () Responder, Inbound SPI = 0x5e13f6cc, Outbound SPI = 0x557a9cfc
6|Jan 19 2009|10:33:36|602303|||||IPSEC: An outbound remote access SA (SPI= 0x557A9CFC) between 195.128.91.254 and 195.128.91.128 (user= DefaultRAGroup) has been created.
6|Jan 19 2009|10:33:36|713177|||||Group = DefaultRAGroup, IP = 195.128.91.128, Received remote Proxy Host FQDN in ID Payload: Host Name: tms-bdc45284143 Address 195.128.91.128, Protocol 17, Port 1701
5|Jan 19 2009|10:33:36|713119|||||Group = DefaultRAGroup, IP = 195.128.91.128, PHASE 1 COMPLETED
6|Jan 19 2009|10:33:36|113009|||||AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup
4|Jan 19 2009|10:33:36|713903|||||Group = DefaultRAGroup, IP = 195.128.91.128, Freeing previously allocated memory for authorization-dn-attributes
6|Jan 19 2009|10:33:36|713172|||||Group = DefaultRAGroup, IP = 195.128.91.128, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
================================== Log ==================================================
================================== Config ===============================================
dynamic-access-policy-record DfltAccessPolicy
aaa-server authen_compumark protocol kerberos
aaa-server authen_compumark (inside) host 192.168.91.25
kerberos-realm COMPUMARK.LEXMARK.RU
aaa-server author_compumark protocol ldap
aaa-server author_compumark (inside) host 192.168.91.25
ldap-base-dn DC=compumark,DC=lexmark,DC=ru
ldap-scope subtree
ldap-naming-attribute userPrincipalName
ldap-login-password *
ldap-login-dn compumark admin
server-type microsoft
================================== Config ===============================================
Please tell me what I missed or failed to take into account.
Thanks!
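One way to read an ASDM Real-Time Log Viewer export like the one above mechanically, as an added example that is not part of the original post: it parses the pipe-delimited lines, records which stages of the L2TP-over-IPsec connection were logged, and pulls out the AAA failure reason and user. The field order and message IDs are taken from the log shown; the sample lines are copied from it.

```python
"""Triage an ASDM Real-Time Log Viewer export for a remote-access VPN attempt."""
import re

# Constructed sample: lines copied from the post, in the ASDM export format
# severity|date|time|message-id|src|sport|dst|dport|text (newest line first).
SAMPLE_LOG = """\
4|Jan 19 2009|10:33:37|113019|||||Group = DefaultRAGroup, Username = , IP = 195.128.91.128, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:01s, Bytes xmt: 800, Bytes rcv: 1011, Reason: L2TP initiated
6|Jan 19 2009|10:33:37|603106|||||L2TP Tunnel created, tunnel_id is 15, remote_peer_ip is 195.128.91.128
6|Jan 19 2009|10:33:37|113013|||||AAA unable to complete the request Error : reason = Invalid password : user = vpnclient
5|Jan 19 2009|10:33:36|713120|||||Group = DefaultRAGroup, IP = 195.128.91.128, PHASE 2 COMPLETED (msgid=933328cc)
5|Jan 19 2009|10:33:36|713119|||||Group = DefaultRAGroup, IP = 195.128.91.128, PHASE 1 COMPLETED
"""

# Message IDs that mark a successfully completed stage of an L2TP-over-IPsec connection.
STAGES = [("713119", "IKE phase 1"), ("713120", "IPsec phase 2"), ("603106", "L2TP tunnel")]
# Text of message 113013 ("AAA unable to complete the request ...").
AAA_FAIL_RE = re.compile(r"reason = (?P<reason>.+?) : user = (?P<user>\S+)")

def parse_asdm_line(line):
    """Split one pipe-delimited ASDM line into its nine fields; None if malformed."""
    fields = line.rstrip("\n").split("|", 8)
    if len(fields) != 9:
        return None
    keys = ("severity", "date", "time", "msgid", "src", "sport", "dst", "dport", "text")
    return dict(zip(keys, fields))

def triage(log_text):
    """Return (stages_seen, aaa_failure); aaa_failure is None when no 113013 is logged."""
    seen, failure = {}, None
    for rec in filter(None, map(parse_asdm_line, log_text.splitlines())):
        for msgid, stage in STAGES:
            if rec["msgid"] == msgid:
                seen[stage] = rec["time"]
        if rec["msgid"] == "113013":
            m = AAA_FAIL_RE.search(rec["text"])
            if m:
                failure = {"user": m["user"], "reason": m["reason"].strip()}
    return seen, failure

def diagnose(log_text):
    """One-line summary: which stages completed and where AAA rejected the user."""
    seen, failure = triage(log_text)
    done = ", ".join(stage for _, stage in STAGES if stage in seen)
    if failure:
        return f"{done} completed; AAA rejected user {failure['user']}: {failure['reason']}"
    return f"{done} completed; no AAA failure logged"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

For the export in the post this reports that IKE, IPsec and the L2TP tunnel all came up and the rejection happened only at the AAA user-authentication step, which narrows the problem to the authentication path rather than the tunnel.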