AAA Password Expiry in Cisco IOS EasyVPN

Apr 07, 2018

Valentina Pavic
  • 8/6/2019 AAA Password Expiry in Cisco IOS EasyVPN

    2006 Cisco Systems, Inc. All rights reserved. Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.

    NETWORK DIAGRAM

    This document uses the network setup shown in Figure 1.

    Figure 1. Network Setup

    CONVENTIONS

    For more information about document conventions, refer to the Cisco Technical Tips Conventions.

    CONFIGURE CISCO EASY VPN WITH PASSWORD EXPIRY FEATURE

    To configure AAA to perform MS-CHAP2-style authentication, do the following:

    Step 1. A new sub-option, passwd-expiry, is used to support the Password Expiry feature:

    aaa authentication login <list-name> passwd-expiry group <server-group-name>|radius

    Step 2. If you use the <server-group-name> option, configure the following:

    aaa group server radius <server-group-name>

    server <ip-address>

    or, if you use the radius option, configure:

    radius-server host <ip-address> auth-port 1645 acct-port 1646 key <key>

    Step 3. A client (for example, Crypto) can associate with AAA using:

    crypto map <map-name> client authentication list <list-name>

    The list name maps to the list defined in Step 1.

    http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml

    Cisco 2821 Integrated Services Router Configuration Using Crypto Map

    !

    version 12.4

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname xinl-gateway

    !

    aaa new-model

    !

    !

    aaa authentication login USERAUTH passwd-expiry group radius

    aaa authorization network branch local

    !

    aaa session-id common

    !

    resource policy

    !

    !

    ip cef

    !

    !

    no ip domain lookup

    ip domain name cisco.com

    !

    !

    !

    crypto pki trustpoint TP-self-signed-523425186

    enrollment selfsigned

    subject-name cn=IOS-Self-Signed-Certificate-523425186

    revocation-check none

    rsakeypair TP-self-signed-523425186

    !

    !

    crypto pki certificate chain TP-self-signed-523425186

    certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer

    username cisco privilege 15 secret 5 $1$A3HU$bCWjlkrEztDJx6JJzSnMV1

    !

    !

    crypto isakmp policy 1

    encr 3des

    authentication pre-share

    group 2

    crypto isakmp client configuration address-pool local dynpool

    !

    crypto isakmp client configuration group branch

    key cisco

    domain cisco.com

    pool dynpool

    !

    !

    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac

    !

    crypto dynamic-map dynmap 1

    set transform-set transform-1

    reverse-route

    !

    !

    crypto map dynmap client authentication list USERAUTH

    crypto map dynmap isakmp authorization list branch

    crypto map dynmap client configuration address respond

    crypto map dynmap 1 ipsec-isakmp dynamic dynmap

    !

    !

    !

    interface GigabitEthernet0/0

    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

    ip address 200.1.1.100 255.255.255.0

    duplex auto

    speed auto

    crypto map dynmap

    !

    interface GigabitEthernet0/1

    description $ES_LAN$

    ip address 172.19.217.96 255.255.255.0

    duplex auto

    speed auto

    !

    ip local pool dynpool 10.2.122.211 10.2.122.213

    ip route 0.0.0.0 0.0.0.0 172.19.217.1

    !

    !

    ip http server

    ip http authentication local

    ip http secure-server

    ip http timeout-policy idle 5 life 86400 requests 10000

    !

    !

    !

    radius-server host 172.19.220.149 auth-port 1645 acct-port 1646 key cisco

    radius-server vsa send authentication

    !

    control-plane

    !

    !

    line con 0

    line aux 0

    line vty 0 4

    privilege level 15

    transport input telnet ssh

    line vty 5 15

    privilege level 15

    transport input telnet ssh

    !

    scheduler allocate 20000 1000

    !

    End

    Cisco 2821 Integrated Services Router Configuration Using DVTI

    !

    version 12.4

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname xinl-gateway

    !

    aaa new-model

    !

    !

    aaa authentication login USERAUTH passwd-expiry group radius

    aaa authorization network branch local

    !

    aaa session-id common

    !

    resource policy

    !

    !

    !

    ip cef

    !

    !

    no ip domain lookup

    ip domain name cisco.com

    !

    !

    !

    crypto pki trustpoint TP-self-signed-523425186

    enrollment selfsigned

    subject-name cn=IOS-Self-Signed-Certificate-523425186

    revocation-check none

    rsakeypair TP-self-signed-523425186

    !

    !

    crypto pki certificate chain TP-self-signed-523425186

    certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer

    username cisco privilege 15 secret 5 $1$A3HU$bCWjlkrEztDJx6JJzSnMV1

    username user1 password 0 password1

    !

    !

    policy-map FOO

    class class-default

    shape average 128000

    !

    !

    crypto logging ezvpn

    !

    crypto isakmp policy 1

    encr 3des

    authentication pre-share

    group 2

    !

    crypto isakmp client configuration group branch

    key cisco

    domain cisco.com

    pool dynpool

    acl 150

    crypto isakmp profile vi

    match identity group branch

    client authentication list USERAUTH

    isakmp authorization list branch

    client configuration address respond

    virtual-template 1

    !

    !

    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac

    !

    crypto ipsec profile vi

    set transform-set transform-1

    set isakmp-profile vi

    !

    !

    !

    !

    interface GigabitEthernet0/0

    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

    ip address 200.1.1.100 255.255.255.0

    duplex auto

    speed auto

    !

    interface GigabitEthernet0/1

    description $ES_LAN$

    ip address 172.19.217.96 255.255.255.0

    duplex auto

    speed auto

    !

    interface Virtual-Template1 type tunnel

    ip unnumbered GigabitEthernet0/0

    tunnel source GigabitEthernet0/0

    tunnel mode ipsec ipv4

    tunnel protection ipsec profile vi

    service-policy output FOO

    !

    ip local pool dynpool 10.2.122.211 10.2.122.213

    ip route 0.0.0.0 0.0.0.0 172.19.217.1

    !

    !

    ip http server

    ip http authentication local

    ip http secure-server

    ip http timeout-policy idle 5 life 86400 requests 10000

    !

    Configure Cisco Secure ACS

    Use the following procedure to configure Cisco Secure ACS:

    Step 1. Define the Cisco 2800 Series router as an AAA client. Be sure to select RADIUS (Cisco IOS/PIX) as the authentication method. Refer to Figure 2.

    Figure 2. AAA Client Configuration

    Step 2. Define the external user database for Windows Active Directory users.

    Be sure to check the Dialin Permission and MS-CHAP2 boxes, and enter the domain name for the Windows Active Directory server (Figures 3 and 4).

    Figure 3. Defining External User Database

    Step 3. Add the external user to the Cisco Secure ACS user database. It is a reference pointing to the Windows Active Directory database.

    Be sure to select Windows Database as the Password Authentication type (Figure 5).

    Figure 5. User Setup

    Step 4. Define a VPN user on Windows Active Directory.

    Note: Windows users must check Allow access under Remote Access Permission on the Dial-in tab (Figure 6) and check User must change password at next logon under the Account tab (Figure 7) in the user profile.

    Figure 6. Active Directory User Configuration: Remote Access Permission

    Figure 7. Active Directory User Configuration: Account Options

    Verify

    The following examples demonstrate how the RADIUS Password Expiry feature works when the Windows password expires. The VPN user is informed that the password has expired and prompted to enter a new one.

    Step 1. Launch the Cisco VPN Client (Figure 8).

    Figure 8. Cisco VPN Client

    Step 2. Type your username and password to log in. Then click OK (Figure 9).

    Figure 9. User Authentication

    Step 3. When the Windows password expires, you will be prompted to change the password. Type a new password. Type it again to confirm it, and click OK (Figure 10).

    Figure 10. Change Password

    Troubleshoot

    Before examining the debug messages, consider the Microsoft vendor-specific attributes needed to understand this feature. The following Microsoft attributes are generated or processed by AAA to provide password expiry support.

    MS-CHAP-Error: The MS-CHAP-Error attribute contains error data related to the preceding MS-CHAP exchange. This attribute can be used in MS-CHAP2; it is used only in Access-Reject packets.

    MS-CHAP2-CPW: This attribute allows users to change their password if it has expired. It is used only in conjunction with the MS-CHAP-NT-Enc-PW attribute in Access-Request packets, and should be included only if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is 3.

    MS-CHAP-NT-Enc-PW: This attribute contains the new Windows NT password encrypted with the old Windows NT password hash. The encrypted Windows NT password is 516 octets long. Because this is longer than the maximum length of a RADIUS attribute, the password must be split into several attributes for transmission. A 2-octet sequence number is included in the attribute to help preserve ordering of the password fragments. This attribute is used only in Access-Request packets, in conjunction with MS-CHAP-CPW-2 and MS-CHAP2-CPW attributes. It should be included only if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is 2 or greater.

    MS-CHAP2-Response: This attribute contains the response value provided by an MS-CHAP2 peer in response to the challenge. It is used only in Access-Request packets.

    MS-CHAP2-Success: This attribute contains a 42-octet authenticator response string, which must be included in the message field of the MS-CHAP2 Success packet sent from the network access server to the peer. This attribute is used only in Access-Accept packets.
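
    As an added example (not part of the original Cisco document), the following Python decodes the MS-CHAP-Error value from this page's debug output, validates MS-CHAP-NT-Enc-PW fragment ordering, and redacts the password attributes, which the debug output prints as plain hex-encoded ASCII. It assumes each displayed fragment value is a 1-octet Ident, a 2-octet sequence number and 172 octets of data (consistent with the 175-octet lengths shown in the debug output); the function names and the fragment bytes are constructed for illustration.

```python
import re

# E= failure codes for the MS-CHAP-Error string (RFC 2759, section 6).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Shape of the "add attr" lines that "debug aaa attributes" prints on this page.
ATTR_RE = re.compile(
    r"AAA/ATTR\([0-9A-F]+\): add attr: \S+ \d+ \S+ "
    r"(?P<name>[\w-]+)\(\d+\) \d+ (?P<value>.*)$"
)
# Attributes whose value is the secret itself, printed as hex-encoded ASCII.
SECRET_RE = re.compile(r"((?:tunnel-password|password)\(\d+\) \d+) [0-9A-F ]+")

# Two lines copied from this page's debug output, with wrapped lines rejoined.
SAMPLE_LOG = (
    "*Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAF8C 0 0000000A "
    "password(242) 8 63 69 73 63 6F 31 32 33\n"
    "*Mar 10 03:19:29.550: AAA/ATTR(00000000): add attr: 446DAF78 0 00000009 "
    "MS-CHAP-Error(489) 14 01 45 3D 36 34 38 20 52 3D 30 20 56 3D 33\n"
)


def parse_attr_lines(log_text):
    """Return {attribute name: displayed value} for each 'add attr' line."""
    found = {}
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            found[m.group("name")] = m.group("value").strip()
    return found


def decode_mschap_error(hex_value):
    """Decode the displayed MS-CHAP-Error value: Ident octet + 'E=.. R=.. V=..'."""
    raw = bytes.fromhex(hex_value.replace(" ", ""))
    fields = dict(re.findall(r"([ERCV])=(\S+)", raw[1:].decode("ascii")))
    code = int(fields["E"])
    return {
        "ident": raw[0],
        "code": code,
        "meaning": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
        "version": int(fields["V"]),
        # Only E=648 justifies a follow-up change-password Access-Request.
        "password_expired": code == 648,
    }


def constructed_fragment(seq, ident=1):
    """Constructed test data: Ident + 2-octet sequence + 172 filler octets."""
    return bytes([ident]) + seq.to_bytes(2, "big") + bytes([seq]) * 172


def reassemble_enc_pw(fragments):
    """Order MS-CHAP-NT-Enc-PW fragments by sequence number and validate them."""
    parts = sorted((int.from_bytes(f[1:3], "big"), f[0], f[3:]) for f in fragments)
    if len({ident for _, ident, _ in parts}) != 1:
        raise ValueError("fragments carry different Ident values")
    seqs = [seq for seq, _, _ in parts]
    if seqs != list(range(1, len(parts) + 1)):
        raise ValueError(f"missing or duplicate fragment: sequence numbers {seqs}")
    blob = b"".join(data for _, _, data in parts)
    if len(blob) != 516:
        raise ValueError(f"expected 516 octets, got {len(blob)}")
    return blob


def redact_secrets(log_text):
    """Replace the hex of password attributes before debug output is shared."""
    return SECRET_RE.sub(r"\1 <redacted>", log_text)


if __name__ == "__main__":
    attrs = parse_attr_lines(SAMPLE_LOG)
    print(decode_mschap_error(attrs["MS-CHAP-Error"]))
    frags = [constructed_fragment(s) for s in (3, 1, 2)]  # arrive out of order
    print(len(reassemble_enc_pw(frags)), "octets reassembled")
    print(redact_secrets(SAMPLE_LOG), end="")
```
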

    The following section shows the debug messages captured on the Cisco 2821 Integrated Services Router with Cisco IOS Software during a tunnel negotiation. Refer to the bold portions to see how AAA attributes are passed between the Cisco Secure ACS and the Cisco IOS Easy VPN Server to inform the VPN user that the password has expired, and to take the new Windows password back from the VPN user to the Windows user database.

    Turn on the following debug commands on the Cisco 2821 Integrated Services Router:

    debug aaa authentication

    debug ppp authentication

    debug aaa attributes

    *Mar 10 03:19:14.570: AAA/ATTR(000015C7): new list: 0x451A04E8

    *Mar 10 03:19:14.570: AAA/ATTR(000015C7): cursor init: 44FE4F78 451A04E8 none none

    *Mar 10 03:19:14.570: AAA/ATTR(000015C7): find: port-type(162): not found

    *Mar 10 03:19:14.570: AAA/ATTR(000015C7): add attr: 451A0500 0 00000001 port-type(162) 4 Virtual

    Terminal

    *Mar 10 03:19:14.570: AAA/BIND(000015C7): Bind i/f

    *Mar 10 03:19:14.570: AAA/ATTR(000015C7): new list: 0x451A1588

    *Mar 10 03:19:14.574: AAA/ATTR(000015C7): add attr: 451A15A0 0 00000001 session-id(323) 4 5575(15C7)

    *Mar 10 03:19:14.602: AAA/ATTR(000015C7): copy lists

    *Mar 10 03:19:14.602: AAA/ATTR(000015C7): new list: 0x44E5678C old list: 451A04E8

    *Mar 10 03:19:14.602: AAA/ATTR(000015C7): new list: 0x4519D0DC

    *Mar 10 03:19:14.602: AAA/ATTR(000015C7): add attr: 4519D0F4 0 0000000A username(352) 6 branch

    *Mar 10 03:19:14.602: AAA/ATTR(000015C7): add attr: 4519D108 0 0000000A password(242) 5 63 69 73 63

    6F

    *Mar 10 03:19:14.602: AAA/ATTR(000015C7): add attr: 4519D11C 0 0000000A clid(28) 9 200.1.1.3

    *Mar 10 03:19:14.602: AAA/ATTR(000015C7): cursor init: 44A15F78 4519D0DC none unknown

    *Mar 10 03:19:14.602: AAA/ATTR(000015C7): find: 4519D0F4 0 0000000A username(352) 6 branch

    *Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D130 0 00000009 tunnel-password(343) 5 63 69

    73 63 6F

    *Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D144 0 0000000A default-domain(571) 9

    cisco.com

    *Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D158 0 0000000A addr-pool(9) 7 dynpool

    *Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D16C 0 0000000A inacl(101) 3 150

    *Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D180 0 0000000A dns-servers(44) 15 0.0.0.0

    0.0.0.0

    *Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D194 0 0000000A wins-servers(370) 15 0.0.0.0

    0.0.0.0

    *Mar 10 03:19:14.606: AAA/ATTR(00000000): add attr: 4519D1A8 0 0000000A cpp-policy(580) 10

    cpp-policy

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): copy lists

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): new list: 0x4416B2F0 old list: 4519D0DC

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): cursor init: 44FE5238 4416B2F0 ike ipsec

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): username service:ike protocol:ipsec skip

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): password service:ike protocol:ipsec skip

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): clid service:ike protocol:ipsec skip

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): tunnel-password ok

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): default-domain ok

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): addr-pool ok

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): inacl ok

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): dns-servers ok

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): wins-servers ok

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): cpp-policy ok

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): not found

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): free all lists: 0x4519D0DC

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D0F4 0 0000000A username(352) 6 branch

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D108 0 0000000A password(242) 5 63 69 73 63

    6F

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D11C 0 0000000A clid(28) 9 200.1.1.3

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D130 0 00000009 tunnel-password(343) 5 63 69

    73 63 6F

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D144 0 0000000A default-domain(571) 9

    cisco.com

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D158 0 0000000A addr-pool(9) 7 dynpool

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D16C 0 0000000A inacl(101) 3 150

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D180 0 0000000A dns-servers(44) 15 0.0.0.0

    0.0.0.0

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D194 0 0000000A wins-servers(370) 15 0.0.0.0

    0.0.0.0

    *Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D1A8 0 0000000A cpp-policy(580) 10

    cpp-policy

    *Mar 10 03:19:14.610: AAA/ATTR(000015C7): free all lists: 0x44E5678C

    *Mar 10 03:19:14.610: AAA/ATTR(000015C7): del attr: 44E567A4 0 00000001 port-type(162) 4 Virtual

    Terminal

    *Mar 10 03:19:14.634: AAA/ATTR(000015C8): new list: 0x451CDCC0

    *Mar 10 03:19:14.634: AAA/ATTR(000015C8): cursor init: 44FE4E00 451CDCC0 none none

    *Mar 10 03:19:14.634: AAA/ATTR(000015C8): find: port-type(162): not found

    *Mar 10 03:19:14.634: AAA/ATTR(000015C8): add attr: 451CDCD8 0 00000001 port-type(162) 4 Virtual

    Terminal

    *Mar 10 03:19:14.634: AAA/ATTR(000015C8): find: interface(158): not found

    *Mar 10 03:19:14.634: AAA/ATTR(000015C8): add attr: 451CDCEC 0 00000009 interface(158) 11

    200.1.1.100

    *Mar 10 03:19:14.634: AAA/BIND(000015C8): Bind i/f

    *Mar 10 03:19:14.634: AAA/ATTR(000015C8): new list: 0x4519D0DC

    *Mar 10 03:19:14.634: AAA/ATTR(000015C8): add attr: 4519D0F4 0 00000001 session-id(323) 4 5576(15C8)

    *Mar 10 03:19:14.634: AAA/ATTR(000015C7): free all lists: 0x451A1588

    *Mar 10 03:19:14.634: AAA/ATTR(000015C7): del attr: 451A15A0 0 00000001 session-id(323) 4 5575(15C7)

    *Mar 10 03:19:14.634: AAA/ATTR(000015C7): free all lists: 0x451A04E8

    *Mar 10 03:19:14.634: AAA/ATTR(000015C7): del attr: 451A0500 0 00000001 port-type(162) 4 Virtual

    Terminal

    *Mar 10 03:19:29.494: AAA/AUTHEN/LOGIN (000015C8): Pick method list 'USERAUTH'

    *Mar 10 03:19:29.494: AAA/ATTR(000015C8): copy lists

    *Mar 10 03:19:29.494: AAA/ATTR(000015C8): new list: 0x451A1588 old list: 451CDCC0

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): new list: 0x446DAF60

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAF78 0 0000000A username(352) 8 vpnuser1

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAF8C 0 0000000A password(242) 8 63 69 73 63

    6F 31 32 33

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAFA0 0 0000000A clid(28) 9 200.1.1.3

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): cursor init: 445DE970 446DAF60 none unknown

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): find: 446DAF8C 0 0000000A password(242) 8 63 69 73 63 6F

    31 32 33

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): delete attr: 446DAF60 00000000 1

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): del attr: 446DAF8C 0 0000000A password(242) 8 63 69 73 63

    6F 31 32 33

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): find: 446DAF78 0 0000000A username(352) 8 vpnuser1

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAFB4 0 00000009 challenge(22) 16 19 AE DA 8A

    5F FE F3 95 32 2D 74 AD 0A 01 8D FD

    *Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAFC8 0 00000001 id(23) 4 1(1)

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): add attr: 446DAFDC 0 00000009 response(24) 49 66 5D 60 77

    74 2C 11 55 1A 15 28 79 CA C0 51 70 00 00 00 00 00 00 00 00 94 D0 68 B2 8D 0B 6

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DEA08 446DAF60 none unknown

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find: 446DAF78 0 0000000A username(352) 8 vpnuser1

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DEA08 446DAF60 none unknown

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find: password(242): not found

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DEAA0 446DAF60 none unknown

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find: 446DAF78 0 0000000A username(352) 8 vpnuser1

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DE9A8 446DAF60 none none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): username ok

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): clid ok

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): challenge ok

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): id ok

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): response ok

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): not found

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DE9A8 451A1588 none none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): port-type ok

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): interface ok

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none

    *Mar 10 03:19:29.502: AAA/ATTR(000015C8): not found

    *Mar 10 03:19:29.546: AAA/ATTR(000015C8): free all lists: 0x446DAF60

    *Mar 10 03:19:29.546: AAA/ATTR(000015C8): del attr: 446DAF78 0 0000000A username(352) 8 vpnuser1

    *Mar 10 03:19:29.546: AAA/ATTR(000015C8): del attr: 446DAF8C 0 0000000A password(242) 8 63 69 73 63

    6F 31 32 33

    *Mar 10 03:19:29.546: AAA/ATTR(000015C8): del attr: 446DAFA0 0 0000000A clid(28) 9 200.1.1.3

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAFB4 0 00000009 challenge(22) 16 19 AE DA 8A

    5F FE F3 95 32 2D 74 AD 0A 01 8D FD

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAFC8 0 00000001 id(23) 4 1(1)

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAFDC 0 00000009 response(24) 49 66 5D 60 77

    74 2C 11 55 1A 15 28 79 CA C0 51 70 00 00 00 00 00 00 00 00 94 D0 68 B2 8D 0B 6

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): new list: 0x446DAF60

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): cursor init: 4519FE70 446DAF60 none none

    *Mar 10 03:19:29.550: AAA/ATTR(00000000): add attr: 446DAF78 0 00000009 MS-CHAP-Error(489) 14 01 45

    3D 36 34 38 20 52 3D 30 20 56 3D 33

    *Mar 10 03:19:29.550: AAA/ATTR(00000000): add attr: 446DAF8C 0 00000009 reply-message(203) 10

    Rejected

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): cursor init: 4519FDC8 446DAF60 none unknown

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): find: mschap-v2-success(513): not found

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): find: 446DAF78 0 00000009 MS-CHAP-Error(489) 14 01 45 3D

    36 34 38 20 52 3D 30 20 56 3D 33

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): add attr: 446DAFA0 0 00000009 reply-message(203) 14 E=648

    R=0 V=3

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): cursor init: 44FE5288 446DAF60 ike ipsec

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): find: 446DAF8C 0 00000009 reply-message(203) 10 Rejected

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): delete attr: 446DAF60 00000000 1

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAF8C 0 00000009 reply-message(203) 10

    Rejected

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): free all lists: 0x446DAF60

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAF78 0 00000009 MS-CHAP-Error(489) 14 01 45

    3D 36 34 38 20 52 3D 30 20 56 3D 33

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAF8C 0 00000009 reply-message(203) 10

    Rejected

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAFA0 0 00000009 reply-message(203) 14 E=648

    R=0 V=3

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): free all lists: 0x451A1588

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 451A15A0 0 00000001 port-type(162) 4 Virtual

    Terminal

    *Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 451A15B4 0 00000009 interface(158) 11

    200.1.1.100

    *Mar 10 04:14:12.386: AAA/AUTHEN/LOGIN (000015DC): Pick method list 'USERAUTH'

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): copy lists

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): new list: 0x44E1BC8C old list: 44E8D658

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): new list: 0x446DAC48

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): add attr: 446DAC60 0 0000000A username(352) 8 vpnuser1

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): add attr: 446DAC74 0 0000000A password(242) 8 63 69 73 63 6F 31 32 33

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): add attr: 446DAC88 0 0000000A clid(28) 9 200.1.1.3

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): cursor init: 445DE970 446DAC48 none unknown

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): find: 446DAC74 0 0000000A password(242) 8 63 69 73 63 6F

    31 32 33

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): delete attr: 446DAC48 00000000 1

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): del attr: 446DAC74 0 0000000A password(242) 8 63 69 73 63

    6F 31 32 33

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): free all lists: 0x446DAC48

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): del attr: 446DAC60 0 0000000A username(352) 8 vpnuser1

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): del attr: 446DAC74 0 0000000A password(242) 8 63 69 73 63

    6F 31 32 33

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): del attr: 446DAC88 0 0000000A clid(28) 9 200.1.1.3

    *Mar 10 04:14:12.386: AAA/ATTR(000015DC): new list: 0x446DAC48

    *Mar 10 04:14:12.390: AAA/ATTR(000015DC): add attr: 446DAC60 0 00000009 username(352) 8 vpnuser1

    *Mar 10 04:14:12.390: AAA/ATTR(000015DC): add attr: 446DAC74 0 00000009 challenge(22) 16 AF B4 3E A6 B0 1F 63 F7 FC E3 2B E6 7C 30 E8 BC

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): add attr: 446DAC88 0 00000009 MS-CHAP-CPW-2(514) 67 01 42 97 6F 67 F7 AC A3 1C 37 98 0B 71 CF B9 25 C5 98 12 5A BF F7 07 14 2C 45 C0 24 C

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): add attr: 446DAC9C 0 00000009 MS-CHAP-NT-Enc-PW1(490) 175 01 00 01 C3 83 9E EC 48 E7 BF C7 4C CA 4A D9 2B 5C 11 8D 9A 22 8B 20 0E 3A 67 A

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): add attr: 446DACB0 0 00000009 MS-CHAP-NT-Enc-PW2(491) 175 01 00 02 74 57 58 0D BB DB 1A 34 71 E2 EE 43 12 A5 2A 17 19 E6 41 FD 13 42 F5 4

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): add attr: 446DACC4 0 00000009 MS-CHAP-NT-Enc-PW3(492) 175 01 00 03 9F 44 EC D1 00 F1 C0 E9 67 41 99 09 1E E7 09 C4 3E 00 80 EC 5B F3 02 3

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): cursor init: 445DEA08 446DAC48 none unknown

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): find: 446DAC60 0 00000009 username(352) 8 vpnuser1

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): cursor init: 445DEA08 446DAC48 none unknown

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): find: password(242): not found

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): cursor init: 445DEAA0 446DAC48 none unknown

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): find: 446DAC60 0 00000009 username(352) 8 vpnuser1

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): cursor init: 445DE9A8 446DAC48 none none

    *Mar 10 04:14:12.394: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): username ok

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): challenge ok

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): MS-CHAP-CPW-2 ok

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): MS-CHAP-NT-Enc-PW1 ok

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): MS-CHAP-NT-Enc-PW2 ok

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): MS-CHAP-NT-Enc-PW3 ok


    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): not found

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): cursor init: 445DE9A8 44E1BC8C none none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): port-type ok

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): interface ok

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.398: AAA/ATTR(000015DC): not found

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): free all lists: 0x446DAC48

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DAC60 0 00000009 username(352) 8 vpnuser1

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DAC74 0 00000009 challenge(22) 16 AF B4 3E A6 B0 1F 63 F7 FC E3 2B E6 7C 30 E8 BC

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DAC88 0 00000009 MS-CHAP-CPW-2(514) 67 01 42 97 6F 67 F7 AC A3 1C 37 98 0B 71 CF B9 25 C5 98 12 5A BF F7 07 14 2C 45 C0 24 C

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DAC9C 0 00000009 MS-CHAP-NT-Enc-PW1(490) 175 01 00 01 C3 83 9E EC 48 E7 BF C7 4C CA 4A D9 2B 5C 11 8D 9A 22 8B 20 0E 3A 67 A

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DACB0 0 00000009 MS-CHAP-NT-Enc-PW2(491) 175 01 00 02 74 57 58 0D BB DB 1A 34 71 E2 EE 43 12 A5 2A 17 19 E6 41 FD 13 42 F5 4

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DACC4 0 00000009 MS-CHAP-NT-Enc-PW3(492) 175 01 00 03 9F 44 EC D1 00 F1 C0 E9 67 41 99 09 1E E7 09 C4 3E 00 80 EC 5B F3 02 3

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): new list: 0x446DAC48

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): cursor init: 4519FE70 446DAC48 none none

    *Mar 10 04:14:12.486: AAA/ATTR(00000000): add attr: 446DAC60 0 00000009 mschap-v2-success(513) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728

    *Mar 10 04:14:12.486: AAA/ATTR(00000000): add attr: 446DAC74 0 00000001 addrv4(7) 4 255.255.255.255

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): new list: 0x44EA1950

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): new list: 0x451C5360

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): cursor init: 4519FDB0 451C5360 none none

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): find next matching service=none, protocol=none

    *Mar 10 04:14:12.486: AAA/ATTR(000015DC): not found

    *Mar 10 04:14:12.486: AAA/ATTR(00000000): add attr: 451C5378 0 00000009 class(301) 28 43 49 53 43 4F 41 43 53 3A 30 30 30 31 32 39 30 35 2F 61 63 31 33 64 39 36 30 2F 31

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): cursor init: 4519FDC8 446DAC48 none unknown

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): find: 446DAC60 0 00000009 mschap-v2-success(513) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): add attr: 446DAC88 0 00000009 reply-message(203) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728


    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): free all lists: 0x451C4970

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4988 0 0000000A username(352) 6 branch

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C499C 0 0000000A password(242) 5 63 69 73 63 6F

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C49B0 0 0000000A clid(28) 9 200.1.1.3

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C49C4 0 00000009 tunnel-password(343) 5 63 69 73 63 6F

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C49D8 0 0000000A default-domain(571) 9 cisco.com

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C49EC 0 0000000A addr-pool(9) 7 dynpool

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4A00 0 0000000A inacl(101) 3 150

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4A14 0 0000000A dns-servers(44) 15 0.0.0.0 0.0.0.0

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4A28 0 0000000A wins-servers(370) 15 0.0.0.0 0.0.0.0

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4A3C 0 0000000A cpp-policy(580) 10 cpp-policy

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): copy lists

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): new list: 0x451C4970 old list: 446DAC48

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): cursor init: 44FE5210 451C4970 ike ipsec

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): mschap-v2-success skip

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): addrv4 ok

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): reply-message skip

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): not found

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): free all lists: 0x446DAC48

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 446DAC60 0 00000009 mschap-v2-success(513) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 446DAC74 0 00000001 addrv4(7) 4 255.255.255.255

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 446DAC88 0 00000009 reply-message(203) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): free all lists: 0x44E1BC8C

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 44E1BCA4 0 00000001 port-type(162) 4 Virtual Terminal

    *Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 44E1BCB8 0 00000009 interface(158) 11 200.1.1.100

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): copy lists

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): new list: 0x44E1BC8C old list: 44E8D658

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): new list: 0x446DAC48

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): add attr: 446DAC60 0 0000000A username(352) 6 branch

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): add attr: 446DAC74 0 0000000A password(242) 5 63 69 73 63 6F


    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): add attr: 446DAC88 0 0000000A clid(28) 9 200.1.1.3

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): add attr: 446DAC9C 0 00000002 port-type(162) 4 Virtual Terminal

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): cursor init: 44A15F78 446DAC48 none unknown

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): find: 446DAC60 0 0000000A username(352) 6 branch

    *Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DACB0 0 00000009 tunnel-password(343) 5 63 69 73 63 6F

    *Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DACC4 0 0000000A default-domain(571) 9 cisco.com

    *Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DACD8 0 0000000A addr-pool(9) 7 dynpool

    *Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DACEC 0 0000000A inacl(101) 3 150

    *Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DAD00 0 0000000A dns-servers(44) 15 0.0.0.0 0.0.0.0

    *Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DAD14 0 0000000A wins-servers(370) 15 0.0.0.0 0.0.0.0

    *Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DAD28 0 0000000A cpp-policy(580) 10 cpp-policy

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): free all lists: 0x451C4970

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): del attr: 451C4988 0 00000009 mschap-v2-success(513) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): del attr: 451C499C 0 00000001 addrv4(7) 4 255.255.255.255

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): del attr: 451C49B0 0 00000009 reply-message(203) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): copy lists

    *Mar 10 04:14:12.638: AAA/ATTR(000015DC): new list: 0x451C4970 old list: 446DAC48

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): cursor init: 44FE5220 451C4970 ike ipsec

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): username service:ike protocol:ipsec skip

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): password service:ike protocol:ipsec skip

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): clid service:ike protocol:ipsec skip

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): port-type service:ike protocol:ipsec skip

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): tunnel-password ok

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): default-domain ok

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): addr-pool ok

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): inacl ok

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): dns-servers ok

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): wins-servers ok

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec


    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): cpp-policy ok

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): not found

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): free all lists: 0x446DAC48

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAC60 0 0000000A username(352) 6 branch

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAC74 0 0000000A password(242) 5 63 69 73 63 6F

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAC88 0 0000000A clid(28) 9 200.1.1.3

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAC9C 0 00000002 port-type(162) 4 Virtual Terminal

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DACB0 0 00000009 tunnel-password(343) 5 63 69 73 63 6F

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DACC4 0 0000000A default-domain(571) 9 cisco.com

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DACD8 0 0000000A addr-pool(9) 7 dynpool

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DACEC 0 0000000A inacl(101) 3 150

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAD00 0 0000000A dns-servers(44) 15 0.0.0.0 0.0.0.0

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAD14 0 0000000A wins-servers(370) 15 0.0.0.0 0.0.0.0

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAD28 0 0000000A cpp-policy(580) 10 cpp-policy

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): free all lists: 0x44E1BC8C

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 44E1BCA4 0 00000001 port-type(162) 4 Virtual Terminal

    *Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 44E1BCB8 0 00000009 interface(158) 11 200.1.1.100


    Printed in the USA C11-345535-00 04/06
