LTLnetworker | IT networks, security, Cisco

IOS Easy VPN with RADIUS, Cisco Secure ACS 5.1 and AAA cache

Posted by ltlnetworker on May 10, 2010


AAA Authorization and Authentication Cache was integrated in IOS 15.0(1)M. This feature lets the router store AAA credentials in its cache after it receives the RADIUS or TACACS+ reply to an AAA request. The cache can be used either as a performance boost (avoiding requests to the AAA server) or as a fallback method in case the servers are unreachable. Which mode you get depends on the order in which you place the authentication methods in the aaa commands (see below).

In this example we cache the TACACS admin users’ credentials (telnet, vty) and the RADIUS VPN users’ credentials (IKE xauth). The VPN group is also defined on the RADIUS server.


Here is what you need:

! define AAA servers
radius-server host 192.168.159.41 auth-port 1812 acct-port 1813
radius-server timeout 4
radius-server key SECRET12345

tacacs-server host 192.168.159.41
tacacs-server timeout 4
tacacs-server key SECRET12345

! define cache profile groups
! each profile name must match an AAA username
aaa cache profile admin
 profile peteradmin
 profile kisnovakadmin
 profile aliceadmin

aaa cache profile vpnuser
 ! you can match multiple usernames (becivpn, kisnovakvpn etc.) using a regexp
 regexp .*vpn any

! assign the authentication and authorization caching rules to the aaa server groups
aaa group server tacacs+ admin-tac
 server 192.168.159.41
 cache authentication profile admin
 cache authorization  profile admin
aaa group server radius vpnuser-rad
 server 192.168.159.41 auth-port 1812 acct-port 1813
 cache authentication profile vpnuser
 cache authorization  profile vpnuser

! define authorization and authentication method lists containing cache method
! in this example, cache is used only if the AAA servers don't respond
! if you switch the order to 'cache admin-tac group admin-tac' then cache will be looked up first
! and TACACS will only be used if user is not in the cache
aaa authentication login   mtac    group admin-tac cache admin-tac local
aaa authorization  exec    default group admin-tac cache admin-tac local
! the enable password from TACACS is not cached (I tested it), so this command would be useless:
! aaa authentication enable  default group admin-tac cache admin-tac enable
! fall back to the local enable password instead:
aaa authentication enable  default group admin-tac enable
aaa accounting exec default start-stop group admin-tac

! xauth user authentication
aaa authentication login   xauth group vpnuser-rad cache vpnuser-rad local
! xauth VPN group authorization (including VPN group name and group password check)
aaa authorization  network xauth group vpnuser-rad cache vpnuser-rad local
aaa authentication login default local

! this pool is used with local group authorization when RADIUS server is unreachable
ip local pool R102_Loopback1 192.168.102.11 192.168.102.19
! this pool is used with RADIUS group authorization
ip local pool R102_AAA 192.168.102.21 192.168.102.29

! this split tunnel ACL is used with local group authorization when RADIUS server is unreachable
ip access-list extended EZsplit
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
! this split tunnel ACL is used with RADIUS group authorization
ip access-list extended EZsplitAAA
 permit ip 10.0.2.0     0.0.0.255 any
 permit ip 192.168.23.0 0.0.0.255 any

! TACACS AAA on vty
line vty 0 4
 login authentication mtac

We define admin users and VPN users on the ACS. Two VPN users (becivpn and kisnovakvpn) have a static IP address assigned, others obtain an address from a pool.


The EZVPNgroup profile defines the R102-EZVPN group’s attributes. The group password ‘lab’ is also set in a RADIUS AV pair. The referenced R102_AAA address pool and EZsplitAAA ACL are defined on the router. The xauth-banner attribute does not work (the router ignores the VSA, see the debug output below).
The router command ‘client authentication list’ selects the user authentication method (the RADIUS user profile in our case).
The router command ‘isakmp authorization list’ selects the group authorization method (the RADIUS group profile in our case), similar to the group policy on the ASA.


The EZVPNuser profile is basically empty. It just allows ordinary VPN users to connect with no special features.

EZVPNbeci and EZVPNkisnovak are for the two special VPN users who need a static IP address assigned. This is achieved by the Framed-IP-Address attribute.

For the TACACS admin users we need a shell profile that grants them a maximum privilege level of 15. Without it they could not enter enable mode.

You can define various policies in the Access Policy – Authorization section. A rule consists of a condition (e.g. a group name or user name match) and the corresponding authorization profile. We have rules for the special users becivpn and kisnovakvpn, a rule handling the VPN group and a general VPN user rule. (Note: the Device Type condition is not necessary here.) General VPN users are identified by their vpnuser group membership, not by the vpn string in their name.

The top-level policy, the Service Selection Rules, assigns the priv15 service we defined to TACACS protocol requests and the Network Access VPN service to the RADIUS requests.

Testing telnet access:

Telnet to the router using the TACACS user and the TACACS enable password:
username: peteradmin
password: peteradmin

R102>en
password: cpeter
R102#

R102#debug tacacs events
R102#debug aaa cache group
R102#
*May  5 11:35:47.151: TPLUS: Queuing AAA Authentication request 16 for processing
*May  5 11:35:47.159: TPLUS: processing authentication start request id 16
*May  5 11:35:47.163: TPLUS: Authentication start packet created for 16()
*May  5 11:35:47.167: TPLUS: Using server 192.168.159.41
*May  5 11:35:47.187: TPLUS(00000010)/0/NB_WAIT/69540BEC: Started 4 sec timeout
*May  5 11:35:47.223: TPLUS(00000010)/0/NB_WAIT: wrote entire 37 bytes request
*May  5 11:35:47.227: TPLUS: Would block while reading pak header
*May  5 11:35:47.251: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 16 bytes)
*May  5 11:35:47.255: TPLUS(00000010)/0/READ: read entire 28 bytes response
*May  5 11:35:47.255: TPLUS(00000010)/0/69540BEC: Processing the reply packet
*May  5 11:35:47.259: TPLUS: Received authen response status GET_USER (7)
*May  5 11:35:47.263: AAA/AUTHEN/CACHE: No username in response
*May  5 11:35:56.703: TPLUS: Queuing AAA Authentication request 16 for processing
*May  5 11:35:56.711: TPLUS: processing authentication continue request id 16
*May  5 11:35:56.715: TPLUS: Authentication continue packet generated for 16
*May  5 11:35:56.719: TPLUS(00000010)/0/WRITE/69540BEC: Started 4 sec timeout
*May  5 11:35:56.727: TPLUS(00000010)/0/WRITE: wrote entire 27 bytes request
*May  5 11:35:56.751: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 16 bytes)
*May  5 11:35:56.751: TPLUS(00000010)/0/READ: read entire 28 bytes response
*May  5 11:35:56.755: TPLUS(00000010)/0/69540BEC: Processing the reply packet
*May  5 11:35:56.759: TPLUS: Received authen response status GET_PASSWORD (8)
*May  5 11:35:56.763: AAA/AUTHEN/CACHE: Request status = 8, cannot add to cache
*May  5 11:36:02.943: TPLUS: Queuing AAA Authentication request 16 for processing
*May  5 11:36:02.955: TPLUS: processing authentication continue request id 16
*May  5 11:36:02.959: TPLUS: Authentication continue packet generated for 16
*May  5 11:36:02.963: TPLUS(00000010)/0/WRITE/69540BEC: Started 4 sec timeout
*May  5 11:36:02.967: TPLUS(00000010)/0/WRITE: wrote entire 27 bytes request
*May  5 11:36:03.971: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 6 bytes)
*May  5 11:36:03.975: TPLUS(00000010)/0/READ: read entire 18 bytes response
*May  5 11:36:03.975: TPLUS(00000010)/0/69540BEC: Processing the reply packet
*May  5 11:36:03.979: TPLUS: Received authen response status PASS (2)
*May  5 11:36:03.983: AAA/AUTHEN/CACHE: SG profile admin
*May  5 11:36:03.987: AAA/AUTHEN/CACHE: SG block for admin found
*May  5 11:36:03.987: AAA/AUTHEN/CACHE: matching profile found for peteradmin in admin
*May  5 11:36:03.991: AAA/AUTHEN/CACHE: Dealing with authen_type = 1
*May  5 11:36:03.995: TPLUS: Error occurs in reading packet header, shutdown the single connection
*May  5 11:36:04.047: TPLUS: Queuing AAA Authorization request 16 for processing
*May  5 11:36:04.055: TPLUS: processing authorization request id 16
*May  5 11:36:04.059: TPLUS: Protocol set to None .....Skipping
*May  5 11:36:04.063: TPLUS: Sending AV service=shell
*May  5 11:36:04.067: TPLUS: Sending AV cmd*
*May  5 11:36:04.067: TPLUS: Authorization request created for 16(peteradmin)
*May  5 11:36:04.071: TPLUS: using previously set server 192.168.159.41 from group admin-tac
*May  5 11:36:04.091: TPLUS(00000010)/0/NB_WAIT/689C0FDC: Started 4 sec timeout
*May  5 11:36:04.127: TPLUS(00000010)/0/NB_WAIT: wrote entire 66 bytes request
*May  5 11:36:04.131: TPLUS: Would block while reading pak header
*May  5 11:36:05.319: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 6 bytes)
*May  5 11:36:05.323: TPLUS(00000010)/0/READ: read entire 18 bytes response
*May  5 11:36:05.327: TPLUS(00000010)/0/689C0FDC: Processing the reply packet
*May  5 11:36:05.327: TPLUS: received authorization response for 16: PASS
*May  5 11:36:05.335: AAA/AUTHEN/CACHE: SG profile admin
*May  5 11:36:05.335: AAA/AUTHEN/CACHE: SG block for admin found
*May  5 11:36:05.339: AAA/AUTHEN/CACHE: matching profile found for peteradmin in admin
*May  5 11:36:05.339: AAA/AUTHOR/CACHE(00000010): Existing entry no set for authorization
*May  5 11:36:05.347: TPLUS: Error occurs in reading packet header, shutdown the single connection
*May  5 11:36:05.419: TPLUS: Queuing AAA Accounting request 16 for processing
*May  5 11:36:05.431: TPLUS: processing accounting request id 16
*May  5 11:36:05.439: TPLUS: Sending AV task_id=6
*May  5 11:36:05.439: TPLUS: Sending AV timezone=UTC
*May  5 11:36:05.443: TPLUS: Sending AV service=shell
*May  5 11:36:05.443: TPLUS: Accounting request created for 16(peteradmin)
*May  5 11:36:05.447: TPLUS: using previously set server 192.168.159.41 from group admin-tac
*May  5 11:36:05.471: TPLUS(00000010)/0/NB_WAIT/689C0FDC: Started 4 sec timeout
*May  5 11:36:05.523: TPLUS(00000010)/0/NB_WAIT: wrote entire 85 bytes request
*May  5 11:36:05.523: TPLUS: Would block while reading pak header
*May  5 11:36:05.587: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 5 bytes)
*May  5 11:36:05.591: TPLUS(00000010)/0/READ: read entire 17 bytes response
*May  5 11:36:05.591: TPLUS(00000010)/0/689C0FDC: Processing the reply packet
*May  5 11:36:05.595: TPLUS: Received accounting response with status PASS
*May  5 11:36:05.603: TPLUS: Error occurs in reading packet header, shutdown the single connection
R102#

R102#sh aaa cache group admin-tac all
----------------------------------------------------------
Entries in Profile dB admin-tac for exact match
----------------------------------------------------------
Profile: peteradmin
Updated: 00:00:42
Parse User: N
Authen User: Y
Query Count: 2
6731AF7C 0 00000009 username(422) 10 peteradmin, service shell, protocol none
6731AF8C 0 0000000A cmd(73) 0 , service shell, protocol none
----------------------------------------------------------
Entries in Profile dB admin-tac for regexp match
----------------------------------------------------------
No entries found for regexp match

There is no mention of the cache aging time in the documentation, so I assume the entries stay there permanently until a reload or a clear command.

Now we disconnect the ACS from the network.

Telnet to the router using the TACACS user and the local enable password (the enable password from TACACS cannot be cached):
username: peteradmin
password: peteradmin

R102>en
password: c
R102#

*May  5 11:39:10.723: TPLUS: Queuing AAA Authentication request 17 for processing
*May  5 11:39:10.735: TPLUS: processing authentication start request id 17
*May  5 11:39:10.739: TPLUS: Authentication start packet created for 17()
*May  5 11:39:10.743: TPLUS: Using server 192.168.159.41
*May  5 11:39:10.759: TPLUS(00000011)/0/NB_WAIT/68A4A820: Started 4 sec timeout
*May  5 11:39:14.759: TPLUS(00000011)/0/NB_WAIT/68A4A820: timed out
*May  5 11:39:14.763: TPLUS(00000011)/0/NB_WAIT/68A4A820: timed out, clean up
*May  5 11:39:14.767: TPLUS(00000011)/0/68A4A820: Processing the reply packet
*May  5 11:39:14.771: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  5 11:39:14.779: AAA/AUTHEN/CACHE(00000011): GET_USER  for username NULL
*May  5 11:39:23.315: AAA/AUTHEN/CACHE(00000011): GET_PASSWORD  for username peteradmin
*May  5 11:39:25.191: AAA/AUTHEN/CACHE(00000011): Found a match
*May  5 11:39:25.195: AAA/AUTHEN/CACHE(00000011): PASS  for username peteradmin
*May  5 11:39:25.215: TPLUS: Queuing AAA Authorization request 17 for processing
*May  5 11:39:25.223: TPLUS: processing authorization request id 17
*May  5 11:39:25.227: TPLUS: Protocol set to None .....Skipping
*May  5 11:39:25.231: TPLUS: Sending AV service=shell
*May  5 11:39:25.235: TPLUS: Sending AV cmd*
*May  5 11:39:25.239: TPLUS: Authorization request created for 17(peteradmin)
*May  5 11:39:25.239: TPLUS: Using server 192.168.159.41
*May  5 11:39:25.243: TPLUS(00000011)/0/IDLE/689C3A0C: got immediate connect on new 0
*May  5 11:39:25.247: TPLUS(00000011)/0/WRITE/689C3A0C: Started 4 sec timeout
*May  5 11:39:25.251: TPLUS(00000011)/0/WRITE: write to 192.168.159.41 failed with errno 257((ENOTCONN))
*May  5 11:39:25.255: TPLUS: Protocol set to None .....Skipping
*May  5 11:39:25.259: TPLUS: Sending AV service=shell
*May  5 11:39:25.259: TPLUS: Sending AV cmd*
*May  5 11:39:25.263: TPLUS: Authorization request created for 17(peteradmin)
*May  5 11:39:25.263: TPLUS(00000011): Start write failed
*May  5 11:39:29.247: TPLUS(00000011)/0/WRITE/689C3A0C: timed out
*May  5 11:39:29.251: TPLUS: Protocol set to None .....Skipping
*May  5 11:39:29.255: TPLUS: Sending AV service=shell
*May  5 11:39:29.255: TPLUS: Sending AV cmd*
*May  5 11:39:29.259: TPLUS: Authorization request created for 17(peteradmin)
*May  5 11:39:29.263: TPLUS(00000011)/0/WRITE/689C3A0C: timed out, clean up
*May  5 11:39:29.267: TPLUS: Error occured while writing, shutdown the single connection
*May  5 11:39:29.267: TPLUS(00000011)/0/689C3A0C: Processing the reply packet
*May  5 11:39:29.271: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  5 11:39:29.331: TPLUS: Queuing AAA Accounting request 17 for processing
*May  5 11:39:29.343: TPLUS: processing accounting request id 17
*May  5 11:39:29.351: TPLUS: Sending AV task_id=7
*May  5 11:39:29.351: TPLUS: Sending AV timezone=UTC
*May  5 11:39:29.355: TPLUS: Sending AV service=shell
*May  5 11:39:29.359: TPLUS: Accounting request created for 17(peteradmin)
*May  5 11:39:29.359: TPLUS: using previously set server 192.168.159.41 from group admin-tac
*May  5 11:39:29.379: TPLUS(00000011)/0/NB_WAIT/689C0FDC: Started 4 sec timeout
*May  5 11:39:33.375: TPLUS(00000011)/0/NB_WAIT/689C0FDC: timed out
*May  5 11:39:33.379: TPLUS: Choosing next server 192.168.159.41
*May  5 11:39:33.383: TPLUS(00000011)/689C0FDC: releasing old socket 0
*May  5 11:39:33.387: TPLUS(00000011)/0/NB_WAIT/689C0FDC: got immediate connect on new 0
*May  5 11:39:33.387: TPLUS(00000011)/0/WRITE/689C0FDC: Started 4 sec timeout
*May  5 11:39:33.391: TPLUS(00000011)/0/WRITE: write to 192.168.159.41 failed with errno 257((ENOTCONN))
*May  5 11:39:33.399: TPLUS: Sending AV task_id=7
*May  5 11:39:33.399: TPLUS: Sending AV timezone=UTC
*May  5 11:39:33.403: TPLUS: Sending AV service=shell
*May  5 11:39:33.403: TPLUS: Accounting request created for 17(peteradmin)
*May  5 11:39:33.407: TPLUS(00000011)/0/WRITE/689C0FDC: Write failed, this request will be cleaned up after timeout
*May  5 11:39:37.387: TPLUS(00000011)/0/WRITE/689C0FDC: timed out
*May  5 11:39:37.395: TPLUS: Sending AV task_id=7
*May  5 11:39:37.395: TPLUS: Sending AV timezone=UTC
*May  5 11:39:37.399: TPLUS: Sending AV service=shell
*May  5 11:39:37.403: TPLUS: Accounting request created for 17(peteradmin)
*May  5 11:39:37.407: TPLUS: Choosing next server 192.168.159.41
*May  5 11:39:37.407: TPLUS(00000011)/689C0FDC: releasing old socket 0
*May  5 11:39:37.411: TPLUS(00000011)/0/WRITE/689C0FDC: got immediate connect on new 0
*May  5 11:39:37.415: TPLUS(00000011)/0/WRITE/689C0FDC: Started 4 sec timeout
*May  5 11:39:37.415: TPLUS(00000011)/0/WRITE: write to 192.168.159.41 failed with errno 257((ENOTCONN))
*May  5 11:39:37.423: TPLUS: Sending AV task_id=7
*May  5 11:39:37.427: TPLUS: Sending AV timezone=UTC
*May  5 11:39:37.427: TPLUS: Sending AV service=shell
*May  5 11:39:37.431: TPLUS: Accounting request created for 17(peteradmin)
*May  5 11:39:37.431: TPLUS(00000011)/0/WRITE/689C0FDC: Write failed, this request will be cleaned up after timeout
*May  5 11:39:41.411: TPLUS(00000011)/0/WRITE/689C0FDC: timed out
*May  5 11:39:41.419: TPLUS: Sending AV task_id=7
*May  5 11:39:41.423: TPLUS: Sending AV timezone=UTC
*May  5 11:39:41.423: TPLUS: Sending AV service=shell
*May  5 11:39:41.427: TPLUS: Accounting request created for 17(peteradmin)
*May  5 11:39:41.431: TPLUS(00000011)/0/WRITE/689C0FDC: timed out, clean up
*May  5 11:39:41.431: TPLUS: Error occured while writing, shutdown the single connection
*May  5 11:39:41.435: TPLUS(00000011)/0/689C0FDC: Processing the reply packet

The cached username and password work.

R102#clear aaa cache group admin-tac all
R102#sh aaa cache group admin-tac all
----------------------------------------------------------
Entries in Profile dB admin-tac for exact match
----------------------------------------------------------
No entries found in Profile dB

telnet:
Username: userloc
Password: userloc

R102>en
Password: c
R102#

Local authentication works when the user is not found in the cache.

*May  5 11:41:47.071: TPLUS: Queuing AAA Authentication request 18 for processing
*May  5 11:41:47.079: TPLUS: processing authentication start request id 18
*May  5 11:41:47.087: TPLUS: Authentication start packet created for 18()
*May  5 11:41:47.087: TPLUS: Using server 192.168.159.41
*May  5 11:41:47.107: TPLUS(00000012)/0/NB_WAIT/69540BEC: Started 4 sec timeout
*May  5 11:41:51.107: TPLUS(00000012)/0/NB_WAIT/69540BEC: timed out
*May  5 11:41:51.111: TPLUS(00000012)/0/NB_WAIT/69540BEC: timed out, clean up
*May  5 11:41:51.115: TPLUS: Error occured while writing, shutdown the single connection
*May  5 11:41:51.115: TPLUS(00000012)/0/69540BEC: Processing the reply packet
*May  5 11:41:51.119: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  5 11:41:51.135: AAA/AUTHEN/CACHE(00000012): GET_USER  for username NULL
*May  5 11:42:05.839: AAA/AUTHEN/CACHE(00000012): GET_PASSWORD  for username userloc
*May  5 11:42:07.311: AAA/AUTHEN/CACHE(00000012): No entry with username userloc
*May  5 11:42:07.311: AAA/AUTHEN/CACHE(00000012): No regexp matching username userloc
*May  5 11:42:07.315: AAA/AUTHEN/CACHE(00000012): GET_PASSWORD  for username userloc
*May  5 11:42:07.719: TPLUS: Queuing AAA Authorization request 18 for processing
*May  5 11:42:07.739: TPLUS: processing authorization request id 18
*May  5 11:42:07.743: TPLUS: Protocol set to None .....Skipping
*May  5 11:42:07.747: TPLUS: Sending AV service=shell
*May  5 11:42:07.747: TPLUS: Sending AV cmd*
*May  5 11:42:07.751: TPLUS: Authorization request created for 18(userloc)
*May  5 11:42:07.755: TPLUS: Using server 192.168.159.41
*May  5 11:42:07.771: TPLUS(00000012)/0/NB_WAIT/68B77364: Started 4 sec timeout
*May  5 11:42:11.771: TPLUS(00000012)/0/NB_WAIT/68B77364: timed out
*May  5 11:42:11.775: TPLUS(00000012)/0/NB_WAIT/68B77364: timed out, clean up
*May  5 11:42:11.779: TPLUS: Error occured while writing, shutdown the single connection
*May  5 11:42:11.779: TPLUS(00000012)/0/68B77364: Processing the reply packet
*May  5 11:42:11.783: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  5 11:42:11.795: AAA/AUTHEN/CACHE(00000012): No entry with username userloc
*May  5 11:42:11.799: AAA/AUTHEN/CACHE(00000012): No regexp matching username userloc
*May  5 11:42:11.847: TPLUS: Queuing AAA Accounting request 18 for processing
*May  5 11:42:11.859: TPLUS: processing accounting request id 18
*May  5 11:42:11.863: TPLUS: Sending AV task_id=8
*May  5 11:42:11.867: TPLUS: Sending AV timezone=UTC
*May  5 11:42:11.867: TPLUS: Sending AV service=shell
*May  5 11:42:11.871: TPLUS: Accounting request created for 18(userloc)
*May  5 11:42:11.875: TPLUS: Using server 192.168.159.41
*May  5 11:42:11.891: TPLUS(00000012)/0/NB_WAIT/68B77364: Started 4 sec timeout
*May  5 11:42:15.891: TPLUS(00000012)/0/NB_WAIT/68B77364: timed out
*May  5 11:42:15.895: TPLUS(00000012)/0/NB_WAIT/68B77364: timed out, clean up
*May  5 11:42:15.899: TPLUS: Error occured while writing, shutdown the single connection
*May  5 11:42:15.899: TPLUS(00000012)/0/68B77364: Processing the reply packet

Testing VPN

Now let’s connect with a Cisco VPN client on a Windows XP machine.

VPN group name: R102-EZVPN
VPN group password: lab
username: kisnovakvpn
password: kisnovakvpn

The router config contains a VPN group R102-EZVPN, but group authorization is set to RADIUS (‘isakmp authorization list’ command). That is why the locally defined R102-EZVPN with password ‘pw1’ only works when local authorization is used, i.e. when neither the RADIUS server is reachable nor the AAA cache lookup for R102-EZVPN succeeds. In our case R102-EZVPN will never be cached, as it does not match the .*vpn regexp defined in the cache profile.
(The distinct passwords are for testing. In real life you probably want to set the group password in the router to the same value as in the RADIUS group profile, so that clients do not need to switch to the fallback group password manually.)
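As an added illustration (not code from the original post), here is a small Python model of how IOS walks the method lists from the config above and why the R102-EZVPN fallback just described behaves the way it does: a server error moves on to the next method, only PASS replies whose username matches a cache profile are cached, and the reversed ‘cache … group …’ order consults the cache before the server. The usernames, groups, profiles and passwords are the ones used on this page; the ACS and local user databases are constructed stand-ins.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CacheProfile:
    """Model of 'aaa cache profile <name>': exact usernames plus regexps."""
    exact: set
    regexps: list

    def matches(self, username: str) -> bool:
        # IOS regexps are unanchored, so re.search is the closest analogue (assumption).
        # Matching is case-sensitive: 'R102-EZVPN' does not match '.*vpn'.
        return username in self.exact or any(re.search(r, username) for r in self.regexps)


@dataclass
class ServerGroup:
    """Model of 'aaa group server' with a 'cache ... profile' attached to it."""
    name: str
    profile: CacheProfile
    reachable: bool = True
    cache: dict = field(default_factory=dict)  # username -> secret learned from the server


def aaa_run(methods, username, secret, server_db, local_db):
    """Walk a method list the way IOS does: an ERROR (server unreachable, no cache
    entry) moves on to the next method, while PASS and FAIL are final.
    Returns (status, trace); the trace records which method answered."""
    trace = []
    for method in methods:
        kind, sg = method[0], method[1] if len(method) > 1 else None
        if kind == "group":
            if not sg.reachable:
                # "Don't cache responses with errors": nothing is learned here.
                trace.append(f"group {sg.name}: ERROR (server unreachable)")
                continue
            ok = server_db.get(username) == secret
            if ok and sg.profile.matches(username):
                sg.cache[username] = secret          # only a PASS reply is cached
                trace.append(f"group {sg.name}: PASS, cached in profile")
            else:
                trace.append(f"group {sg.name}: {'PASS, no matching profile' if ok else 'FAIL'}")
            return ("PASS" if ok else "FAIL"), trace
        if kind == "cache":
            if username not in sg.cache:
                trace.append(f"cache {sg.name}: no entry, trying next method")
                continue
            ok = sg.cache[username] == secret        # wrong secret is a final FAIL (assumption)
            trace.append(f"cache {sg.name}: {'PASS' if ok else 'FAIL'}")
            return ("PASS" if ok else "FAIL"), trace
        if kind == "local":
            if username not in local_db:
                trace.append("local: no such user, trying next method")
                continue
            ok = local_db[username] == secret
            trace.append(f"local: {'PASS' if ok else 'FAIL'}")
            return ("PASS" if ok else "FAIL"), trace
    trace.append("no method answered: FAIL")
    return "FAIL", trace


def walkthrough():
    """Replays the tests from the post; returns {scenario: (status, trace)}."""
    admin_tac = ServerGroup("admin-tac", CacheProfile({"peteradmin", "kisnovakadmin", "aliceadmin"}, []))
    vpnuser_rad = ServerGroup("vpnuser-rad", CacheProfile(set(), [r".*vpn"]))
    # Constructed stand-ins for the ACS databases and the router's local users/groups.
    acs = {"peteradmin": "peteradmin", "kisnovakvpn": "kisnovakvpn", "R102-EZVPN": "lab"}
    local = {"userloc": "userloc", "R102-EZVPN": "pw1"}
    # 'aaa authentication login mtac group admin-tac cache admin-tac local'
    mtac = [("group", admin_tac), ("cache", admin_tac), ("local",)]
    # 'aaa authorization network xauth group vpnuser-rad cache vpnuser-rad local' (same walk)
    xauth = [("group", vpnuser_rad), ("cache", vpnuser_rad), ("local",)]
    out = {}
    out["admin_online"] = aaa_run(mtac, "peteradmin", "peteradmin", acs, local)
    out["vpnuser_online"] = aaa_run(xauth, "kisnovakvpn", "kisnovakvpn", acs, local)
    out["group_online"] = aaa_run(xauth, "R102-EZVPN", "lab", acs, local)
    # Now disconnect the ACS.
    admin_tac.reachable = vpnuser_rad.reachable = False
    out["admin_offline"] = aaa_run(mtac, "peteradmin", "peteradmin", acs, local)
    out["userloc_offline"] = aaa_run(mtac, "userloc", "userloc", acs, local)
    out["vpnuser_offline"] = aaa_run(xauth, "kisnovakvpn", "kisnovakvpn", acs, local)
    # R102-EZVPN never matched '.*vpn', so only the router's local group (pw1) answers now.
    out["group_lab_offline"] = aaa_run(xauth, "R102-EZVPN", "lab", acs, local)
    out["group_pw1_offline"] = aaa_run(xauth, "R102-EZVPN", "pw1", acs, local)
    # Reversed order ('cache admin-tac group admin-tac'): the server is not asked at all.
    admin_tac.reachable = True
    cache_first = [("cache", admin_tac), ("group", admin_tac), ("local",)]
    out["admin_cache_first"] = aaa_run(cache_first, "peteradmin", "peteradmin", acs, local)
    return out


if __name__ == "__main__":
    for name, (status, trace) in walkthrough().items():
        print(f"{name:18} {status:4}  {' -> '.join(trace)}")
```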

R102#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius elog debugging debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging debugging is off
R102#debug aaa subsys
AAA Subsystem debugs debugging is on
R102#debug aaa authen
AAA Authentication debugging is on
R102#debug aaa author
AAA Authorization debugging is on
R102#debug aaa cache group
AAA Server Group Cache debugging is on
R102#sh aaa cache group vpnuser-rad all
----------------------------------------------------------
Entries in Profile dB vpnuser-rad for exact match
----------------------------------------------------------
No entries found in Profile dB

*May  6 16:56:28.451: AAA/BIND(00000013): Bind i/f
*May  6 16:56:28.675: AAA/AUTHOR (0x13): Pick method list 'xauth'
*May  6 16:56:28.679: AAA SRV(00000013): process author req
*May  6 16:56:28.679: AAA SRV(00000013): Author method=SERVER_GROUP vpnuser-rad
*May  6 16:56:28.683: RADIUS/ENCODE(00000013):Orig. component type = VPN IPSEC
*May  6 16:56:28.691: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  6 16:56:28.695: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  6 16:56:28.699: RADIUS(00000013): Config NAS IP: 0.0.0.0
*May  6 16:56:28.699: RADIUS/ENCODE(00000013): acct_session_id: 9
*May  6 16:56:28.703: RADIUS(00000013): sending
*May  6 16:56:28.711: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  6 16:56:28.727: RADIUS(00000013): Send Access-Request to 192.168.159.41:1812 id 1645/7, len 97
*May  6 16:56:28.731: RADIUS:  authenticator E6 CC CB 73 A4 05 99 40 - 91 FE 9E 77 DD FD 2D D3
*May  6 16:56:28.735: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 16:56:28.735: RADIUS:  User-Password       [2]   18  *
*May  6 16:56:28.739: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:56:28.743: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:56:28.743: RADIUS:  NAS-Port            [5]   6   0
*May  6 16:56:28.747: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  6 16:56:28.751: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 16:56:28.755: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  6 16:56:28.763: RADIUS(00000013): Started 4 sec timeout
*May  6 16:56:28.787: RADIUS: Received from id 1645/7 192.168.159.41:1812, Access-Accept, len 298
*May  6 16:56:28.791: RADIUS:  authenticator 28 F5 E6 41 70 6B 14 C7 - 68 F7 21 F8 E8 D1 85 8F
*May  6 16:56:28.795: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 16:56:28.795: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 16:56:28.799: RADIUS:  Class               [25]  24
*May  6 16:56:28.803: RADIUS:   43 41 43 53 3A 63 73 61 63 73 2F 36 32 35 30 37  [CACS:csacs/62507]
*May  6 16:56:28.807: RADIUS:   35 37 30 2F 35 36            [ 570/56]
*May  6 16:56:28.811: RADIUS:  Vendor, Cisco       [26]  29
*May  6 16:56:28.811: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type*ESP"
*May  6 16:56:28.815: RADIUS:  Vendor, Cisco       [26]  30
*May  6 16:56:28.815: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
*May  6 16:56:28.819: RADIUS:  Vendor, Cisco       [26]  33
*May  6 16:56:28.819: RADIUS:   Cisco AVpair       [1]   27  "ipsec:tunnel-password=lab"
*May  6 16:56:28.823: RADIUS:  Vendor, Cisco       [26]  32
*May  6 16:56:28.827: RADIUS:   Cisco AVpair       [1]   26  "ipsec:addr-pool=R102_AAA"
*May  6 16:56:28.827: RADIUS:  Vendor, Cisco       [26]  43
*May  6 16:56:28.831: RADIUS:   Cisco AVpair       [1]   37  "ipsec:dns-servers=10.1.1.1 10.2.2.2"
*May  6 16:56:28.835: RADIUS:  Vendor, Cisco       [26]  39
*May  6 16:56:28.835: RADIUS:   Cisco AVpair       [1]   33  "ipsec:xauth-banner="AAA banner""
*May  6 16:56:28.839: RADIUS:  Vendor, Cisco       [26]  30
*May  6 16:56:28.839: RADIUS:   Cisco AVpair       [1]   24  "ipsec:inacl=EZsplitAAA"
*May  6 16:56:28.863: RADIUS(00000013): Received from id 1645/7
*May  6 16:56:28.871: RADIUS/DECODE: parse unknown cisco vsa "xauth-banner" - IGNORE
*May  6 16:56:28.875: AAA/AUTHEN/CACHE: SG profile vpnuser
*May  6 16:56:28.875: AAA/AUTHEN/CACHE: SG block for vpnuser found
*May  6 16:56:28.879: AAA/AUTHEN/CACHE: No matching profile found for R102-EZVPN in vpnuser
*May  6 16:56:28.883: AAA SRV(00000013): protocol reply PASS for Authorization
*May  6 16:56:28.883: AAA SRV(00000013): Return Authorization status=PASS
*May  6 16:56:37.891: AAA/AUTHEN/LOGIN (00000014): Pick method list 'xauth'
*May  6 16:56:37.907: AAA SRV(00000014): process authen req
*May  6 16:56:37.911: AAA SRV(00000014): Authen method=SERVER_GROUP vpnuser-rad
*May  6 16:56:37.915: RADIUS/ENCODE(00000014):Orig. component type = VPN IPSEC
*May  6 16:56:37.919: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  6 16:56:37.923: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  6 16:56:37.927: RADIUS/ENCODE(00000014): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*May  6 16:56:37.927: RADIUS(00000014): Config NAS IP: 0.0.0.0
*May  6 16:56:37.931: RADIUS/ENCODE(00000014): acct_session_id: 10
*May  6 16:56:37.935: RADIUS(00000014): sending
*May  6 16:56:37.947: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  6 16:56:37.959: RADIUS(00000014): Send Access-Request to 192.168.159.41:1812 id 1645/8, len 86
*May  6 16:56:37.963: RADIUS:  authenticator 39 A7 CB EA 5C 0A F2 81 - 1D 3D E7 76 A7 EA 9D 70
*May  6 16:56:37.967: RADIUS:  User-Name           [1]   13  "kisnovakvpn"
*May  6 16:56:37.971: RADIUS:  User-Password       [2]   18  *
*May  6 16:56:37.971: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:56:37.975: RADIUS:  NAS-Port            [5]   6   0
*May  6 16:56:37.979: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  6 16:56:37.979: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  6 16:56:37.987: RADIUS(00000014): Started 4 sec timeout
*May  6 16:56:38.179: RADIUS: Received from id 1645/8 192.168.159.41:1812, Access-Accept, len 63
*May  6 16:56:38.187: RADIUS:  authenticator 02 8C 88 FB CE 82 82 BB - CA DC D4 D5 41 D3 62 85
*May  6 16:56:38.187: RADIUS:  User-Name           [1]   13  "kisnovakvpn"
*May  6 16:56:38.191: RADIUS:  Framed-IP-Address   [8]   6   192.168.102.34
*May  6 16:56:38.195: RADIUS:  Class               [25]  24
*May  6 16:56:38.199: RADIUS:   43 41 43 53 3A 63 73 61 63 73 2F 36 32 35 30 37  [CACS:csacs/62507]
*May  6 16:56:38.203: RADIUS:   35 37 30 2F 35 37            [ 570/57]
*May  6 16:56:38.219: RADIUS(00000014): Received from id 1645/8
*May  6 16:56:38.227: AAA/AUTHEN/CACHE: SG profile vpnuser
*May  6 16:56:38.231: AAA/AUTHEN/CACHE: SG block for vpnuser found
*May  6 16:56:38.231: AAA/AUTHEN/CACHE: matching profile found for kisnovakvpn in vpnuser
*May  6 16:56:38.235: AAA/AUTHEN/CACHE: Dealing with authen_type = 1
*May  6 16:56:38.239: AAA SRV(00000014): protocol reply PASS for Authentication
*May  6 16:56:38.243: AAA SRV(00000014): Return Authentication status=PASS
*May  6 16:56:38.323: AAA/AUTHOR (0x14): Pick method list 'xauth'
*May  6 16:56:38.339: AAA SRV(00000014): process author req
*May  6 16:56:38.343: AAA SRV(00000014): Author method=SERVER_GROUP vpnuser-rad
*May  6 16:56:38.347: RADIUS/ENCODE(00000014):Orig. component type = VPN IPSEC
*May  6 16:56:38.351: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  6 16:56:38.355: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  6 16:56:38.359: RADIUS(00000014): Config NAS IP: 0.0.0.0
*May  6 16:56:38.359: RADIUS/ENCODE(00000014): acct_session_id: 10
*May  6 16:56:38.363: RADIUS(00000014): sending
*May  6 16:56:38.379: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  6 16:56:38.395: RADIUS(00000014): Send Access-Request to 192.168.159.41:1812 id 1645/9, len 97
*May  6 16:56:38.399: RADIUS:  authenticator F0 57 0A A3 30 44 2A 4F - 20 C6 A8 FD 43 53 59 7C
*May  6 16:56:38.399: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 16:56:38.403: RADIUS:  User-Password       [2]   18  *
*May  6 16:56:38.407: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:56:38.407: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:56:38.411: RADIUS:  NAS-Port            [5]   6   0
*May  6 16:56:38.415: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  6 16:56:38.415: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 16:56:38.419: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  6 16:56:38.431: RADIUS(00000014): Started 4 sec timeout
*May  6 16:56:38.451: RADIUS: Received from id 1645/9 192.168.159.41:1812, Access-Accept, len 298
*May  6 16:56:38.455: RADIUS:  authenticator 1C 8D AA 96 F1 C0 32 AF - 91 FA 4C 45 5F 16 81 79
*May  6 16:56:38.455: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 16:56:38.459: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 16:56:38.463: RADIUS:  Class               [25]  24
*May  6 16:56:38.467: RADIUS:   43 41 43 53 3A 63 73 61 63 73 2F 36 32 35 30 37  [CACS:csacs/62507]
*May  6 16:56:38.471: RADIUS:   35 37 30 2F 35 38            [ 570/58]
*May  6 16:56:38.471: RADIUS:  Vendor, Cisco       [26]  29
*May  6 16:56:38.475: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type*ESP"
*May  6 16:56:38.475: RADIUS:  Vendor, Cisco       [26]  30
*May  6 16:56:38.479: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
*May  6 16:56:38.483: RADIUS:  Vendor, Cisco       [26]  33
*May  6 16:56:38.483: RADIUS:   Cisco AVpair       [1]   27  "ipsec:tunnel-password=lab"
*May  6 16:56:38.487: RADIUS:  Vendor, Cisco       [26]  32
*May  6 16:56:38.487: RADIUS:   Cisco AVpair       [1]   26  "ipsec:addr-pool=R102_AAA"
*May  6 16:56:38.491: RADIUS:  Vendor, Cisco       [26]  43
*May  6 16:56:38.495: RADIUS:   Cisco AVpair       [1]   37  "ipsec:dns-servers=10.1.1.1 10.2.2.2"
*May  6 16:56:38.495: RADIUS:  Vendor, Cisco       [26]  39
*May  6 16:56:38.499: RADIUS:   Cisco AVpair       [1]   33  "ipsec:xauth-banner="AAA banner""
*May  6 16:56:38.503: RADIUS:  Vendor, Cisco       [26]  30
*May  6 16:56:38.503: RADIUS:   Cisco AVpair       [1]   24  "ipsec:inacl=EZsplitAAA"
*May  6 16:56:38.531: RADIUS(00000014): Received from id 1645/9
*May  6 16:56:38.539: RADIUS/DECODE: parse unknown cisco vsa "xauth-banner" - IGNORE
*May  6 16:56:38.543: AAA/AUTHEN/CACHE: SG profile vpnuser
*May  6 16:56:38.547: AAA/AUTHEN/CACHE: SG block for vpnuser found
*May  6 16:56:38.547: AAA/AUTHEN/CACHE: No matching profile found for R102-EZVPN in vpnuser
*May  6 16:56:38.551: AAA SRV(00000014): protocol reply PASS for Authorization
*May  6 16:56:38.551: AAA SRV(00000014): Return Authorization status=PASS
*May  6 16:56:38.843: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*May  6 16:56:48.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

R102#sh crypto session det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Virtual-Access2
Username: kisnovakvpn
Profile: EZVPN
Group: R102-EZVPN
Assigned address: 192.168.102.34
Uptime: 00:00:19
Session status: UP-ACTIVE
Peer: 192.168.159.128 port 1074 fvrf: (none) ivrf: (none)
Phase1_id: R102-EZVPN
Desc: (none)
IKE SA: local 192.168.159.102/500 remote 192.168.159.128/1074 Active
Capabilities:CX connid:1003 lifetime:23:59:29
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.102.34
Active SAs: 2, origin: crypto map
Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4590696/3580
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4590696/3580

R102#sh aaa cache group vpnuser-rad all
----------------------------------------------------------
Entries in Profile dB vpnuser-rad for exact match
----------------------------------------------------------
Profile: kisnovakvpn
Updated: 00:01:50
Parse User: N
Authen User: Y
Query Count: 0
6731B330 0 00000009 username(422) 11 kisnovakvpn, service none, protocol none
6731B340 0 00000001 addr(8) 4 192.168.102.34, service none, protocol none
----------------------------------------------------------
Entries in Profile dB vpnuser-rad for regexp match
----------------------------------------------------------
No entries found for regexp match

Another user connects with the Cisco VPN client.
VPN group name: R102-EZVPN
VPN group password: lab
username: toniovpn
password: toniovpn

*May  6 16:59:02.711: AAA/BIND(00000015): Bind i/f
*May  6 16:59:02.943: AAA/AUTHOR (0x15): Pick method list 'xauth'
*May  6 16:59:02.951: AAA SRV(00000015): process author req
*May  6 16:59:02.955: AAA SRV(00000015): Author method=SERVER_GROUP vpnuser-rad
*May  6 16:59:02.959: RADIUS/ENCODE(00000015):Orig. component type = VPN IPSEC
*May  6 16:59:02.963: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  6 16:59:02.967: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  6 16:59:02.971: RADIUS(00000015): Config NAS IP: 0.0.0.0
*May  6 16:59:02.975: RADIUS/ENCODE(00000015): acct_session_id: 11
*May  6 16:59:02.975: RADIUS(00000015): sending
*May  6 16:59:02.987: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  6 16:59:02.999: RADIUS(00000015): Send Access-Request to 192.168.159.41:1812 id 1645/10, len 97
*May  6 16:59:03.003: RADIUS:  authenticator 45 98 38 38 9F 55 8B E7 - 3E 07 E1 20 AB BE 6D 1A
*May  6 16:59:03.007: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 16:59:03.007: RADIUS:  User-Password       [2]   18  *
*May  6 16:59:03.011: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:59:03.015: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:59:03.015: RADIUS:  NAS-Port            [5]   6   0
*May  6 16:59:03.019: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  6 16:59:03.023: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 16:59:03.027: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  6 16:59:03.035: RADIUS(00000015): Started 4 sec timeout
*May  6 16:59:03.239: RADIUS: Received from id 1645/10 192.168.159.41:1812, Access-Accept, len 298
*May  6 16:59:03.243: RADIUS:  authenticator E1 7C 81 B9 79 EC B1 2E - BC 26 DA 3A 1B 26 25 17
*May  6 16:59:03.247: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 16:59:03.251: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 16:59:03.255: RADIUS:  Class               [25]  24
*May  6 16:59:03.259: RADIUS:   43 41 43 53 3A 63 73 61 63 73 2F 36 32 35 30 37  [CACS:csacs/62507]
*May  6 16:59:03.263: RADIUS:   35 37 30 2F 35 39            [ 570/59]
*May  6 16:59:03.263: RADIUS:  Vendor, Cisco       [26]  29
*May  6 16:59:03.267: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type*ESP"
*May  6 16:59:03.271: RADIUS:  Vendor, Cisco       [26]  30
*May  6 16:59:03.271: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
*May  6 16:59:03.275: RADIUS:  Vendor, Cisco       [26]  33
*May  6 16:59:03.275: RADIUS:   Cisco AVpair       [1]   27  "ipsec:tunnel-password=lab"
*May  6 16:59:03.279: RADIUS:  Vendor, Cisco       [26]  32
*May  6 16:59:03.283: RADIUS:   Cisco AVpair       [1]   26  "ipsec:addr-pool=R102_AAA"
*May  6 16:59:03.283: RADIUS:  Vendor, Cisco       [26]  43
*May  6 16:59:03.287: RADIUS:   Cisco AVpair       [1]   37  "ipsec:dns-servers=10.1.1.1 10.2.2.2"
*May  6 16:59:03.291: RADIUS:  Vendor, Cisco       [26]  39
*May  6 16:59:03.291: RADIUS:   Cisco AVpair       [1]   33  "ipsec:xauth-banner="AAA banner""
*May  6 16:59:03.295: RADIUS:  Vendor, Cisco       [26]  30
*May  6 16:59:03.295: RADIUS:   Cisco AVpair       [1]   24  "ipsec:inacl=EZsplitAAA"
*May  6 16:59:03.347: RADIUS(00000015): Received from id 1645/10
*May  6 16:59:03.355: RADIUS/DECODE: parse unknown cisco vsa "xauth-banner" - IGNORE
*May  6 16:59:03.359: AAA/AUTHEN/CACHE: SG profile vpnuser
*May  6 16:59:03.359: AAA/AUTHEN/CACHE: SG block for vpnuser found
*May  6 16:59:03.363: AAA/AUTHEN/CACHE: No matching profile found for R102-EZVPN in vpnuser
*May  6 16:59:03.367: AAA SRV(00000015): protocol reply PASS for Authorization
*May  6 16:59:03.367: AAA SRV(00000015): Return Authorization status=PASS
*May  6 16:59:18.383: AAA/AUTHEN/LOGIN (00000016): Pick method list 'xauth'
*May  6 16:59:18.395: AAA SRV(00000016): process authen req
*May  6 16:59:18.395: AAA SRV(00000016): Authen method=SERVER_GROUP vpnuser-rad
*May  6 16:59:18.399: RADIUS/ENCODE(00000016):Orig. component type = VPN IPSEC
*May  6 16:59:18.407: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  6 16:59:18.411: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  6 16:59:18.411: RADIUS/ENCODE(00000016): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*May  6 16:59:18.415: RADIUS(00000016): Config NAS IP: 0.0.0.0
*May  6 16:59:18.419: RADIUS/ENCODE(00000016): acct_session_id: 12
*May  6 16:59:18.419: RADIUS(00000016): sending
*May  6 16:59:18.431: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  6 16:59:18.443: RADIUS(00000016): Send Access-Request to 192.168.159.41:1812 id 1645/11, len 83
*May  6 16:59:18.447: RADIUS:  authenticator 9C 0F 38 BA D6 8A F7 C3 - 94 44 E0 C2 D3 BA 8C A4
*May  6 16:59:18.451: RADIUS:  User-Name           [1]   10  "toniovpn"
*May  6 16:59:18.451: RADIUS:  User-Password       [2]   18  *
*May  6 16:59:18.455: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:59:18.459: RADIUS:  NAS-Port            [5]   6   0
*May  6 16:59:18.459: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  6 16:59:18.463: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  6 16:59:18.471: RADIUS(00000016): Started 4 sec timeout
*May  6 16:59:18.507: RADIUS: Received from id 1645/11 192.168.159.41:1812, Access-Accept, len 54
*May  6 16:59:18.511: RADIUS:  authenticator 92 A3 43 EB 83 7F 3E 8E - 89 F5 59 F0 CB 08 E8 16
*May  6 16:59:18.515: RADIUS:  User-Name           [1]   10  "toniovpn"
*May  6 16:59:18.515: RADIUS:  Class               [25]  24
*May  6 16:59:18.519: RADIUS:   43 41 43 53 3A 63 73 61 63 73 2F 36 32 35 30 37  [CACS:csacs/62507]
*May  6 16:59:18.523: RADIUS:   35 37 30 2F 36 30            [ 570/60]
*May  6 16:59:18.543: RADIUS(00000016): Received from id 1645/11
*May  6 16:59:18.551: AAA/AUTHEN/CACHE: SG profile vpnuser
*May  6 16:59:18.551: AAA/AUTHEN/CACHE: SG block for vpnuser found
*May  6 16:59:18.555: AAA/AUTHEN/CACHE: matching profile found for toniovpn in vpnuser
*May  6 16:59:18.555: AAA/AUTHEN/CACHE: Dealing with authen_type = 1
*May  6 16:59:18.559: AAA SRV(00000016): protocol reply PASS for Authentication
*May  6 16:59:18.563: AAA SRV(00000016): Return Authentication status=PASS
*May  6 16:59:18.635: AAA/AUTHOR (0x16): Pick method list 'xauth'
*May  6 16:59:18.643: AAA SRV(00000016): process author req
*May  6 16:59:18.647: AAA SRV(00000016): Author method=SERVER_GROUP vpnuser-rad
*May  6 16:59:18.651: RADIUS/ENCODE(00000016):Orig. component type = VPN IPSEC
*May  6 16:59:18.655: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  6 16:59:18.659: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  6 16:59:18.663: RADIUS(00000016): Config NAS IP: 0.0.0.0
*May  6 16:59:18.667: RADIUS/ENCODE(00000016): acct_session_id: 12
*May  6 16:59:18.667: RADIUS(00000016): sending
*May  6 16:59:18.679: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  6 16:59:18.699: RADIUS(00000016): Send Access-Request to 192.168.159.41:1812 id 1645/12, len 97
*May  6 16:59:18.703: RADIUS:  authenticator E0 80 50 CF 47 09 A8 EB - 1D 6D EB 78 8A AB 5A A4
*May  6 16:59:18.703: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 16:59:18.707: RADIUS:  User-Password       [2]   18  *
*May  6 16:59:18.711: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:59:18.711: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 16:59:18.715: RADIUS:  NAS-Port            [5]   6   0
*May  6 16:59:18.719: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  6 16:59:18.719: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 16:59:18.723: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  6 16:59:18.731: RADIUS(00000016): Started 4 sec timeout
*May  6 16:59:18.759: RADIUS: Received from id 1645/12 192.168.159.41:1812, Access-Accept, len 298
*May  6 16:59:18.763: RADIUS:  authenticator E3 E1 53 4F 57 15 B0 81 - 96 43 35 4E CA 4D D5 B1
*May  6 16:59:18.767: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 16:59:18.767: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 16:59:18.771: RADIUS:  Class               [25]  24
*May  6 16:59:18.775: RADIUS:   43 41 43 53 3A 63 73 61 63 73 2F 36 32 35 30 37  [CACS:csacs/62507]
*May  6 16:59:18.779: RADIUS:   35 37 30 2F 36 31            [ 570/61]
*May  6 16:59:18.783: RADIUS:  Vendor, Cisco       [26]  29
*May  6 16:59:18.783: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type*ESP"
*May  6 16:59:18.787: RADIUS:  Vendor, Cisco       [26]  30
*May  6 16:59:18.787: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
*May  6 16:59:18.791: RADIUS:  Vendor, Cisco       [26]  33
*May  6 16:59:18.795: RADIUS:   Cisco AVpair       [1]   27  "ipsec:tunnel-password=lab"
*May  6 16:59:18.795: RADIUS:  Vendor, Cisco       [26]  32
*May  6 16:59:18.799: RADIUS:   Cisco AVpair       [1]   26  "ipsec:addr-pool=R102_AAA"
*May  6 16:59:18.803: RADIUS:  Vendor, Cisco       [26]  43
*May  6 16:59:18.803: RADIUS:   Cisco AVpair       [1]   37  "ipsec:dns-servers=10.1.1.1 10.2.2.2"
*May  6 16:59:18.807: RADIUS:  Vendor, Cisco       [26]  39
*May  6 16:59:18.807: RADIUS:   Cisco AVpair       [1]   33  "ipsec:xauth-banner="AAA banner""
*May  6 16:59:18.811: RADIUS:  Vendor, Cisco       [26]  30
*May  6 16:59:18.815: RADIUS:   Cisco AVpair       [1]   24  "ipsec:inacl=EZsplitAAA"
*May  6 16:59:18.843: RADIUS(00000016): Received from id 1645/12
*May  6 16:59:18.847: RADIUS/DECODE: parse unknown cisco vsa "xauth-banner" - IGNORE
*May  6 16:59:18.851: AAA/AUTHEN/CACHE: SG profile vpnuser
*May  6 16:59:18.855: AAA/AUTHEN/CACHE: SG block for vpnuser found
*May  6 16:59:18.859: AAA/AUTHEN/CACHE: No matching profile found for R102-EZVPN in vpnuser
*May  6 16:59:18.859: AAA SRV(00000016): protocol reply PASS for Authorization
*May  6 16:59:18.863: AAA SRV(00000016): Return Authorization status=PASS

R102#sh crypto session det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Virtual-Access2
Username: toniovpn
Profile: EZVPN
Group: R102-EZVPN
Assigned address: 192.168.102.22
Uptime: 00:00:21
Session status: UP-ACTIVE
Peer: 192.168.159.128 port 1085 fvrf: (none) ivrf: (none)
Phase1_id: R102-EZVPN
Desc: (none)
IKE SA: local 192.168.159.102/500 remote 192.168.159.128/1085 Active
Capabilities:CX connid:1004 lifetime:23:59:21
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.102.22
Active SAs: 2, origin: crypto map
Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4413345/3578
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4413345/3578

R102#sh aaa cache group vpnuser-rad all
----------------------------------------------------------
Entries in Profile dB vpnuser-rad for exact match
----------------------------------------------------------
Profile: kisnovakvpn
Updated: 00:03:29
Parse User: N
Authen User: Y
Query Count: 0
6731B330 0 00000009 username(422) 11 kisnovakvpn, service none, protocol none
6731B340 0 00000001 addr(8) 4 192.168.102.34, service none, protocol none
Profile: toniovpn
Updated: 00:00:49
Parse User: N
Authen User: Y
Query Count: 0
6731B984 0 00000009 username(422) 8 toniovpn, service none, protocol none
----------------------------------------------------------
Entries in Profile dB vpnuser-rad for regexp match
----------------------------------------------------------
No entries found for regexp match

Not only the kisnovakvpn username but also his IP address is cached. toniovpn has no static IP address on the ACS, so only the username is cached.

We are disconnecting the ACS again now.

The kisnovakvpn user connects again.
VPN group name: R102-EZVPN
VPN group password: pw1 (to match the password in the router config)
username: kisnovakvpn
password: kisnovakvpn

*May  6 17:03:47.255: AAA/BIND(0000001A): Bind i/f
*May  6 17:03:47.551: AAA/AUTHOR (0x1A): Pick method list 'xauth'
*May  6 17:03:47.559: AAA SRV(0000001A): process author req
*May  6 17:03:47.563: AAA SRV(0000001A): Author method=SERVER_GROUP vpnuser-rad
*May  6 17:03:47.567: RADIUS/ENCODE(0000001A):Orig. component type = VPN IPSEC
*May  6 17:03:47.571: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  6 17:03:47.575: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  6 17:03:47.579: RADIUS(0000001A): Config NAS IP: 0.0.0.0
*May  6 17:03:47.583: RADIUS/ENCODE(0000001A): acct_session_id: 16
*May  6 17:03:47.583: RADIUS(0000001A): sending
*May  6 17:03:47.599: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  6 17:03:47.623: RADIUS(0000001A): Send Access-Request to 192.168.159.41:1812 id 1645/17, len 97
*May  6 17:03:47.627: RADIUS:  authenticator 38 D8 69 05 C1 EF C9 00 - 65 AB 31 5A 11 5E 72 4D
*May  6 17:03:47.631: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 17:03:47.635: RADIUS:  User-Password       [2]   18  *
*May  6 17:03:47.635: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 17:03:47.639: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 17:03:47.643: RADIUS:  NAS-Port            [5]   6   0
*May  6 17:03:47.647: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  6 17:03:47.647: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 17:03:47.651: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  6 17:03:47.663: RADIUS(0000001A): Started 4 sec timeout
*May  6 17:03:51.279: RADIUS(0000001A): Request timed out
*May  6 17:03:51.283: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/17
*May  6 17:03:51.291: RADIUS(0000001A): Started 4 sec timeout
*May  6 17:03:54.783: RADIUS(0000001A): Request timed out
*May  6 17:03:54.791: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/17
*May  6 17:03:54.795: RADIUS(0000001A): Started 4 sec timeout
*May  6 17:03:58.687: RADIUS(0000001A): Request timed out
*May  6 17:03:58.691: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/17
*May  6 17:03:58.699: RADIUS(0000001A): Started 4 sec timeout
*May  6 17:04:02.539: RADIUS(0000001A): Request timed out
*May  6 17:04:02.543: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.159.41:1812,1813 is not responding.
*May  6 17:04:02.551: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.159.41:1812,1813 is being marked alive.
*May  6 17:04:02.559: RADIUS: No response from (192.168.159.41:1812,1813) for id 1645/17
*May  6 17:04:02.571: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*May  6 17:04:02.575: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*May  6 17:04:02.579: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  6 17:04:02.579: AAA SRV(0000001A): protocol reply FAIL for Authorization
*May  6 17:04:02.583: AAA SRV(0000001A): Author method=CACHE vpnuser-rad
*May  6 17:04:02.595: AAA/AUTHEN/CACHE(0000001A): No entry with username R102-EZVPN
*May  6 17:04:02.599: AAA/AUTHEN/CACHE(0000001A): No regexp matching username R102-EZVPN
*May  6 17:04:02.599: AAA SRV(0000001A): protocol reply FAIL for Authorization
*May  6 17:04:02.603: AAA SRV(0000001A): Author method=LOCAL
*May  6 17:04:02.619: AAA SRV(0000001A): protocol reply PASS for Authorization
*May  6 17:04:02.623: AAA SRV(0000001A): Return Authorization status=PASS
*May  6 17:04:02.695: AAA/BIND(0000001B): Bind i/f
*May  6 17:04:19.455: AAA/AUTHEN/LOGIN (0000001B): Pick method list 'xauth'
*May  6 17:04:19.471: AAA SRV(0000001B): process authen req
*May  6 17:04:19.471: AAA SRV(0000001B): Authen method=SERVER_GROUP vpnuser-rad
*May  6 17:04:19.475: RADIUS/ENCODE(0000001B):Orig. component type = VPN IPSEC
*May  6 17:04:19.483: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  6 17:04:19.483: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  6 17:04:19.487: RADIUS/ENCODE(0000001B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*May  6 17:04:19.491: RADIUS(0000001B): Config NAS IP: 0.0.0.0
*May  6 17:04:19.495: RADIUS/ENCODE(0000001B): acct_session_id: 17
*May  6 17:04:19.495: RADIUS(0000001B): sending
*May  6 17:04:19.507: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  6 17:04:19.523: RADIUS(0000001B): Send Access-Request to 192.168.159.41:1812 id 1645/18, len 86
*May  6 17:04:19.527: RADIUS:  authenticator 71 2E 16 7F 6B 31 03 95 - 97 5A 98 20 DB 5B 27 83
*May  6 17:04:19.527: RADIUS:  User-Name           [1]   13  "kisnovakvpn"
*May  6 17:04:19.531: RADIUS:  User-Password       [2]   18  *
*May  6 17:04:19.535: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 17:04:19.535: RADIUS:  NAS-Port            [5]   6   0
*May  6 17:04:19.539: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  6 17:04:19.543: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  6 17:04:19.551: RADIUS(0000001B): Started 4 sec timeout
*May  6 17:04:23.267: RADIUS(0000001B): Request timed out
*May  6 17:04:23.275: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/18
*May  6 17:04:23.283: RADIUS(0000001B): Started 4 sec timeout
*May  6 17:04:26.823: RADIUS(0000001B): Request timed out
*May  6 17:04:26.827: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/18
*May  6 17:04:26.835: RADIUS(0000001B): Started 4 sec timeout
*May  6 17:04:30.515: RADIUS(0000001B): Request timed out
*May  6 17:04:30.519: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/18
*May  6 17:04:30.527: RADIUS(0000001B): Started 4 sec timeout
*May  6 17:04:34.455: RADIUS(0000001B): Request timed out
*May  6 17:04:34.459: RADIUS: No response from (192.168.159.41:1812,1813) for id 1645/18
*May  6 17:04:34.471: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*May  6 17:04:34.475: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*May  6 17:04:34.479: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  6 17:04:34.483: AAA SRV(0000001B): protocol reply FAIL for Authentication
*May  6 17:04:34.483: AAA SRV(0000001B): Authen method=CACHE vpnuser-rad
*May  6 17:04:34.491: AAA/AUTHEN/CACHE(0000001B): Found a match
*May  6 17:04:34.495: AAA/AUTHEN/CACHE(0000001B): PASS  for username kisnovakvpn
*May  6 17:04:34.499: AAA SRV(0000001B): protocol reply PASS for Authentication
*May  6 17:04:34.499: AAA SRV(0000001B): Return Authentication status=PASS
*May  6 17:04:34.723: AAA/AUTHOR (0x1B): Pick method list 'xauth'
*May  6 17:04:34.735: AAA SRV(0000001B): process author req
*May  6 17:04:34.735: AAA SRV(0000001B): Author method=SERVER_GROUP vpnuser-rad
*May  6 17:04:34.743: RADIUS/ENCODE(0000001B):Orig. component type = VPN IPSEC
*May  6 17:04:34.747: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  6 17:04:34.751: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  6 17:04:34.755: RADIUS(0000001B): Config NAS IP: 0.0.0.0
*May  6 17:04:34.755: RADIUS/ENCODE(0000001B): acct_session_id: 17
*May  6 17:04:34.759: RADIUS(0000001B): sending
*May  6 17:04:34.775: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  6 17:04:34.791: RADIUS(0000001B): Send Access-Request to 192.168.159.41:1812 id 1645/19, len 97
*May  6 17:04:34.795: RADIUS:  authenticator B6 C3 E2 FD 0A 53 92 52 - E0 9B 72 47 3E 88 22 96
*May  6 17:04:34.795: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 17:04:34.799: RADIUS:  User-Password       [2]   18  *
*May  6 17:04:34.803: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 17:04:34.803: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  6 17:04:34.807: RADIUS:  NAS-Port            [5]   6   0
*May  6 17:04:34.811: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  6 17:04:34.815: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  6 17:04:34.815: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  6 17:04:34.823: RADIUS(0000001B): Started 4 sec timeout
*May  6 17:04:38.747: RADIUS(0000001B): Request timed out
*May  6 17:04:38.751: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/19
*May  6 17:04:38.759: RADIUS(0000001B): Started 4 sec timeout
*May  6 17:04:42.239: RADIUS(0000001B): Request timed out
*May  6 17:04:42.243: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/19
*May  6 17:04:42.251: RADIUS(0000001B): Started 4 sec timeout
*May  6 17:04:46.227: RADIUS(0000001B): Request timed out
*May  6 17:04:46.231: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/19
*May  6 17:04:46.239: RADIUS(0000001B): Started 4 sec timeout
Traffic Shaping feature not supported in input policy.

*May  6 17:04:50.047: RADIUS(0000001B): Request timed out
*May  6 17:04:50.051: RADIUS: No response from (192.168.159.41:1812,1813) for id 1645/19
*May  6 17:04:50.063: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*May  6 17:04:50.067: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*May  6 17:04:50.071: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  6 17:04:50.075: AAA SRV(0000001B): protocol reply FAIL for Authorization
*May  6 17:04:50.075: AAA SRV(0000001B): Author method=CACHE vpnuser-rad
*May  6 17:04:50.083: AAA/AUTHEN/CACHE(0000001B): No entry with username R102-EZVPN
*May  6 17:04:50.087: AAA/AUTHEN/CACHE(0000001B): No regexp matching username R102-EZVPN
*May  6 17:04:50.091: AAA SRV(0000001B): protocol reply FAIL for Authorization
*May  6 17:04:50.091: AAA SRV(0000001B): Author method=LOCAL
*May  6 17:04:50.107: AAA SRV(0000001B): protocol reply PASS for Authorization
*May  6 17:04:50.107: AAA SRV(0000001B): Return Authorization status=PASS
*May  6 17:04:50.427: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*May  6 17:05:00.239: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

R102#sh cry session det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Virtual-Access2
Username: kisnovakvpn
Profile: EZVPN
Group: R102-EZVPN
Assigned address: 192.168.102.34
Uptime: 00:00:24
Session status: UP-ACTIVE
Peer: 192.168.159.128 port 1113 fvrf: (none) ivrf: (none)
Phase1_id: R102-EZVPN
Desc: (none)
IKE SA: local 192.168.159.102/500 remote 192.168.159.128/1113 Active
Capabilities:CX connid:1007 lifetime:23:58:31
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.102.34
Active SAs: 2, origin: crypto map
Inbound:  #pkts dec'ed 23 drop 0 life (KB/Sec) 4533701/3575
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4533706/3575


Cached credentials and the IP address are applied to kisnovakvpn, while toniovpn gets an address from the local R102_Loopback1 pool, which differs from the pool given on the ACS.
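As an added example (not code from the original post), the following Python parses debug lines of the shape shown above and reports, per AAA session and phase, which method finally answered, so an operator can spot logins that were served from the cache or from local authorization while the ACS was unreachable. The sample lines are constructed in the style of the router output above, not a verbatim capture.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the shape of the 'debug aaa' / 'debug radius' output above.
SAMPLE_LOG = """\
*May  6 16:59:18.395: AAA SRV(00000016): Authen method=SERVER_GROUP vpnuser-rad
*May  6 16:59:18.443: RADIUS(00000016): Send Access-Request to 192.168.159.41:1812 id 1645/11, len 83
*May  6 16:59:18.451: RADIUS:  User-Name           [1]   10  "toniovpn"
*May  6 16:59:18.559: AAA SRV(00000016): protocol reply PASS for Authentication
*May  6 16:59:18.563: AAA SRV(00000016): Return Authentication status=PASS
*May  6 17:04:19.471: AAA SRV(0000001B): Authen method=SERVER_GROUP vpnuser-rad
*May  6 17:04:19.523: RADIUS(0000001B): Send Access-Request to 192.168.159.41:1812 id 1645/18, len 86
*May  6 17:04:19.527: RADIUS:  User-Name           [1]   13  "kisnovakvpn"
*May  6 17:04:34.483: AAA SRV(0000001B): protocol reply FAIL for Authentication
*May  6 17:04:34.483: AAA SRV(0000001B): Authen method=CACHE vpnuser-rad
*May  6 17:04:34.499: AAA SRV(0000001B): protocol reply PASS for Authentication
*May  6 17:04:34.499: AAA SRV(0000001B): Return Authentication status=PASS
*May  6 17:04:34.735: AAA SRV(0000001B): Author method=SERVER_GROUP vpnuser-rad
*May  6 17:04:34.791: RADIUS(0000001B): Send Access-Request to 192.168.159.41:1812 id 1645/19, len 97
*May  6 17:04:34.795: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  6 17:04:50.075: AAA SRV(0000001B): protocol reply FAIL for Authorization
*May  6 17:04:50.075: AAA SRV(0000001B): Author method=CACHE vpnuser-rad
*May  6 17:04:50.091: AAA SRV(0000001B): protocol reply FAIL for Authorization
*May  6 17:04:50.091: AAA SRV(0000001B): Author method=LOCAL
*May  6 17:04:50.107: AAA SRV(0000001B): protocol reply PASS for Authorization
*May  6 17:04:50.107: AAA SRV(0000001B): Return Authorization status=PASS
"""

SID = r"\((?P<sid>[0-9A-Fa-f]+)\)"
RE_METHOD = re.compile(r"AAA SRV" + SID + r": (?P<phase>Authen|Author) method=(?P<method>\S+)")
RE_REPLY = re.compile(r"AAA SRV" + SID + r": protocol reply (?P<result>PASS|FAIL) for "
                      r"(?P<phase>Authentication|Authorization)")
RE_RETURN = re.compile(r"AAA SRV" + SID + r": Return (?P<phase>Authentication|Authorization) "
                       r"status=(?P<status>\w+)")
RE_SEND = re.compile(r"RADIUS" + SID + r": Send Access-Request")
RE_USER = re.compile(r'RADIUS:\s+User-Name\s+\[1\]\s+\d+\s+"(?P<user>[^"]+)"')
PHASE = {"Authen": "Authentication", "Author": "Authorization"}


@dataclass
class PhaseRecord:
    user: str | None = None
    tried: list = field(default_factory=list)   # [method, PASS/FAIL/None] in the order tried
    status: str | None = None                   # from 'Return <phase> status='

    @property
    def served_by(self) -> str | None:
        """The method whose reply was PASS (SERVER_GROUP, CACHE or LOCAL), if any."""
        for method, result in self.tried:
            if result == "PASS":
                return method
        return None


def parse_aaa_debug(text: str) -> dict:
    """Return {session_id: {phase: PhaseRecord}} for every AAA SRV session in the text."""
    sessions = defaultdict(lambda: defaultdict(PhaseRecord))
    current_phase: dict[str, str] = {}   # session id -> phase most recently started
    last_sid = None                      # session that sent the latest Access-Request
    for line in text.splitlines():
        if m := RE_METHOD.search(line):
            phase = PHASE[m["phase"]]
            current_phase[m["sid"]] = phase
            sessions[m["sid"]][phase].tried.append([m["method"], None])
        elif m := RE_REPLY.search(line):
            rec = sessions[m["sid"]][m["phase"]]
            if rec.tried and rec.tried[-1][1] is None:   # reply belongs to the last method
                rec.tried[-1][1] = m["result"]
        elif m := RE_RETURN.search(line):
            sessions[m["sid"]][m["phase"]].status = m["status"]
        elif m := RE_SEND.search(line):
            last_sid = m["sid"]
        elif (m := RE_USER.search(line)) and last_sid in current_phase:
            rec = sessions[last_sid][current_phase[last_sid]]
            rec.user = rec.user or m["user"]   # group name for authorization, user for xauth
    return sessions


def fallback_events(sessions: dict) -> list[dict]:
    """Phases that passed without the AAA server group answering: worth alerting on."""
    events = []
    for sid, phases in sessions.items():
        for phase, rec in phases.items():
            if rec.status == "PASS" and rec.served_by != "SERVER_GROUP":
                events.append({"session": sid, "phase": phase, "user": rec.user,
                               "served_by": rec.served_by,
                               "path": " -> ".join(f"{m}:{r}" for m, r in rec.tried)})
    return events


if __name__ == "__main__":
    for ev in fallback_events(parse_aaa_debug(SAMPLE_LOG)):
        print(ev)
```

On the sample, session 0000001B shows both fallbacks the logs above demonstrate: xauth answered by CACHE for kisnovakvpn, and group authorization for R102-EZVPN falling through CACHE to LOCAL.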

If you add an attribute to a user in ACS (an IP address, for example) and that user is already cached in the router, then the cache is not updated with the new information. (No outputs here, but this is my experience.) You have to clear the cache and then let the new data be cached.

Up to this point, only admin users and VPN users were allowed to be cached. But as you can see, the group name is authenticated via RADIUS too, so why not try to cache its authentication and authorization data as well?

R102(config)#aaa cache profile vpnuser
R102(config-profile-map)# regexp .*vpn any
R102(config-profile-map)# regexp .*EZVPN any
R102(config-profile-map)#^Z
R102#
R102#clear aaa cache group vpnuser-rad all
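Before the debug output, here is an added Python model (not the post's own code) of the profile map just configured: it shows why `.*vpn` never matched the group name R102-EZVPN while `.*EZVPN` does, which replies get cached at all, and what a cache lookup returns once the server group has failed. The AV pairs used are a constructed subset of those returned for the group above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class CacheProfile:
    """One 'aaa cache profile <name>' map: 'profile <user>' lines and 'regexp <re> any' lines."""
    name: str
    exact: set[str] = field(default_factory=set)
    regexps: list[re.Pattern] = field(default_factory=list)

    def profile(self, username: str) -> CacheProfile:
        self.exact.add(username)
        return self

    def regexp(self, pattern: str) -> CacheProfile:
        # Case-sensitive, like IOS: '.*vpn' did not match 'R102-EZVPN' in the debug above.
        self.regexps.append(re.compile(pattern))
        return self

    def match(self, username: str) -> str | None:
        """'exact', 'regexp' or None, mirroring the exact-match and regexp-match dB lookups."""
        if username in self.exact:
            return "exact"
        if any(rx.search(username) for rx in self.regexps):
            return "regexp"
        return None


@dataclass
class AaaCache:
    """Cache of one server group, as bound by 'cache authorization profile <name>'."""
    profile: CacheProfile
    entries: dict[str, dict[str, str]] = field(default_factory=dict)

    def on_reply(self, username: str, ok: bool, attrs: dict[str, str]) -> bool:
        """Run after the RADIUS exchange; True if the reply is in the cache afterwards."""
        if not ok:
            return False    # 'Don't cache responses with errors' (timeouts, bad packets)
        if self.profile.match(username) is None:
            return False    # 'No matching profile found for <user> in vpnuser'
        if username not in self.entries:    # the post observes existing entries are not refreshed
            self.entries[username] = dict(attrs)
        return True

    def lookup(self, username: str) -> dict[str, str] | None:
        """The fallback path: 'Author method=CACHE' once the server group has failed."""
        return self.entries.get(username)


def group_cached_before_and_after() -> tuple[bool, bool]:
    """Is the group's Access-Accept cached with '.*vpn' only, and with '.*EZVPN' added?"""
    # Constructed subset of the AV pairs the ACS returns for group R102-EZVPN above.
    group_attrs = {"ipsec:addr-pool": "R102_AAA", "ipsec:inacl": "EZsplitAAA"}
    before = AaaCache(CacheProfile("vpnuser").regexp(".*vpn"))
    after = AaaCache(CacheProfile("vpnuser").regexp(".*vpn").regexp(".*EZVPN"))
    return (before.on_reply("R102-EZVPN", True, group_attrs),
            after.on_reply("R102-EZVPN", True, group_attrs))


if __name__ == "__main__":
    print(group_cached_before_and_after())   # (False, True)
```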

*May  9 14:51:16.090: AAA/BIND(00000012): Bind i/f
*May  9 14:51:17.642: AAA SRV(00000012): process author req
*May  9 14:51:17.646: AAA SRV(00000012): Author method=SERVER_GROUP vpnuser-rad
*May  9 14:51:17.650: RADIUS/ENCODE(00000012):Orig. component type = VPN IPSEC
*May  9 14:51:17.654: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  9 14:51:17.658: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  9 14:51:17.662: RADIUS(00000012): Config NAS IP: 0.0.0.0
*May  9 14:51:17.662: RADIUS/ENCODE(00000012): acct_session_id: 8
*May  9 14:51:17.666: RADIUS(00000012): sending
*May  9 14:51:17.678: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  9 14:51:17.690: RADIUS(00000012): Send Access-Request to 192.168.159.41:1812 id 1645/4, len 97
*May  9 14:51:17.694: RADIUS:  authenticator 3C 5B 2C 21 26 FB 32 01 - 81 10 CF 51 3D E9 DD B4
*May  9 14:51:17.694: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  9 14:51:17.698: RADIUS:  User-Password       [2]   18  *
*May  9 14:51:17.702: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:51:17.702: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:51:17.706: RADIUS:  NAS-Port            [5]   6   0
*May  9 14:51:17.710: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  9 14:51:17.710: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  9 14:51:17.714: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  9 14:51:17.722: RADIUS(00000012): Started 4 sec timeout
*May  9 14:51:19.106: RADIUS: Received from id 1645/4 192.168.159.41:1812, Access-Accept, len 297
*May  9 14:51:19.110: RADIUS:  authenticator 2E 29 2F C2 61 69 7B C9 - 19 DF 6F 96 E1 DB 5F 48
*May  9 14:51:19.114: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  9 14:51:19.118: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  9 14:51:19.118: RADIUS:  Class               [25]  23
*May  9 14:51:19.122: RADIUS:   43 41 43 53 3A 63 73 61 63 73 2F 36 32 37 37 31  [CACS:csacs/62771]
*May  9 14:51:19.126: RADIUS:   38 37 33 2F 36             [ 873/6]
*May  9 14:51:19.130: RADIUS:  Vendor, Cisco       [26]  29
*May  9 14:51:19.130: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type*ESP"
*May  9 14:51:19.134: RADIUS:  Vendor, Cisco       [26]  30
*May  9 14:51:19.138: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
*May  9 14:51:19.138: RADIUS:  Vendor, Cisco       [26]  33
*May  9 14:51:19.142: RADIUS:   Cisco AVpair       [1]   27  "ipsec:tunnel-password=lab"
*May  9 14:51:19.146: RADIUS:  Vendor, Cisco       [26]  32
*May  9 14:51:19.146: RADIUS:   Cisco AVpair       [1]   26  "ipsec:addr-pool=R102_AAA"
*May  9 14:51:19.150: RADIUS:  Vendor, Cisco       [26]  43
*May  9 14:51:19.150: RADIUS:   Cisco AVpair       [1]   37  "ipsec:dns-servers=10.1.1.1 10.2.2.2"
*May  9 14:51:19.154: RADIUS:  Vendor, Cisco       [26]  39
*May  9 14:51:19.158: RADIUS:   Cisco AVpair       [1]   33  "ipsec:xauth-banner="AAA banner""
*May  9 14:51:19.158: RADIUS:  Vendor, Cisco       [26]  30
*May  9 14:51:19.162: RADIUS:   Cisco AVpair       [1]   24  "ipsec:inacl=EZsplitAAA"
*May  9 14:51:19.182: RADIUS(00000012): Received from id 1645/4
*May  9 14:51:19.190: RADIUS/DECODE: parse unknown cisco vsa "xauth-banner" - IGNORE
*May  9 14:51:19.198: AAA/AUTHEN/CACHE: SG profile vpnuser
*May  9 14:51:19.198: AAA/AUTHEN/CACHE: SG block for vpnuser found
*May  9 14:51:19.202: AAA/AUTHEN/CACHE: matching profile found for R102-EZVPN in vpnuser
*May  9 14:51:19.206: AAA SRV(00000012): protocol reply PASS for Authorization
*May  9 14:51:19.210: AAA SRV(00000012): Return Authorization status=PASS
*May  9 14:51:19.278: AAA/BIND(00000013): Bind i/f
*May  9 14:51:24.746: AAA/AUTHEN/LOGIN (00000013): Pick method list 'xauth'
*May  9 14:51:24.758: AAA SRV(00000013): process authen req
*May  9 14:51:24.762: AAA SRV(00000013): Authen method=SERVER_GROUP vpnuser-rad
*May  9 14:51:24.766: RADIUS/ENCODE(00000013):Orig. component type = VPN IPSEC
*May  9 14:51:24.770: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  9 14:51:24.774: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  9 14:51:24.778: RADIUS/ENCODE(00000013): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*May  9 14:51:24.782: RADIUS(00000013): Config NAS IP: 0.0.0.0
*May  9 14:51:24.782: RADIUS/ENCODE(00000013): acct_session_id: 9
*May  9 14:51:24.786: RADIUS(00000013): sending
*May  9 14:51:24.798: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  9 14:51:24.810: RADIUS(00000013): Send Access-Request to 192.168.159.41:1812 id 1645/5, len 86
*May  9 14:51:24.814: RADIUS:  authenticator F6 8B 01 52 87 24 0B 40 - CE 86 F4 8F 94 39 7E F5
*May  9 14:51:24.818: RADIUS:  User-Name           [1]   13  "kisnovakvpn"
*May  9 14:51:24.822: RADIUS:  User-Password       [2]   18  *
*May  9 14:51:24.822: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:51:24.826: RADIUS:  NAS-Port            [5]   6   0
*May  9 14:51:24.830: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  9 14:51:24.830: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  9 14:51:26.014: RADIUS: Received from id 1645/5 192.168.159.41:1812, Access-Accept, len 62
*May  9 14:51:26.018: RADIUS:  authenticator DB DB 24 9E 07 0C 9F E7 - 04 4D FB D7 A3 3F CE 6A
*May  9 14:51:26.022: RADIUS:  User-Name           [1]   13  "kisnovakvpn"
*May  9 14:51:26.022: RADIUS:  Framed-IP-Address   [8]   6   192.168.102.34
*May  9 14:51:26.026: RADIUS:  Class               [25]  23
*May  9 14:51:26.030: RADIUS:   43 41 43 53 3A 63 73 61 63 73 2F 36 32 37 37 31  [CACS:csacs/62771]
*May  9 14:51:26.034: RADIUS:   38 37 33 2F 37             [ 873/7]
*May  9 14:51:26.058: RADIUS(00000013): Received from id 1645/5
*May  9 14:51:26.062: AAA/AUTHEN/CACHE: SG profile vpnuser
*May  9 14:51:26.066: AAA/AUTHEN/CACHE: SG block for vpnuser found
*May  9 14:51:26.070: AAA/AUTHEN/CACHE: matching profile found for kisnovakvpn in vpnuser
*May  9 14:51:26.070: AAA/AUTHEN/CACHE: Dealing with authen_type = 1
*May  9 14:51:26.074: AAA SRV(00000013): protocol reply PASS for Authentication
*May  9 14:51:26.078: AAA SRV(00000013): Return Authentication status=PASS
*May  9 14:51:26.998: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*May  9 14:51:27.110: AAA SRV(00000013): process author req
*May  9 14:51:27.114: AAA SRV(00000013): Author method=SERVER_GROUP vpnuser-rad
*May  9 14:51:27.118: RADIUS/ENCODE(00000013):Orig. component type = VPN IPSEC
*May  9 14:51:27.122: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  9 14:51:27.126: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  9 14:51:27.130: RADIUS(00000013): Config NAS IP: 0.0.0.0
*May  9 14:51:27.134: RADIUS/ENCODE(00000013): acct_session_id: 9
*May  9 14:51:27.134: RADIUS(00000013): sending
*May  9 14:51:27.154: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  9 14:51:27.170: RADIUS(00000013): Send Access-Request to 192.168.159.41:1812 id 1645/6, len 97
*May  9 14:51:27.174: RADIUS:  authenticator 0B 65 CB E8 DC FF 3E 2B - 87 0B AC 64 CD 61 6D 83
*May  9 14:51:27.174: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  9 14:51:27.178: RADIUS:  User-Password       [2]   18  *
*May  9 14:51:27.182: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:51:27.182: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:51:27.186: RADIUS:  NAS-Port            [5]   6   0
*May  9 14:51:27.190: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  9 14:51:27.190: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  9 14:51:27.194: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  9 14:51:27.202: RADIUS(00000013): Started 4 sec timeout
*May  9 14:51:27.902: RADIUS: Received from id 1645/6 192.168.159.41:1812, Access-Accept, len 297
*May  9 14:51:27.906: RADIUS:  authenticator 9E 3B 05 BA 97 22 52 30 - 40 F7 99 C8 79 32 E0 71
*May  9 14:51:27.910: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  9 14:51:27.914: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  9 14:51:27.914: RADIUS:  Class               [25]  23
*May  9 14:51:27.918: RADIUS:   43 41 43 53 3A 63 73 61 63 73 2F 36 32 37 37 31  [CACS:csacs/62771]
*May  9 14:51:27.922: RADIUS:   38 37 33 2F 38             [ 873/8]
*May  9 14:51:27.926: RADIUS:  Vendor, Cisco       [26]  29
*May  9 14:51:27.926: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type*ESP"
*May  9 14:51:27.930: RADIUS:  Vendor, Cisco       [26]  30
*May  9 14:51:27.934: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
*May  9 14:51:27.934: RADIUS:  Vendor, Cisco       [26]  33
*May  9 14:51:27.938: RADIUS:   Cisco AVpair       [1]   27  "ipsec:tunnel-password=lab"
*May  9 14:51:27.942: RADIUS:  Vendor, Cisco       [26]  32
*May  9 14:51:27.942: RADIUS:   Cisco AVpair       [1]   26  "ipsec:addr-pool=R102_AAA"
*May  9 14:51:27.946: RADIUS:  Vendor, Cisco       [26]  43
*May  9 14:51:27.946: RADIUS:   Cisco AVpair       [1]   37  "ipsec:dns-servers=10.1.1.1 10.2.2.2"
*May  9 14:51:27.950: RADIUS:  Vendor, Cisco       [26]  39
*May  9 14:51:27.950: RADIUS:   Cisco AVpair       [1]   33  "ipsec:xauth-banner="AAA banner""
*May  9 14:51:27.954: RADIUS:  Vendor, Cisco       [26]  30
*May  9 14:51:27.958: RADIUS:   Cisco AVpair       [1]   24  "ipsec:inacl=EZsplitAAA"
*May  9 14:51:27.982: RADIUS(00000013): Received from id 1645/6
*May  9 14:51:27.990: RADIUS/DECODE: parse unknown cisco vsa "xauth-banner" - IGNORE
*May  9 14:51:27.994: AAA/AUTHEN/CACHE: SG profile vpnuser
*May  9 14:51:27.998: AAA/AUTHEN/CACHE: SG block for vpnuser found
*May  9 14:51:27.998: AAA/AUTHEN/CACHE: matching profile found for R102-EZVPN in vpnuser
*May  9 14:51:28.002: AAA/AUTHEN/CACHE: Could not add entry into cache
*May  9 14:51:28.002: AAA SRV(00000013): protocol reply PASS for Authorization
*May  9 14:51:28.006: AAA SRV(00000013): Return Authorization status=PASS
*May  9 14:51:36.278: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R102#sh aaa cache group vpnuser-rad all
----------------------------------------------------------
Entries in Profile dB vpnuser-rad for exact match
----------------------------------------------------------
Profile: R102-EZVPN
Updated: 00:00:29
Parse User: N
Authen User: Y
Query Count: 1
6731B184 0 00000009 username(422) 10 R102-EZVPN, service none, protocol none
6731B194 0 00000001 service-type(322) 4 Outbound, service none, protocol none
6731B1A4 0 00000002 tunnel-type(420) 4 esp, service none, protocol ipsec
6731B1B4 0 00000009 key-exchange(212) 3 ike, service none, protocol ipsec
6731B1C4 0 00000009 tunnel-password(413) 3 <opaque value>, service none, protocol ipsec
6731B118 0 00000009 addr-pool(11) 8 R102_AAA, service none, protocol ipsec
6731B128 0 00000009 dns-servers(83) 17 10.1.1.1 10.2.2.2, service none, protocol ipsec
6731B138 0 00000009 inacl(143) 10 EZsplitAAA, service none, protocol ipsec
Profile: kisnovakvpn
Updated: 00:00:22
Parse User: N
Authen User: Y
Query Count: 0
6731AD4C 0 00000009 username(422) 11 kisnovakvpn, service none, protocol none
6731AD5C 0 00000001 addr(8) 4 192.168.102.34, service none, protocol none
----------------------------------------------------------
Entries in Profile dB vpnuser-rad for regexp match
----------------------------------------------------------
No entries found for regexp match

R102#  ### ACS disconnected from the network at this point ###
*May  9 14:53:23.702: AAA/BIND(00000014): Bind i/f
*May  9 14:53:23.878: AAA SRV(00000014): process author req
*May  9 14:53:23.882: AAA SRV(00000014): Author method=SERVER_GROUP vpnuser-rad
*May  9 14:53:23.886: RADIUS/ENCODE(00000014):Orig. component type = VPN IPSEC
*May  9 14:53:23.890: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  9 14:53:23.894: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  9 14:53:23.898: RADIUS(00000014): Config NAS IP: 0.0.0.0
*May  9 14:53:23.902: RADIUS/ENCODE(00000014): acct_session_id: 10
*May  9 14:53:23.902: RADIUS(00000014): sending
*May  9 14:53:23.918: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  9 14:53:23.934: RADIUS(00000014): Send Access-Request to 192.168.159.41:1812 id 1645/7, len 97
*May  9 14:53:23.938: RADIUS:  authenticator 7A 4C 4C B0 59 DE 4D B6 - 04 90 A1 6F 52 A4 DD B2
*May  9 14:53:23.942: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  9 14:53:23.946: RADIUS:  User-Password       [2]   18  *
*May  9 14:53:23.946: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:53:23.950: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:53:23.954: RADIUS:  NAS-Port            [5]   6   0
*May  9 14:53:23.954: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  9 14:53:23.958: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  9 14:53:23.962: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  9 14:53:23.966: RADIUS(00000014): Started 4 sec timeout
*May  9 14:53:27.934: RADIUS(00000014): Request timed out
*May  9 14:53:27.938: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/7
*May  9 14:53:27.946: RADIUS(00000014): Started 4 sec timeout
*May  9 14:53:31.394: RADIUS(00000014): Request timed out
*May  9 14:53:31.398: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/7
*May  9 14:53:31.406: RADIUS(00000014): Started 4 sec timeout
*May  9 14:53:35.394: RADIUS(00000014): Request timed out
*May  9 14:53:35.402: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/7
*May  9 14:53:35.406: RADIUS(00000014): Started 4 sec timeout
*May  9 14:53:39.002: RADIUS(00000014): Request timed out
*May  9 14:53:39.006: RADIUS: No response from (192.168.159.41:1812,1813) for id 1645/7
*May  9 14:53:39.022: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*May  9 14:53:39.026: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*May  9 14:53:39.030: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  9 14:53:39.030: AAA SRV(00000014): protocol reply FAIL for Authorization
*May  9 14:53:39.034: AAA SRV(00000014): Author method=CACHE vpnuser-rad
*May  9 14:53:39.046: AAA SRV(00000014): protocol reply PASS for Authorization
*May  9 14:53:39.050: AAA SRV(00000014): Return Authorization status=PASS
*May  9 14:53:39.150: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.159.128 was not encrypted and it should've been.
*May  9 14:53:39.158: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.159.128 was not encrypted and it should've been.
*May  9 14:54:32.330: AAA/BIND(00000015): Bind i/f
*May  9 14:54:32.602: AAA SRV(00000015): process author req
*May  9 14:54:32.602: AAA SRV(00000015): Author method=SERVER_GROUP vpnuser-rad
*May  9 14:54:32.606: RADIUS/ENCODE(00000015):Orig. component type = VPN IPSEC
*May  9 14:54:32.614: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  9 14:54:32.618: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  9 14:54:32.618: RADIUS(00000015): Config NAS IP: 0.0.0.0
*May  9 14:54:32.622: RADIUS/ENCODE(00000015): acct_session_id: 11
*May  9 14:54:32.626: RADIUS(00000015): sending
*May  9 14:54:32.634: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  9 14:54:32.654: RADIUS(00000015): Send Access-Request to 192.168.159.41:1812 id 1645/8, len 97
*May  9 14:54:32.658: RADIUS:  authenticator C7 43 1D 49 D5 DD 9E DC - AC F8 8C 94 13 0C 9A 8C
*May  9 14:54:32.658: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  9 14:54:32.662: RADIUS:  User-Password       [2]   18  *
*May  9 14:54:32.666: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:54:32.666: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:54:32.670: RADIUS:  NAS-Port            [5]   6   0
*May  9 14:54:32.674: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  9 14:54:32.678: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  9 14:54:32.678: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  9 14:54:32.686: RADIUS(00000015): Started 4 sec timeout
*May  9 14:54:36.286: RADIUS(00000015): Request timed out
*May  9 14:54:36.290: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/8
*May  9 14:54:36.298: RADIUS(00000015): Started 4 sec timeout
*May  9 14:54:40.258: RADIUS(00000015): Request timed out
*May  9 14:54:40.262: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/8
*May  9 14:54:40.270: RADIUS(00000015): Started 4 sec timeout
*May  9 14:54:43.986: RADIUS(00000015): Request timed out
*May  9 14:54:43.990: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/8
*May  9 14:54:43.998: RADIUS(00000015): Started 4 sec timeout
*May  9 14:54:47.478: RADIUS(00000015): Request timed out
*May  9 14:54:47.482: RADIUS: No response from (192.168.159.41:1812,1813) for id 1645/8
*May  9 14:54:47.490: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*May  9 14:54:47.490: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*May  9 14:54:47.490: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  9 14:54:47.494: AAA SRV(00000015): protocol reply FAIL for Authorization
*May  9 14:54:47.494: AAA SRV(00000015): Author method=CACHE vpnuser-rad
*May  9 14:54:47.502: AAA SRV(00000015): protocol reply PASS for Authorization
*May  9 14:54:47.506: AAA SRV(00000015): Return Authorization status=PASS
*May  9 14:54:47.698: AAA/BIND(00000016): Bind i/f
*May  9 14:54:55.534: AAA/AUTHEN/LOGIN (00000016): Pick method list 'xauth'
*May  9 14:54:55.546: AAA SRV(00000016): process authen req
*May  9 14:54:55.550: AAA SRV(00000016): Authen method=SERVER_GROUP vpnuser-rad
*May  9 14:54:55.554: RADIUS/ENCODE(00000016):Orig. component type = VPN IPSEC
*May  9 14:54:55.558: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  9 14:54:55.562: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  9 14:54:55.566: RADIUS/ENCODE(00000016): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*May  9 14:54:55.566: RADIUS(00000016): Config NAS IP: 0.0.0.0
*May  9 14:54:55.570: RADIUS/ENCODE(00000016): acct_session_id: 12
*May  9 14:54:55.574: RADIUS(00000016): sending
*May  9 14:54:55.586: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  9 14:54:55.610: RADIUS(00000016): Send Access-Request to 192.168.159.41:1812 id 1645/9, len 86
*May  9 14:54:55.614: RADIUS:  authenticator 4F 01 8A 6F 2D 4B EE 22 - AE 83 3A 31 75 93 02 53
*May  9 14:54:55.614: RADIUS:  User-Name           [1]   13  "kisnovakvpn"
*May  9 14:54:55.618: RADIUS:  User-Password       [2]   18  *
*May  9 14:54:55.622: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:54:55.622: RADIUS:  NAS-Port            [5]   6   0
*May  9 14:54:55.626: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  9 14:54:55.630: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  9 14:54:55.638: RADIUS(00000016): Started 4 sec timeout
*May  9 14:54:59.338: RADIUS(00000016): Request timed out
*May  9 14:54:59.342: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/9
*May  9 14:54:59.350: RADIUS(00000016): Started 4 sec timeout
*May  9 14:55:03.370: RADIUS(00000016): Request timed out
*May  9 14:55:03.374: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.159.41:1812,1813 is not responding.
*May  9 14:55:03.382: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.159.41:1812,1813 is being marked alive.
*May  9 14:55:03.386: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/9
*May  9 14:55:03.394: RADIUS(00000016): Started 4 sec timeout
*May  9 14:55:07.078: RADIUS(00000016): Request timed out
*May  9 14:55:07.082: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/9
*May  9 14:55:07.090: RADIUS(00000016): Started 4 sec timeout
*May  9 14:55:11.102: RADIUS(00000016): Request timed out
*May  9 14:55:11.106: RADIUS: No response from (192.168.159.41:1812,1813) for id 1645/9
*May  9 14:55:11.118: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*May  9 14:55:11.122: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*May  9 14:55:11.126: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  9 14:55:11.130: AAA SRV(00000016): protocol reply FAIL for Authentication
*May  9 14:55:11.130: AAA SRV(00000016): Authen method=CACHE vpnuser-rad
*May  9 14:55:11.134: AAA/AUTHEN/CACHE(00000016): Found a match
*May  9 14:55:11.134: AAA/AUTHEN/CACHE(00000016): PASS  for username kisnovakvpn
*May  9 14:55:11.134: AAA SRV(00000016): protocol reply PASS for Authentication
*May  9 14:55:11.134: AAA SRV(00000016): Return Authentication status=PASS
*May  9 14:55:11.238: AAA SRV(00000016): process author req
*May  9 14:55:11.238: AAA SRV(00000016): Author method=SERVER_GROUP vpnuser-rad
*May  9 14:55:11.246: RADIUS/ENCODE(00000016):Orig. component type = VPN IPSEC
*May  9 14:55:11.250: RADIUS:  AAA Unsupported Attr: interface         [204] 15
*May  9 14:55:11.254: RADIUS:   31 39 32 2E 31 36 38 2E 31 35 39 2E 31     [ 192.168.159.1]
*May  9 14:55:11.258: RADIUS(00000016): Config NAS IP: 0.0.0.0
*May  9 14:55:11.258: RADIUS/ENCODE(00000016): acct_session_id: 12
*May  9 14:55:11.262: RADIUS(00000016): sending
*May  9 14:55:11.342: RADIUS/ENCODE: Best Local IP-Address 192.168.159.102 for Radius-Server 192.168.159.41
*May  9 14:55:11.358: RADIUS(00000016): Send Access-Request to 192.168.159.41:1812 id 1645/10, len 97
*May  9 14:55:11.362: RADIUS:  authenticator 10 F2 44 93 F7 43 22 32 - 98 91 D0 51 91 93 80 57
*May  9 14:55:11.362: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  9 14:55:11.366: RADIUS:  User-Password       [2]   18  *
*May  9 14:55:11.370: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:55:11.370: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*May  9 14:55:11.374: RADIUS:  NAS-Port            [5]   6   0
*May  9 14:55:11.378: RADIUS:  NAS-Port-Id         [87]  17  "192.168.159.102"
*May  9 14:55:11.378: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*May  9 14:55:11.382: RADIUS:  NAS-IP-Address      [4]   6   192.168.159.102
*May  9 14:55:11.390: RADIUS(00000016): Started 4 sec timeout
*May  9 14:55:15.382: RADIUS(00000016): Request timed out
*May  9 14:55:15.386: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/10
*May  9 14:55:15.394: RADIUS(00000016): Started 4 sec timeout
*May  9 14:55:19.186: RADIUS(00000016): Request timed out
*May  9 14:55:19.190: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/10
*May  9 14:55:19.198: RADIUS(00000016): Started 4 sec timeout
*May  9 14:55:23.070: RADIUS(00000016): Request timed out
*May  9 14:55:23.074: RADIUS: Retransmit to (192.168.159.41:1812,1813) for id 1645/10
*May  9 14:55:26.674: RADIUS(00000016): Request timed out
*May  9 14:55:26.678: RADIUS: No response from (192.168.159.41:1812,1813) for id 1645/10
*May  9 14:55:26.690: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*May  9 14:55:26.694: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*May  9 14:55:26.694: AAA/AUTHEN/CACHE: Don't cache responses with errors
*May  9 14:55:26.694: AAA SRV(00000016): protocol reply FAIL for Authorization
*May  9 14:55:26.694: AAA SRV(00000016): Author method=CACHE vpnuser-rad
*May  9 14:55:26.698: AAA SRV(00000016): protocol reply PASS for Authorization
*May  9 14:55:26.698: AAA SRV(00000016): Return Authorization status=PASS
*May  9 14:55:27.558: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*May  9 14:55:36.838: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R102#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Virtual-Access2
Username: kisnovakvpn
Profile: EZVPN
Group: R102-EZVPN
Assigned address: 192.168.102.34
Uptime: 00:00:52
Session status: UP-ACTIVE
Peer: 192.168.159.128 port 1098 fvrf: (none) ivrf: (none)
Phase1_id: R102-EZVPN
Desc: (none)
IKE SA: local 192.168.159.102/500 remote 192.168.159.128/1098 Active
Capabilities:CX connid:1004 lifetime:23:58:12
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.102.34
Active SAs: 2, origin: crypto map
Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4584070/3547
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4584070/3547


Both the group credentials and the user credentials were cached and were used once the ACS became unreachable. The show aaa cache output above confirms that every RADIUS attribute of the group profile was cached as well, so the ‘lab’ tunnel password, the R102_AAA pool and the EZsplitAAA split-tunnel ACL still applied during the fallback; the ACL and pool values can also be verified on the VPN client. The ‘Could not add entry into cache’ message at the second group authorization did not affect the result: the R102-EZVPN profile was apparently already in the cache from the first group authorization of the same connection.

Two things to keep in mind before relying on this in production. First, the fallback as configured is slow: with radius-server timeout 4 and the default three retransmits, each request waits about 16 seconds before IOS moves on to the cache method, and a connection needs three requests. The RADIUS_DEAD message followed immediately by RADIUS_ALIVE shows that no radius-server deadtime is configured, so the router never skips the dead server. In the log the first attempt after the disconnect (session 00000014) passed group authorization after 16 seconds but never reached Xauth, and the IKMP_NOT_ENCRYPTED messages that follow suggest the client had already given up on that exchange; the next attempt (sessions 00000015 and 00000016) took about a minute from the first Access-Request (14:54:32) until Virtual-Access2 came up (14:55:36). Second, the cache is a trust decision: while the ACS is unreachable, a cached user keeps working even if you have since disabled the account on the ACS, until the entry expires (cache expiry under the aaa group server, 24 hours by default), and the group tunnel password is stored on the router (shown as <opaque value>).

ACS logs are useful for verification and troubleshooting; click the Details icon of a log entry to trace the steps of the policy evaluation.

One VPN client connection triggers three RADIUS requests, as both the ACS log and the router RADIUS debug show: group authorization (R102-EZVPN), Xauth user authentication (kisnovakvpn), then group authorization again.
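The fallback is easy to miss when the debug spans hundreds of lines, so here is an added example (not code from the original post) that does the bookkeeping: it groups the ‘AAA SRV’ and RADIUS debug lines by AAA session ID and reports, for each authentication and authorization request, which methods IOS tried in what order and which one returned PASS, plus the number of RADIUS timeouts the session absorbed. SAMPLE_LOG is a constructed excerpt of the debug output above (session 00000013 with the ACS reachable, session 00000016 after the disconnect); the function names are mine.

```python
"""Which AAA method answered each request? Parses 'debug aaa' / 'debug radius' output."""
import re
from collections import defaultdict

# Constructed sample: excerpt of the router debug output shown on this page
# (session 00000013 with ACS reachable, session 00000016 with ACS disconnected).
SAMPLE_LOG = """\
*May  9 14:51:24.762: AAA SRV(00000013): Authen method=SERVER_GROUP vpnuser-rad
*May  9 14:51:24.810: RADIUS(00000013): Send Access-Request to 192.168.159.41:1812 id 1645/5, len 86
*May  9 14:51:24.818: RADIUS:  User-Name           [1]   13  "kisnovakvpn"
*May  9 14:51:26.074: AAA SRV(00000013): protocol reply PASS for Authentication
*May  9 14:51:27.114: AAA SRV(00000013): Author method=SERVER_GROUP vpnuser-rad
*May  9 14:51:27.170: RADIUS(00000013): Send Access-Request to 192.168.159.41:1812 id 1645/6, len 97
*May  9 14:51:27.174: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  9 14:51:28.002: AAA SRV(00000013): protocol reply PASS for Authorization
*May  9 14:54:55.550: AAA SRV(00000016): Authen method=SERVER_GROUP vpnuser-rad
*May  9 14:54:55.610: RADIUS(00000016): Send Access-Request to 192.168.159.41:1812 id 1645/9, len 86
*May  9 14:54:55.614: RADIUS:  User-Name           [1]   13  "kisnovakvpn"
*May  9 14:54:59.338: RADIUS(00000016): Request timed out
*May  9 14:55:03.370: RADIUS(00000016): Request timed out
*May  9 14:55:07.078: RADIUS(00000016): Request timed out
*May  9 14:55:11.102: RADIUS(00000016): Request timed out
*May  9 14:55:11.130: AAA SRV(00000016): protocol reply FAIL for Authentication
*May  9 14:55:11.130: AAA SRV(00000016): Authen method=CACHE vpnuser-rad
*May  9 14:55:11.134: AAA SRV(00000016): protocol reply PASS for Authentication
*May  9 14:55:11.238: AAA SRV(00000016): Author method=SERVER_GROUP vpnuser-rad
*May  9 14:55:11.358: RADIUS(00000016): Send Access-Request to 192.168.159.41:1812 id 1645/10, len 97
*May  9 14:55:11.362: RADIUS:  User-Name           [1]   12  "R102-EZVPN"
*May  9 14:55:15.382: RADIUS(00000016): Request timed out
*May  9 14:55:19.186: RADIUS(00000016): Request timed out
*May  9 14:55:23.070: RADIUS(00000016): Request timed out
*May  9 14:55:26.674: RADIUS(00000016): Request timed out
*May  9 14:55:26.694: AAA SRV(00000016): protocol reply FAIL for Authorization
*May  9 14:55:26.694: AAA SRV(00000016): Author method=CACHE vpnuser-rad
*May  9 14:55:26.698: AAA SRV(00000016): protocol reply PASS for Authorization
"""

TS = r"^\*?\w+\s+\d+\s+[\d:.]+: "   # "*May  9 14:51:24.762: "
METHOD_RE = re.compile(TS + r"AAA SRV\((\w+)\): (Authen|Author) method=(\S+) (\S+)")
REPLY_RE = re.compile(TS + r"AAA SRV\((\w+)\): protocol reply (PASS|FAIL) for (Authentication|Authorization)")
SEND_RE = re.compile(TS + r"RADIUS\((\w+)\): Send Access-Request")
TIMEOUT_RE = re.compile(TS + r"RADIUS\((\w+)\): Request timed out")
USER_RE = re.compile(r'RADIUS:\s+User-Name\s+\[1\]\s+\d+\s+"([^"]+)"')
PHASE = {"Authen": "Authentication", "Author": "Authorization"}


def parse_aaa_debug(text):
    """Group the debug lines by AAA session ID.

    Returns {sid: {"users": [...], "timeouts": n,
                   "Authentication": [(method, group, result), ...],
                   "Authorization": [(method, group, result), ...]}}
    with the methods (SERVER_GROUP or CACHE) in the order IOS tried them.
    """
    sessions = defaultdict(lambda: {"users": [], "timeouts": 0,
                                    "Authentication": [], "Authorization": []})
    current = None  # session whose RADIUS attributes are being dumped
    for line in text.splitlines():
        if m := METHOD_RE.match(line):
            sid, phase, method, group = m.groups()
            sessions[sid][PHASE[phase]].append([method, group, None])
        elif m := REPLY_RE.match(line):
            sid, result, phase = m.groups()
            attempts = sessions[sid][phase]
            if attempts and attempts[-1][2] is None:  # verdict of the last method tried
                attempts[-1][2] = result
        elif m := SEND_RE.match(line):
            current = m.group(1)
        elif m := TIMEOUT_RE.match(line):
            sessions[m.group(1)]["timeouts"] += 1
        elif (m := USER_RE.search(line)) and current is not None:
            if m.group(1) not in sessions[current]["users"]:
                sessions[current]["users"].append(m.group(1))
    for s in sessions.values():
        for phase in PHASE.values():
            s[phase] = [tuple(a) for a in s[phase]]
    return dict(sessions)


def cache_fallbacks(sessions):
    """Requests where every server-group attempt failed and the cache then passed.
    Returns [(sid, phase)] in session order."""
    hits = []
    for sid, s in sorted(sessions.items()):
        for phase in PHASE.values():
            attempts = s[phase]
            groups_failed = all(r == "FAIL" for m, _, r in attempts if m == "SERVER_GROUP")
            cache_passed = any(m == "CACHE" and r == "PASS" for m, _, r in attempts)
            if attempts and groups_failed and cache_passed:
                hits.append((sid, phase))
    return hits


if __name__ == "__main__":
    parsed = parse_aaa_debug(SAMPLE_LOG)
    for sid, s in sorted(parsed.items()):
        print(sid, s["users"], "timeouts:", s["timeouts"], s["Authentication"], s["Authorization"])
    print("answered by cache:", cache_fallbacks(parsed))
```

Feed it a capture taken with debug aaa authentication, debug aaa authorization and debug radius enabled; every (session, phase) pair that cache_fallbacks returns is a request the cache, not the AAA server, let in, and the timeout count per session tells you how long the client had to wait for that decision.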


The config (note that the type 7 strings below come from service password-encryption, which is reversible obfuscation, not a hash, so a posted running config still discloses the RADIUS and TACACS+ keys):

upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R102
!
boot-start-marker
boot-end-marker
!
enable secret c
!
aaa new-model
!
!
aaa group server tacacs+ admin-tac
 server 192.168.159.41
 cache authorization profile admin
 cache authentication profile admin
!
aaa group server radius vpnuser-rad
 server 192.168.159.41 auth-port 1812 acct-port 1813
 cache authorization profile vpnuser
 cache authentication profile vpnuser
!
aaa authentication login default none
aaa authentication login xauth group vpnuser-rad cache vpnuser-rad local
aaa authentication login mtac group admin-tac cache admin-tac local
aaa authentication enable default group admin-tac cache admin-tac enable
aaa authorization exec default group admin-tac cache admin-tac local
aaa authorization network xauth group vpnuser-rad cache vpnuser-rad local
aaa accounting exec default
 action-type start-stop
 group admin-tac
!
aaa cache profile vpnuser
 regexp .*vpn any
!
aaa cache profile admin
 profile aliceadmin
 profile kisnovakadmin
 profile peteradmin
!
aaa session-id common
!
ip cef
!
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
username user1 password 7 1402010E1E55
username user2@R102-EZVPN password 7 111C0A000540
username user3@gr3 password 7 06131C245E1D
username userloc secret 5 $1$MJIG$up4X8gIhTvDJoYhFFjMqe/
!
redundancy
!
policy-map POL128k
 class class-default
  shape average 128000
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group R102-EZVPN
 key pw1
 domain lab.local
 pool R102_Loopback1
 acl EZsplit
 netmask 255.255.255.0
 banner %
  HELLO
 %
crypto isakmp profile EZVPN
 match identity group R102-EZVPN
 client authentication list xauth
 isakmp authorization list xauth
 client configuration address respond
 virtual-template 5
!
crypto ipsec transform-set RA esp-3des esp-md5-hmac
!
crypto ipsec profile EZ
 set transform-set RA
 set isakmp-profile EZVPN
!
interface Loopback1
 ip address 192.168.102.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 10.0.2.102 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 192.168.159.102 255.255.255.0
 ip virtual-reassembly
!
interface FastEthernet2/1
 ip address 192.168.23.102 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template5 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZ
 service-policy output POL128k
!
!
ip local pool R102_Loopback1 192.168.102.11 192.168.102.19
ip local pool R102_AAA 192.168.102.21 192.168.102.29
!
ip route 0.0.0.0 0.0.0.0 10.0.2.51 25
!
ip access-list extended EZsplit
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended EZsplitAAA
 permit ip 10.0.2.0 0.0.0.255 any
 permit ip 192.168.23.0 0.0.0.255 any
!
tacacs-server host 192.168.159.41 single-connection
tacacs-server timeout 4
tacacs-server key 7 113A3C2625373F5D56797F71
radius-server host 192.168.159.41 auth-port 1812 acct-port 1813
radius-server timeout 4
radius-server key 7 0538232C13697A584B564347
!
!
line con 0
 exec-timeout 1200 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login authentication mtac
!
end

Software versions:
c7200-adventerprisek9-mz.150-1.M.bin
Cisco Secure ACS 5.1.0.44.2


One Response to “IOS Easy VPN with RADIUS, Cisco Secure ACS 5.1 and AAA cache”

  1. Very good additional info on attributes:
    Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure Access Control Server 5.x
