I set up a PPPoE server on an emulated 7200 and dial in from a PC. The 7200 uses RADIUS to authenticate the PPPoE users; the RADIUS server is ACS 3.2, and I also assign network access rights to the authenticated users with a downloadable IP ACL. However, I find that authentication passes normally, but the ACL is never downloaded to the 7200 router. My 7200 runs 12.4(8)T, which should satisfy the IOS version requirement, and when I run `debug aaa authorization` on the 7200 I can see that the ACS server is sending the ACL attribute to the router, so why does the download not succeed?
Here is my router configuration:
xixin-cisco-7200-1#show run
Building configuration...

Current configuration : 2274 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xixin-cisco-7200-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$J4O/$LnQZnXMLnvvtWu/rXLPFi.
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp pppoe group radius
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
ip domain name sc-troy.com
ip ssh authentication-retries 2
no ip ips deny-action ips-interface
vpdn enable
!
vpdn-group pppoe_1
 accept-dialin
  protocol pppoe
  virtual-template 1
!
username admin password 7 1304131F0202
!
interface Loopback1
 ip address 192.168.10.1 255.255.255.0
!
interface Loopback2
 ip address 172.16.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.102.27 255.255.255.0
 duplex half
 pppoe enable
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback1
 peer default ip address pool pppoe_pool
 ppp authentication chap pppoe
!
ip local pool pppoe_pool 192.168.10.200 192.168.100.205
ip classless
no ip http server
no ip http secure-server
!
tacacs-server host 192.168.102.33 key 7 111D180B10051E080D
tacacs-server directed-request
radius-server host 192.168.102.33 auth-port 1645 acct-port 1646 key 7 03105A0501 18344847
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 01425F53025B505D75
!
end
xixin-cisco-7200-1#
xixin-cisco-7200-1#debug aaa authorization
AAA Authorization debugging is on
xixin-cisco-7200-1#
*Jun 29 16:20:38.943: AAA/BIND(0000000D): Bind i/f Virtual-Template1
*Jun 29 16:20:38.947: ppp5 AAA/AUTHOR/LCP: Authorization succeeds trivially
*Jun 29 16:20:39.131: AAA/ATTR: unrecognized attribute prefix: "ACS" (WARNING)
*Jun 29 16:20:39.131: ppp5 PPP/AAA: Check Attr: addr
*Jun 29 16:20:39.131: ppp5 PPP/AAA: Check Attr: CiscoSecure-Defined-ACL
*Jun 29 16:20:39.143: AAA/BIND(0000000D): Bind i/f Virtual-Access1.1
*Jun 29 16:20:39.143: Vi1.1 AAA/AUTHOR/LCP: Process Author
*Jun 29 16:20:39.147: Vi1.1 AAA/AUTHOR/IPCP: FSM authorization not needed
*Jun 29 16:20:39.147: Vi1.1 AAA/AUTHOR/FSM: We can start IPCP
*Jun 29 16:20:39.159: Vi1.1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
*Jun 29 16:20:39.159: Vi1.1 AAA/AUTHOR/IPCP: No remote address; FIP = Use peer provided address
*Jun 29 16:20:39.159: Vi1.1 AAA/AUTHOR/IPCP: Processing AV addr
*Jun 29 16:20:39.159: Vi1.1 AAA/AUTHOR/IPCP: Authorization succeeded
*Jun 29 16:20:39.159: Vi1.1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0
*Jun 29 16:20:39.163: Vi1.1 AAA/AUTHOR/IPCP: no author-info for primary dns
*Jun 29 16:20:39.163: Vi1.1 AAA/AUTHOR/IPCP: no author-info for primary wins
*Jun 29 16:20:39.163: Vi1.1 AAA/AUTHOR/IPCP: no author-info for seconday dns
*Jun 29 16:20:39.163: Vi1.1 AAA/AUTHOR/IPCP: no author-info for seconday wins
xixin-cisco-7200-1#
xixin-cisco-7200-1#show aaa ?
  attributes     Show attributes supported by AAA subsystem
  cache          Show contents of AAA caches
  dead-criteria  Show what criteria will be applied to mark the specified server dead
  local          Show AAA local method options
  method-lists   Show method lists defined in the AAA subsystem
  servers        Show All AAA Servers as seen by the AAA Server MIB
  sessions       Show AAA Sessions as seen by AAA Session MIB
  user           Show users active in the AAA subsystem
xixin-cisco-7200-1#show aaa cache filterserver acl
xixin-cisco-7200-1#
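An added example, not code from the post or from Cisco: a small Python helper that reads the `debug aaa authorization` lines above, flags the `unrecognized attribute prefix: "ACS"` warning that appears right where the `CiscoSecure-Defined-ACL` attribute is checked, and shows the wire encoding of the attribute form IOS applies to a PPP session directly, the per-user ACL av-pair `ip:inacl#<n>=<ace>` carried in RADIUS attribute 26 (Cisco vendor ID 9, sub-type 1, cisco-av-pair). The sample debug text is copied from the post; the ACL entries and the ACL name `#ACSACL#-IP-pppoe-1` used in the usage call are constructed for the example.

```python
import re
import struct

# RADIUS Vendor-Specific attribute (type 26) carrying Cisco's cisco-av-pair.
RADIUS_VSA = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# Constructed sample: lines copied from the "debug aaa authorization" output in the post.
SAMPLE_DEBUG = """\
*Jun 29 16:20:38.947: ppp5 AAA/AUTHOR/LCP: Authorization succeeds trivially
*Jun 29 16:20:39.131: AAA/ATTR: unrecognized attribute prefix: "ACS" (WARNING)
*Jun 29 16:20:39.131: ppp5 PPP/AAA: Check Attr: addr
*Jun 29 16:20:39.131: ppp5 PPP/AAA: Check Attr: CiscoSecure-Defined-ACL
*Jun 29 16:20:39.159: Vi1.1 AAA/AUTHOR/IPCP: Authorization succeeded
"""


def analyze_debug(text):
    """Pull the attribute-handling facts out of 'debug aaa authorization' output."""
    prefixes = []
    attrs = []
    for line in text.splitlines():
        m = re.search(r'unrecognized attribute prefix: "([^"]+)"', line)
        if m:
            prefixes.append(m.group(1))
        m = re.search(r"Check Attr: (\S+)", line)
        if m:
            attrs.append(m.group(1))
    return {
        "unrecognized_prefixes": prefixes,
        "attrs_seen": attrs,
        # ACS names its downloadable ACL through the av-pair
        # "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name>-<hash>".
        "acs_dacl_offered": "CiscoSecure-Defined-ACL" in attrs,
        "acs_prefix_rejected": "ACS" in prefixes,
    }


def classify_avpair(value):
    """Say how an IOS PPP session can use a given cisco-av-pair value."""
    if value.startswith(("ip:inacl#", "ip:outacl#")):
        return "per-user ACL entry, applied to the session by IOS"
    if value.startswith("ACS:CiscoSecure-Defined-ACL="):
        return "ACS downloadable ACL name, a reference the NAS must fetch separately"
    return "other"


def per_user_acl_avpairs(aces):
    """Render ACL entries in the ip:inacl#<n>=<ace> form IOS reads from RADIUS."""
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, 1)]


def encode_cisco_avpair(value):
    """Encode one cisco-av-pair as RADIUS attribute 26 (RFC 2865 VSA layout)."""
    data = value.encode("ascii")
    if len(data) > 247:  # 255 max attribute length minus the 8-byte VSA header
        raise ValueError("av-pair too long for one VSA")
    header = struct.pack("!BBIBB", RADIUS_VSA, 8 + len(data),
                         CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(data))
    return header + data


def decode_cisco_avpair(attr):
    """Inverse of encode_cisco_avpair, with length and vendor fields checked."""
    if len(attr) < 8:
        raise ValueError("truncated VSA")
    atype, alen, vendor, vtype, vlen = struct.unpack("!BBIBB", attr[:8])
    if atype != RADIUS_VSA or vendor != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR:
        raise ValueError("not a cisco-av-pair VSA")
    if alen != len(attr) or vlen != alen - 6:
        raise ValueError("inconsistent VSA lengths")
    return attr[8:].decode("ascii")


if __name__ == "__main__":
    print(analyze_debug(SAMPLE_DEBUG))
    print(classify_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-pppoe-1"))
    # Constructed ACL entries, rendered the way IOS expects per-user ACLs.
    for pair in per_user_acl_avpairs(["permit tcp any host 192.168.10.1 eq 22",
                                      "deny ip any any"]):
        wire = encode_cisco_avpair(pair)
        print(len(wire), decode_cisco_avpair(wire), "->", classify_avpair(pair))
```

The point of the classifier is the difference the debug output exposes: the Access-Accept carried the ACS downloadable-ACL name, but IOS logged the `ACS:` prefix as unrecognised and then went on with IPCP without ever installing an ACL, so nothing shows up under `show aaa cache filterserver acl`. An `ip:inacl#` av-pair is a complete ACL entry the PPP session can apply on its own. It is also worth confirming that `radius-server vsa send authentication` is present, since that is what tells IOS to act on attribute 26; the `show run` above does not list it.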