Windows Azure (PhoneFactor) multi-factor authentication problem with Cisco ASA

Time: 2015-08-12 02:55:02

Tags: authentication azure vpn cisco radius

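I have a Cisco ASA security appliance, and I am trying to use Azure MFA Server on a domain-member (virtual) server (Windows Server 2012 R2). The MFA server is installed and configured correctly, to the best of my knowledge.

When I run the AAA test from the Cisco CLI, it works fine:

test aaa-server authentication RADIUS

It asks me for the server IP address and my domain credentials. The MFA system calls my phone, I enter my PIN, and I get a successful test, as follows (debug output):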

Attempting Authentication test to IP address <192.168.100.3> (timeout: 62 seconds)
alloc_rip 0xac1a30a4
    new request 0x80000005 --> 29 (0xac1a30a4)
got user 'Morgan'
got password
add_req 0xac1a30a4 session 0x80000005 id 29
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 80).....
01 1d 00 50 2c 0d 72 e7 3e d9 0a d2 a8 19 45 d4    |  ...P,.r.>.....E.
4c 33 b9 1d 01 08 4d 6f 72 67 61 6e 02 22 80 0c    |  L3....Morgan."..
4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a 47 e1    |  L...fh..&.2E*.G.
5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71 04 06    |  Z.z5....I.\.uq..
c0 a8 64 fd 05 06 00 00 00 08 3d 06 00 00 00 05    |  ..d.......=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 29 (0x1D)
Radius: Length = 80 (0x0050)
Radius: Vector: 2C0D72E73ED90AD2A81945D44C33B91D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) = 
4d 6f 72 67 61 6e                                  |  Morgan
Radius: Type = 2 (0x02) User-Password
Radius: Length = 34 (0x22)
Radius: Value (String) = 
80 0c 4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a    |  ..L...fh..&.2E*.
47 e1 5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71    |  G.Z.z5....I.\.uq
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.100.253 (0xC0A864FD)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x8
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.100.3/1645
radius.c: rad_mkpkt

RADIUS packet decode (authentication request (retransmission))

--------------------------------------
Raw packet data (length = 80).....
01 1d 00 50 2c 0d 72 e7 3e d9 0a d2 a8 19 45 d4    |  ...P,.r.>.....E.
4c 33 b9 1d 01 08 4d 6f 72 67 61 6e 02 22 80 0c    |  L3....Morgan."..
4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a 47 e1    |  L...fh..&.2E*.G.
5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71 04 06    |  Z.z5....I.\.uq..
c0 a8 64 fd 05 06 00 00 00 09 3d 06 00 00 00 05    |  ..d.......=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 29 (0x1D)
Radius: Length = 80 (0x0050)
Radius: Vector: 2C0D72E73ED90AD2A81945D44C33B91D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) = 
4d 6f 72 67 61 6e                                  |  Morgan
Radius: Type = 2 (0x02) User-Password
Radius: Length = 34 (0x22)
Radius: Value (String) = 
80 0c 4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a    |  ..L...fh..&.2E*.
47 e1 5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71    |  G.Z.z5....I.\.uq
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.100.253 (0xC0A864FD)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x9
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.100.3/1645
rip 0xac1a30a4 state 7 id 29
rad_vrfy() : response message verified
rip 0xac1a30a4
 : chall_state ''
 : state 0x7
 : reqauth:
     2c 0d 72 e7 3e d9 0a d2 a8 19 45 d4 4c 33 b9 1d 
 : info 0xac1a31dc
     session_id 0x80000005
     request_id 0x1d
     user 'Morgan'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.100.3
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 20).....
02 1d 00 14 4f b4 3f 0d 47 3e 85 48 c0 f2 eb 6f    |  ....O.?.G>.H...o
7d 92 19 14                                        |  }...

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 29 (0x1D)
Radius: Length = 20 (0x0014)
Radius: Vector: 4FB43F0D473E8548C0F2EB6F7D921914
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xac1a30a4 session 0x80000005 id 29
free_rip 0xac1a30a4
radius: send queue empty
INFO: Authentication Successful

Hooray! It works! But not so fast.

When I dial in from a remote client (just Windows 7 x64 DUN), the MFA RADIUS server rejects me (same credentials). That is:

radius mkreq: 0x8d9
alloc_rip 0xac1a30a4
    new request 0x8d9 --> 22 (0xac1a30a4)
got user 'Morgan'
got password
add_req 0xac1a30a4 session 0x8d9 id 22
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 191).....
01 16 00 bf 38 24 5e c4 67 f8 67 f6 df a4 45 ad    |  ....8$^.g.g...E.
d9 bb 37 ca 01 08 4d 6f 72 67 61 6e 05 06 00 34    |  ..7...Morgan...4
d0 00 06 06 00 00 00 02 07 06 00 00 00 01 3d 06    |  ..............=.
00 00 00 05 42 11 31 39 32 2e 31 36 38 2e 31 30    |  ....B.192.168.10
30 2e 32 35 33 1a 18 00 00 01 37 0b 12 93 4e 09    |  0.253.....7...N.
d3 05 63 7b d1 7f 27 08 60 2e 8b a4 68 1a 3a 00    |  ..c{.'.`...h.:.
00 01 37 19 34 01 00 64 74 e0 85 42 cc b2 0a 93    |  ..7.4..dt..B....
34 89 9e 8e 9e 3c aa 00 00 00 00 00 00 00 00 00    |  4....<..........
28 e9 58 f7 0e bf b1 15 43 c5 f8 79 a8 c8 4f 3f    |  (.X.....C..y..O?
08 e5 4f 13 a3 c9 c5 04 06 c0 a8 64 fd 1a 16 00    |  ..O........d....
00 0c 04 92 10 44 65 66 61 75 6c 74 52 41 47 72    |  .....DefaultRAGr
6f 75 70 1a 0c 00 00 0c 04 96 06 00 00 00 05       |  oup............

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 22 (0x16)
Radius: Length = 191 (0x00BF)
Radius: Vector: 38245EC467F867F6DFA445ADD9BB37CA
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) = 
4d 6f 72 67 61 6e                                  |  Morgan
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x34D000
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 7 (0x07) Framed-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 17 (0x11)
Radius: Value (String) = 
31 39 32 2e 31 36 38 2e 31 30 30 2e 32 35 33       |  192.168.100.253
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 24 (0x18)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 11 (0x0B) MS-CHAP-Challenge
Radius: Length = 18 (0x12)
Radius: Value (String) = 
93 4e 09 d3 05 63 7b d1 7f 27 08 60 2e 8b a4 68    |  .N...c{.'.`...h
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)
Radius: Value (String) = 
01 00 64 74 e0 85 42 cc b2 0a 93 34 89 9e 8e 9e    |  ..dt..B....4....
3c aa 00 00 00 00 00 00 00 00 00 28 e9 58 f7 0e    |  <..........(.X..
bf b1 15 43 c5 f8 79 a8 c8 4f 3f 08 e5 4f 13 a3    |  ...C..y..O?..O..
c9 c5                                              |  ..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.100.253 (0xC0A864FD)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 22 (0x16)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 16 (0x10)
Radius: Value (String) = 
44 65 66 61 75 6c 74 52 41 47 72 6f 75 70          |  DefaultRAGroup
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 5 (0x0005)
send pkt 192.168.100.3/1645
rip 0xac1a30a4 state 7 id 22
rad_vrfy() : response message verified
rip 0xac1a30a4
 : chall_state ''
 : state 0x7
 : reqauth:
     38 24 5e c4 67 f8 67 f6 df a4 45 ad d9 bb 37 ca 
 : info 0xac1a31dc
     session_id 0x8d9
     request_id 0x16
     user 'Morgan'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.100.3
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 38).....
03 16 00 26 5e fd c0 10 be 94 4b 72 5f 0e 51 a8    |  ...&^.....Kr_.Q.
d3 5b 3a 65 1a 12 00 00 01 37 02 0c 01 45 3d 36    |  .[:e.....7...E=6
39 31 00 52 3d 31                                  |  91.R=1

Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 22 (0x16)
Radius: Length = 38 (0x0026)
Radius: Vector: 5EFDC010BE944B725F0E51A8D35B3A65
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 18 (0x12)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 2 (0x02) MS-CHAP-Error
Radius: Length = 12 (0x0C)
Radius: Value (String) = 
01 45 3d 36 39 31 00 52 3d 31                      |  .E=691.R=1
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0xac1a30a4 session 0x8d9 id 22
free_rip 0xac1a30a4
radius: send queue empty

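The DUN client is set to exclusively use MS-CHAP-v2 and to require encryption. I can see from my syslog entries that the ASA is establishing the tunnel correctly, so it is not an IKE or L2TP problem.

I will note that the RADIUS request itself is formatted noticeably differently, as you can see. In the request that (I assume) comes from the DUN client, I do not see any Type 2 (User-Password) element. I really don't know much about RADIUS, and I'm at a loss.

I really need to get our employees back on this VPN. Ideas?

1 answer:

Answer 0: (score: 0)

OK, after further research, I found the answer to my own question.

It turns out that NTLMv1 is required for the domain to validate MS-CHAP-v2 requests. To enhance security, our Group Policy had "Network security: LAN Manager authentication level" set to 5 - Send NTLMv2 response only\refuse LM & NTLM (NTLM here means NTLMv1). I changed this Group Policy setting to 4 - Send NTLMv2 response only\refuse LM (meaning NTLMv1 requests are allowed but only NTLMv2 responses are sent), and now the Azure MFA (PhoneFactor) RADIUS server works perfectly!

I really want to switch it back to 5 (for security), so I am still looking for a way to force the Azure MFA (PhoneFactor) RADIUS server to authenticate against the domain using NTLMv2. If I find a way to make that work, I will post it here. But for now, at least I am back on our two-factor VPN.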
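As an added example (not part of the original question or answer), this Python sketch parses RADIUS packets like the ones in the debug output, reports whether a request carries PAP (User-Password) or MS-CHAPv2 attributes, and decodes the MS-CHAP-Error field of the Access-Reject. The two request samples are constructed from the attribute layout shown above with the authenticator and credential bytes zeroed; the Access-Reject bytes are the ones shown above, and the `E=` meanings are taken from RFC 2759.

```python
import struct

MS = 311  # Microsoft vendor ID (RFC 2548)
# RFC 2759 failure codes carried in the MS-CHAP-Error "E=" field
E_CODES = {"646": "restricted logon hours", "647": "account disabled",
           "648": "password expired", "649": "no dial-in permission",
           "691": "authentication failure", "709": "error changing password"}
Z = "00"  # constructed samples: authenticator and credential bytes zeroed
CLI_TEST = bytes.fromhex("011d0050" + Z * 16 + "01084d6f7267616e" "0222" + Z * 32
                         + "0406c0a864fd" "050600000008" "3d0600000005")
DUN = bytes.fromhex("011600bf" + Z * 16 + "01084d6f7267616e" "05060034d000"
                    "060600000002" "070600000001" "3d0600000005"
                    "42113139322e3136382e3130302e323533"
                    "1a18000001370b12" + Z * 16 + "1a3a000001371934" + Z * 50
                    + "0406c0a864fd" "1a1600000c04921044656661756c74524147726f7570"
                    "1a0c00000c04960600000005")
REJECT = bytes.fromhex("031600265efdc010be944b725f0e51a8d35b3a65"  # Access-Reject above
                       "1a1200000137020c01453d36393100523d31")

def attrs(pkt):
    """List (type, value) pairs; a vendor-specific attribute gets type (vendor, subtype)."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    out, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1] if i + 1 < length else 0
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        val = pkt[i + 2:i + l]
        if t == 26 and len(val) >= 6:
            vendor = struct.unpack("!I", val[:4])[0]
            t, val = (vendor, val[4]), val[6:4 + val[5]]
        out.append((t, val))
        i += l
    return out

def auth_method(pkt):
    types = {t for t, _ in attrs(pkt)}
    if (MS, 25) in types:      # MS-CHAP2-Response
        return "MS-CHAPv2"
    return "PAP" if 2 in types else "unknown"   # 2 = User-Password

def ms_chap_error(pkt):
    """Decode MS-CHAP-Error (vendor 311, subtype 2); byte 0 is Ident, fields NUL-separated here."""
    for t, v in attrs(pkt):
        if t == (MS, 2):
            f = dict(x.split("=", 1) for x in v[1:].replace(b"\0", b" ").decode().split())
            return {"code": f["E"], "meaning": E_CODES.get(f["E"]), "retry": f.get("R") == "1"}
    return None
```

Run against these samples, the CLI test request classifies as PAP and the DUN request as MS-CHAPv2, which is why the `test aaa-server` check succeeds without exercising the path the VPN client actually uses.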
