Stuck in Lab.2.28 Vol.1 Ver5

Hi, I am stuck in Lab.2.28. The debug output looks normal, as written in the solution section.

RADIUS authentication request for John Doe is successful

RADIUS authentication request for EZVPN_USER is successful

RADIUS authentication request for EZVPN_GROUP is successful

But after getting the response for EZVPN_GROUP, authorization for John Doe fails.

Below is a capture of the debug output:

Mar 27 02:14:55 [IKEv1]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, User Authorization failed: John Doe
Mar 27 02:14:55 [IKEv1 DEBUG]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, IKE TM V6 FSM error history (struct &0xd4516938)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_AUTH, EV_AUTH_STATUS_FAIL-->TM_AUTH, NullEvent-->TM_AUTH, EV_AUTH_OK-->TM_AUTH, NullEvent-->TM_AUTH, EV_DO_AUTH-->TM_START, EV_START_AUTHOR-->TM_START, EV_START_XAUTH
Mar 27 02:14:55 [IKEv1 DEBUG]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, IKE MM Responder FSM error history (struct &0xd5a430b0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_TM_INIT_MODECFG_H, EV_TM_FAIL-->MM_TM_INIT_MODECFG_H, NullEvent-->MM_TM_INIT_MODECFG_H, EV_START_TM-->MM_TM_INIT_MODECFG, EV_START_TM-->MM_SND_MSG6_H, EV_IS_REKEYED-->MM_SND_MSG6_H, EV_TEST_TM-->MM_SND_MSG6_H, EV_TEST_CONN_AUTHOR
Mar 27 02:14:55 [IKEv1 DEBUG]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, IKE SA MM:354397fc terminating:  flags 0x0105c002, refcnt 0, tuncnt 0
Mar 27 02:14:55 [IKEv1 DEBUG]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, sending delete/delete with reason message
Mar 27 02:14:55 [IKEv1 DEBUG]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, constructing blank hash payload
Mar 27 02:14:55 [IKEv1 DEBUG]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, constructing IKE delete payload
Mar 27 02:14:55 [IKEv1 DEBUG]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, constructing qm hash payload
Mar 27 02:14:55 [IKEv1]: IP = 136.1.100.200, IKE_DECODE SENDING Message (msgid=e8f539c2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 27 02:14:55 [IKEv1]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, Removing peer from peer table failed, no match!
Mar 27 02:14:55 [IKEv1]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, Error: Unable to remove PeerTblEntry

For the ASA config:

Rack1ASA1# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname Rack1ASA1
domain-name INE.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 136.1.123.12 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 136.1.121.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!            
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
!
time-range WEEKDAYS_WORK_HOURS
 periodic weekdays 9:00 to 18:00
!
ftp mode passive
dns server-group DefaultDNS
 domain-name INE.com
access-list OUTSIDE_IN extended permit udp any any eq isakmp
access-list OUTSIDE_IN extended permit esp any any
access-list OUTSIDE_IN extended permit icmp any any
access-list SPLIT_TUNNEL standard permit 136.1.121.0 255.255.255.0
access-list SPLIT_TUNNEL_USER standard permit 150.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool EZVPN 20.0.0.1-20.0.0.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
!
router rip
 network 20.0.0.0
 network 136.1.0.0
 version 2
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 10.0.0.100
 key CISCO
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMIC 10 set transform-set 3DES_MD5
crypto dynamic-map DYNAMIC 10 set security-association lifetime seconds 28800
crypto dynamic-map DYNAMIC 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMIC 10 set reverse-route
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside
crypto ca trustpoint IE1
 revocation-check crl none
 enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
 subject-name cn=Rack1ASA1,ou=Security,o=INE,st=NV,c=US
 crl configure
crypto ca certificate map MYMAP 10
 subject-name attr ou eq security
crypto ca certificate chain IE1
 certificate ca 0123fe877fee43a34c8e9c79066f27d6
    308202de 30820288 a0030201 02021001 23fe877f ee43a34c 8e9c7906 6f27d630
    0d06092a 864886f7 0d010105 05003081 8f312d30 2b06092a 864886f7 0d010901
    161e7375 70706f72 7440696e 7465726e 6574776f 726b6578 70657274 2e636f6d
    310b3009 06035504 06130255 53310b30 09060355 04081302 4e56310d 300b0603
    55040713 0452656e 6f312230 20060355 040a1319 496e7465 726e6574 776f726b
    20457870 6572742c 20496e63 2e311130 0f060355 04031308 73633034 2d616161
    301e170d 30373130 32393132 33353032 5a170d31 37313032 39313234 3433335a
    30818f31 2d302b06 092a8648 86f70d01 0901161e 73757070 6f727440 696e7465
    726e6574 776f726b 65787065 72742e63 6f6d310b 30090603 55040613 02555331
    0b300906 03550408 13024e56 310d300b 06035504 07130452 656e6f31 22302006
    0355040a 1319496e 7465726e 6574776f 726b2045 78706572 742c2049 6e632e31
    11300f06 03550403 13087363 30342d61 6161305c 300d0609 2a864886 f70d0101
    01050003 4b003048 024100c7 e0ced9f3 a3cdf352 7b2204f2 2f2cf023 01999be7
    797abb9e ada5c34e b9d072fe c7e75b66 3c2ead2b 442aff0e 7f0bcc75 a9b264c7
    bd558adf 45fb6b7d f26b0f02 03010001 a381bd30 81ba300b 0603551d 0f040403
    0201c630 0f060355 1d130101 ff040530 030101ff 301d0603 551d0e04 16041467
    65ba44c1 bf3d6f8d f74c2142 31a971b6 62664930 69060355 1d1f0462 3060302d
    a02ba029 86276874 74703a2f 2f736330 342d6161 612f4365 7274456e 726f6c6c
    2f736330 342d6161 612e6372 6c302fa0 2da02b86 2966696c 653a2f2f 5c5c7363
    30342d61 61615c43 65727445 6e726f6c 6c5c7363 30342d61 61612e63 726c3010
    06092b06 01040182 37150104 03020100 300d0609 2a864886 f70d0101 05050003
    410003b2 6d9c28c4 63f52db7 e8b0797f 82dcb7cd bedb665a 75ab66a0 edc687af
    e8e97c07 434156b0 2bc8c503 90502d40 804c2b40 b84a92d1 ecd189c9 0db73327 b1e4
  quit
 certificate 615ea9c000000000000a
    30820414 308203be a0030201 02020a61 5ea9c000 00000000 0a300d06 092a8648
    86f70d01 01050500 30818f31 2d302b06 092a8648 86f70d01 0901161e 73757070
    6f727440 696e7465 726e6574 776f726b 65787065 72742e63 6f6d310b 30090603
    55040613 02555331 0b300906 03550408 13024e56 310d300b 06035504 07130452
    656e6f31 22302006 0355040a 1319496e 7465726e 6574776f 726b2045 78706572
    742c2049 6e632e31 11300f06 03550403 13087363 30342d61 6161301e 170d3130
    30333236 32333039 33365a17 0d313130 33323632 33313933 365a3071 3120301e
    06092a86 4886f70d 01090213 11526163 6b314153 41312e49 4e452e63 6f6d310b
    30090603 55040613 02555331 0b300906 03550408 13024e56 310c300a 06035504
    0a130349 4e453111 300f0603 55040b13 08536563 75726974 79311230 10060355
    04031309 5261636b 31415341 31305c30 0d06092a 864886f7 0d010101 0500034b
    00304802 41009f96 312d9255 f3882527 0fc90f8b 71c19eed 500eb0c8 d62509d6
    a888a930 a80360ee b72f2a1f f39ca596 d94efaf5 5ce86d3e 7fd0a471 80b8ff06
    b9d53a62 80c10203 010001a3 82021730 82021330 0b060355 1d0f0404 030205a0
    301c0603 551d1104 15301382 11526163 6b314153 41312e49 4e452e63 6f6d301d
    0603551d 0e041604 14ad0387 014b07ee e2983047 68d19cb1 f14abd25 603081cb
    0603551d 230481c3 3081c080 146765ba 44c1bf3d 6f8df74c 214231a9 71b66266
    49a18195 a4819230 818f312d 302b0609 2a864886 f70d0109 01161e73 7570706f
    72744069 6e746572 6e657477 6f726b65 78706572 742e636f 6d310b30 09060355
    04061302 5553310b 30090603 55040813 024e5631 0d300b06 03550407 13045265
    6e6f3122 30200603 55040a13 19496e74 65726e65 74776f72 6b204578 70657274
    2c20496e 632e3111 300f0603 55040313 08736330 342d6161 61821001 23fe877f
    ee43a34c 8e9c7906 6f27d630 69060355 1d1f0462 3060302d a02ba029 86276874
    74703a2f 2f736330 342d6161 612f4365 7274456e 726f6c6c 2f736330 342d6161
    612e6372 6c302fa0 2da02b86 2966696c 653a2f2f 5c5c7363 30342d61 61615c43
    65727445 6e726f6c 6c5c7363 30342d61 61612e63 726c3081 8d06082b 06010505
    07010104 8180307e 303c0608 2b060105 05073002 86306874 74703a2f 2f736330
    342d6161 612f4365 7274456e 726f6c6c 2f736330 342d6161 615f7363 30342d61
    61612e63 7274303e 06082b06 01050507 30028632 66696c65 3a2f2f5c 5c736330
    342d6161 615c4365 7274456e 726f6c6c 5c736330 342d6161 615f7363 30342d61
    61612e63 7274300d 06092a86 4886f70d 01010505 00034100 1645c0cd e4984a0e
    26a6af0d 2b293493 78cfbbdd 0ff579ed 9e0bc152 d81540be 8c99fd1f 0abd780d
    453f8c40 bb27b081 9e73dc8d 123c6408 66a77262 13c05755
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.0.100
group-policy EZVPN_USER external server-group RADIUS password *
group-policy EZVPN_GROUP external server-group RADIUS password *
group-policy EZVPN internal
group-policy EZVPN attributes
 dns-server value 10.0.0.100
 dhcp-network-scope 20.0.0.12
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
username CISCO password 8O1Lztqd.GfWUrOI encrypted
username CISCO attributes
 group-lock value EZVPN
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 authorization-server-group RADIUS
 default-group-policy EZVPN_GROUP
 dhcp-server 136.1.121.1
 username-from-certificate CN
tunnel-group EZVPN ipsec-attributes
 trust-point IE1
 isakmp ikev1-user-authentication none
tunnel-group-map enable rules
tunnel-group-map MYMAP 10 EZVPN
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5a9e7886d617d6428ec6b54cb6c5afe1
: end
Rack1ASA1#

Can anybody help?!

thx,

bug
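
The debug capture above is dense, and the FSM error history lines are printed newest transition first, so the sequence that actually led to "User Authorization failed" is easy to misread. The following Python script is an added example, not code from the post or from Cisco: it parses lines in the exact format quoted above (timestamp, bracketed facility, the `Group = ..., Username = ..., IP = ...` context prefix, and the `<state>, <event>` history), unrolls each FSM history into chronological order, and reports the first failing transition. The assumption is only that the line layout matches the quoted capture; the three sample lines embedded in the script are copied from the post.

```python
"""Triage helper for ASA IKEv1 (EZVPN) debug output.

Added example, not from the forum post or from Cisco: parses debug lines in the
format quoted above, pulls out the peer context, and unrolls the FSM error
history (which the ASA prints newest-first) so the first failing transition is
easy to spot.
"""
import re
from typing import List, Optional

# One debug line: timestamp, bracketed facility, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<facility>[^\]]+)\]: (?P<rest>.*)$"
)

# Optional peer context prefix. Username may contain spaces ("John Doe").
CTX_RE = re.compile(
    r"^(?:Group = (?P<group>[^,]+), )?"
    r"(?:Username = (?P<user>[^,]+), )?"
    r"IP = (?P<ip>[0-9.]+), (?P<msg>.*)$"
)

# "IKE TM V6 FSM error history (struct &0x...)  <state>, <event>:  S1, E1-->S2, E2..."
FSM_RE = re.compile(
    r"^(?P<fsm>IKE .*? FSM) error history \(struct &0x[0-9a-f]+\)\s+"
    r"<state>, <event>:\s+(?P<hist>.*)$"
)

# Event names that mark the point where the state machine gave up.
FAIL_MARKERS = ("FAIL", "ERROR")


def parse_line(line: str) -> Optional[dict]:
    """Parse one debug line into a dict; returns None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "facility": m["facility"], "group": None,
           "user": None, "ip": None, "msg": m["rest"]}
    c = CTX_RE.match(m["rest"])
    if c:
        rec.update(group=c["group"], user=c["user"], ip=c["ip"], msg=c["msg"])
    return rec


def parse_fsm_history(msg: str) -> Optional[dict]:
    """Unroll an FSM error history into chronological (state, event) pairs.

    The ASA prints the newest transition first (TM_DONE/EV_ERROR leads and
    TM_START/EV_START_XAUTH trails in the capture), so the list is reversed.
    """
    m = FSM_RE.match(msg)
    if not m:
        return None
    pairs = []
    for entry in m["hist"].split("-->"):
        state, _, event = entry.strip().partition(", ")
        pairs.append((state, event))
    pairs.reverse()
    first_fail = next(
        ((s, e) for s, e in pairs if any(k in e for k in FAIL_MARKERS)), None
    )
    return {"fsm": m["fsm"], "transitions": pairs, "first_failure": first_fail}


def triage(lines: List[str]) -> dict:
    """Summarise a block of IKEv1 debug lines: peer context, error lines, FSMs."""
    report = {"peer": {}, "errors": [], "fsm": {}}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] and not report["peer"]:
            report["peer"] = {k: rec[k] for k in ("group", "user", "ip")}
        fsm = parse_fsm_history(rec["msg"])
        if fsm:
            report["fsm"][fsm["fsm"]] = fsm
        elif re.search(r"failed|Error", rec["msg"]):
            report["errors"].append(rec["msg"])
    return report


# Sample input: three lines copied from the debug capture quoted in the post.
SAMPLE = """\
Mar 27 02:14:55 [IKEv1]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, User Authorization failed: John Doe
Mar 27 02:14:55 [IKEv1 DEBUG]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, IKE TM V6 FSM error history (struct &0xd4516938)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_AUTH, EV_AUTH_STATUS_FAIL-->TM_AUTH, NullEvent-->TM_AUTH, EV_AUTH_OK-->TM_AUTH, NullEvent-->TM_AUTH, EV_DO_AUTH-->TM_START, EV_START_AUTHOR-->TM_START, EV_START_XAUTH
Mar 27 02:14:55 [IKEv1]: Group = EZVPN, Username = John Doe, IP = 136.1.100.200, Removing peer from peer table failed, no match!
""".splitlines()

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("peer:", r["peer"])
    for msg in r["errors"]:
        print("error:", msg)
    for name, f in r["fsm"].items():
        print(f"{name}: first failing transition {f['first_failure']}")
        for s, e in f["transitions"]:
            print("   ", s, "<-", e)
```

Run against the capture, the TM state machine reads in order: EV_START_XAUTH, EV_START_AUTHOR, EV_DO_AUTH, EV_AUTH_OK, then EV_AUTH_STATUS_FAIL in state TM_AUTH. That confirms what the post describes: authentication itself returned OK, and the failure came at the authorization step that follows it, which is the point to check against the RADIUS server's authorization response for the user.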