I have a small problem with a router that has a bit of everything configured on it: dual SSID with WPA and PEAP/RADIUS (to get access either to a DMZ or to the local network), a VPN tunnel, IPS, etc. etc.
And I have a little problem...
Let me say up front that the part giving me trouble is configured (to my eyes) in exactly the same way as on 2 other routers where everything works correctly... Even the IOS versions are identical (12.24 T2).
Everything works: clients connect both to the SSID in the DMZ (the router itself hands out the addresses via DHCP) and to the SSID on the local network (the PEAP/RADIUS one, where the same Server 2003 box should be handing out the addresses), but for some reason the router doesn't seem to pass the server's DHCP replies on to the wireless clients, so they never get an IP address.
I tried debugging the UDP packets and saw this:
Code:
033600: Jan 28 16:33:32.043 Asti: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
033601: Jan 28 16:33:32.043 Asti: UDP: rcvd src=192.168.201.7(67), dst=255.255.255.255(68), length=320
The funny thing is that if I configure the IPs manually the PC browses perfectly, and UDP packets flow back and forth just fine to and from any source/destination (obviously including the DHCP server itself, 192.168.201.7).
The config is the following:
Code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname PippoPluto
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 Blabla
!
aaa new-model
!
!
aaa group server radius VPNDialIn
server 192.168.201.7 auth-port 1012 acct-port 1013
!
aaa authentication attempts login 5
aaa authentication login console none
aaa authentication login telnet local
aaa authentication login eap_wifi group VPNDialIn
aaa authentication ppp default group VPNDialIn
aaa authorization exec default local
aaa authorization network default group VPNDialIn
!
!
aaa session-id common
clock timezone Asti 1
clock summer-time Asti recurring last Sun Mar 2:00 last Sun Oct 3:00
clock calendar-valid
!
crypto pki trustpoint TP-self-signed-xxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxx
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
dot11 syslog
dot11 vlan-name PSK vlan 1
dot11 vlan-name Radius vlan 2
!
dot11 ssid PippoPluto
vlan Radius
authentication open eap eap_wifi
authentication network-eap eap_wifi
authentication key-management wpa
accounting aaa
mbssid guest-mode
!
dot11 ssid PippoPlutoPSK
vlan PSK
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 Blabla
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.10
!
ip dhcp pool PippoDMZ
import all
network 10.0.1.0 255.255.255.0
dns-server xxxxxxxxxxxxxxx
default-router 10.0.1.2
!
!
ip cef
no ip bootp server
ip domain name pippopluto.it
ip name-server xxxxxxxxxxxx
ip ips config location flash://ips-store/ retries 1
ip ips name IPSRULE
!
ip ips signature-category
category all
retired true
event-action reset-tcp-connection deny-packet-inline produce-alert
category ios_ips advanced
retired false
category ddos
retired false
category dos
retired false
category other_services ftp
retired false
category other_services ssh
retired false
category other_services https
retired true
category other_services http
!
ip inspect max-incomplete low 250
ip inspect max-incomplete high 300
ip inspect one-minute low 300
ip inspect one-minute high 400
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name inspection-out tcp router-traffic
ip inspect name inspection-out udp router-traffic
ip inspect name inspection-out ftp
ip inspect name inspection-out https
ip inspect name inspection-out dns
ip inspect name inspection-out ntp
ip inspect name inspection-out icmp router-traffic
ip inspect name inspection-out bittorrent
ip inspect name inspection-out edonkey
ip inspect name inspection-out http java-list 50
ip inspect name inspection-out imap
ip inspect name inspection-out irc
ip inspect name inspection-out l2tp
ip inspect name inspection-out pptp
ip inspect name inspection-out pop3
ip inspect name inspection-out smtp
ip inspect name inspection-out telnet
login block-for 300 attempts 3 within 30
login delay 3
login quiet-mode access-class 190
login on-failure log every 10
login on-success log every 10
no ipv6 cef
!
multilink bundle-name authenticated
!
isdn switch-type basic-net3
!
!
username router privilege 15 secret 5 blablabla
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
CUTTONE!!!!
quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key kakakakakak address xxxxxxxxxxxxxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel topippopluto
set peer xxxxxxxxxxx
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh version 2
bridge irb
!
!
!
interface ATM0
mtu 1492
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
ip address xxxxxxxxxxxxx 255.255.255.224
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip ips IPSRULE in
ip ips IPSRULE out
ip inspect inspection-out out
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
snmp trap ip verify drop-rate
crypto map SDM_CMAP_1
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn switch-type basic-net3
isdn point-to-point-setup
!
interface Dot11Radio0
no ip address
!
encryption vlan Radius mode ciphers aes-ccm tkip
!
encryption vlan PSK mode ciphers aes-ccm tkip
!
!
broadcast-key change 300
!
!
ssid PippoPluto
!
ssid PippoPlutoPSK
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
!
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
bridge-group 1
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 2
!
interface BVI1
description Lan DMZ
ip address 10.0.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI2
description LAN INTERNA
ip address 192.168.201.200 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source static udp 192.168.201.1 4672 interface ATM0.1 4672
ip nat inside source static tcp 192.168.201.1 4662 interface ATM0.1 4662
ip nat inside source static tcp 192.168.201.7 3389 interface ATM0.1 3389
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
!
logging trap debugging
access-list 50 remark Permette java nel CBAC
access-list 50 permit any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 remark *** ACL GENERALE DELLA ADSL ***
access-list 101 remark *** ACL per accessi esterni ***
access-list 101 permit ip host xxxxxxxxxx any
access-list 101 permit ip host xxxxxxxxxx any
access-list 101 remark *** ACL Anti-Spoofing ***
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 remark *** ACL dei servizi ***
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any gt 1023 any eq ftp-data
access-list 101 permit tcp any eq ftp-data any gt 1023
access-list 101 remark *** ACL emule ***
access-list 101 permit tcp any any eq 4662
access-list 101 permit udp any any eq 4672
access-list 101 remark *** ACL per VPN ***
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit gre any any
access-list 101 remark *** ACL per bloccare tutto il resto ***
access-list 101 deny ip any any
access-list 102 remark *** ACL per accessi Telnet ***
access-list 102 remark *** Disabilito accesso da DMZ ***
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 permit ip 192.168.201.0 0.0.0.255 any
access-list 105 permit ip 10.0.1.0 0.0.0.255 any
access-list 190 remark Whitelist per il login-block
access-list 190 permit ip 192.168.200.0 0.0.0.255 any log
access-list 190 permit ip 192.168.1.0 0.0.0.255 any log
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.201.7 auth-port 1012 acct-port 1013 key 7 025455095D5459
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 102 in
exec-timeout 0 0
transport input telnet ssh
!
scheduler interval 500
ntp master
ntp update-calendar
ntp server 193.204.114.232 prefer
ntp server 193.204.114.233
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Remember that I have 2 other configurations that look identical to me and work great....
Many thanks to anyone who can shed some light on this; I've been on it all day and still haven't cracked it!!!
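Since the poster is comparing several bridged IOS configs by eye, here is an added example (not from the original post or from Cisco IOS) that extracts the bridging topology from a running-config: which interfaces join each bridge-group, which per-member bridge-group options they set, and which BVI routes for the group. The embedded config is a constructed excerpt modelled on the interface stanzas posted above.

```python
# Added example for this thread (not from the original post or from Cisco IOS):
# map each bridge-group to its member interfaces, per-member options and BVI,
# so the L2 topology of two routers can be diffed rather than eyeballed.
import re
from collections import defaultdict

# Constructed excerpt modelled on the interface stanzas in the posted config.
SAMPLE_CONFIG = """\
interface Dot11Radio0.1
 bridge-group 1
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 bridge-group 2
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface FastEthernet0
 bridge-group 1
!
interface Vlan1
 bridge-group 2
!
interface BVI2
 ip address 192.168.201.200 255.255.255.0
!
bridge 2 route ip
"""

def bridge_groups(config):
    """Return {group: {"members": {iface: [options]}, "bvi": name|None, "route_ip": bool}}."""
    groups = defaultdict(lambda: {"members": {}, "bvi": None, "route_ip": False})
    iface = None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            if (m := re.fullmatch(r"BVI(\d+)", iface)):
                groups[int(m.group(1))]["bvi"] = iface      # BVI n routes for bridge-group n
        elif line in ("!", "end"):
            iface = None                                     # interface stanza ended
        elif iface and (m := re.fullmatch(r"(no )?bridge-group (\d+)(?: (.+))?", line)):
            opts = groups[int(m.group(2))]["members"].setdefault(iface, [])
            if m.group(3):                                   # bare 'bridge-group n' only joins
                opts.append((m.group(1) or "") + m.group(3))
        elif (m := re.fullmatch(r"bridge (\d+) route ip", line)):
            groups[int(m.group(1))]["route_ip"] = True
    return dict(groups)

if __name__ == "__main__":
    for grp, info in sorted(bridge_groups(SAMPLE_CONFIG).items()):
        print(f"bridge-group {grp}: bvi={info['bvi']} route_ip={info['route_ip']}")
        for iface, opts in info["members"].items():
            print(f"  {iface}: {', '.join(opts) or '(defaults)'}")
```

Run it against `show running-config` output from the working and non-working routers and compare the two summaries: a member interface or option present in one group and missing in the other stands out immediately.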