VPN Series 9: Router privilege problems caused by the PPTP dial-in username
The PPTP test succeeded today, but then the end-user test started to fail.
Figure: (screenshot of the client-side error; image not included)
To locate the problem, first check the configuration:
server#show run
Building configuration...

Current configuration : 1668 bytes
!
! Last configuration change at 17:09:46 UTC Wed May 16 2012
upgrade fpd auto
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname server
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I9G8$C3lOYoEc6oxVnwzSEu.Iu1
!
aaa new-model
!
aaa authentication login local
aaa authentication ppp default local
!
aaa session-id common
!
ip source-route
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
crypto pki token default removal timeout 0
!
username pptp password 0 123456
!
redundancy
!
interface Loopback0
 ip address 172.18.100.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.18.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool pptp.pool
 ppp authentication chap pap
!
ip local pool pptp.pool 172.18.10.100 172.18.10.200
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.18.10.2
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication login
 stopbits 1
line aux 0
 login authentication login
 stopbits 1
line vty 0 4
 login authentication login
 transport input all
!
end
Creating new users and passwords did not help either. After half an hour the configuration was redone from scratch, and the problem persisted. A Google search suggested that error 691 may mean insufficient privilege rather than simply a wrong username or password (Windows reports 691 when the server rejects the credentials or the negotiated authentication protocol), so the first thing to try was a level-15 user:
username sos privilege 15 secret A123SO
Next, start the VPN dial-up; now for the exciting moment.
Result:
server#show vpdn
% No active L2TP tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID  Remote Name  State   Remote Address  Port   Sessions  VPDN Group
12710               estabd  172.18.101.3    61202  1         1

LocID  RemID  TunID  Intf   Username  State   Last Chg  Uniq ID
56753  2777   12710  Vi2.1  sos       estabd  00:00:26  10
Figure: (screenshot of the client-side connection status; image not included)
But this brings its own trouble: a level-15 user can do far too much on the router, anything at all. Does the dial-in account really have to be level 15? Of course not. In fact it is enough to change the command to:
username sos privilege 1 password a123ver
That is, the privilege keyword has to be stated explicitly. If the user is created like this instead:
username sos password a123ver
error 691 is reported again. (The username pptp itself reports error 691 whether it is given level 1 or level 15, so do not use that name.)
Cisco IOS has 16 privilege levels, 0 to 15 (level 1 is user EXEC, level 15 is privileged EXEC), and which commands each level may run can be managed locally in IOS or centrally from Cisco ACS. For example, the command:
privilege exec level 5 ping
assigns the ping command to level 5, so a level-1 account can no longer use ping.
In this case we move telnet, ssh and the other remote-access commands to level 6 and create the PPTP dial-in account at level 1, so there is no need to worry that the dial-in account can be used to gain more than a level-1 shell on the router. This is a simple and effective method. Note what it does and does not cover: privilege exec level restricts the exec commands themselves, so a level-1 user can no longer use the router as a jump host to telnet or ssh onward; with transport input all on the vty lines the dial-in account can still log in to the router, but only into a level-1 EXEC.
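As an added example that is not part of the original article (my own script, not the author's), the following Python code encodes the recipe above as an audit over a running config. It embeds a constructed excerpt of the weak configuration beside the hardened one and flags a dial-in account named pptp, a username without an explicit privilege keyword, a dial-in account at level 15, and telnet or ssh still usable from level 1. The config excerpts, the a123ver password and the function names are assumptions for illustration.

```python
import re

# Constructed excerpt (not the article's full running config) of the weak
# configuration: the dial-in account uses the name "pptp" with no privilege
# keyword, and telnet/ssh remain ordinary level-1 exec commands.
WEAK_CONFIG = """\
aaa new-model
aaa authentication ppp default local
username pptp password 0 123456
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool pptp.pool
 ppp authentication chap pap
line vty 0 4
 login authentication login
 transport input all
"""

# The same excerpt after applying the article's recipe: a differently named
# level-1 dial-in account with an explicit privilege keyword, ping moved to
# level 5 and the remote-access commands moved to level 6 (password assumed).
HARDENED_CONFIG = """\
aaa new-model
aaa authentication ppp default local
privilege exec level 5 ping
privilege exec level 6 telnet
privilege exec level 6 ssh
username sos privilege 1 password a123ver
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool pptp.pool
 ppp authentication chap pap
line vty 0 4
 login authentication login
 transport input all
"""

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (?:password|secret)\b")
PRIV_RE = re.compile(r"^privilege exec level (\d+) (\S+)")


def parse_users(config):
    """Map each local username to its explicit privilege level, or None when
    the keyword is omitted (IOS then defaults the account to level 1)."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else None
    return users


def parse_privilege_map(config):
    """Map each exec command moved with 'privilege exec level' to its level."""
    levels = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line)
        if m:
            levels[m.group(2)] = int(m.group(1))
    return levels


def audit(config, reserved=("pptp",), remote_cmds=("telnet", "ssh")):
    """Return findings against the article's recipe; an empty list passes.
    Assumes every local account is a dial-in account, as in the article."""
    findings = []
    for name, level in parse_users(config).items():
        if name in reserved:
            findings.append(f"username {name}: reported to fail PPTP login with error 691 regardless of level")
        if level is None:
            findings.append(f"username {name}: no explicit privilege keyword (article reports error 691 without it)")
        elif level == 15:
            findings.append(f"username {name}: dial-in account holds level 15 (full privileged EXEC)")
    levels = parse_privilege_map(config)
    for cmd in remote_cmds:
        if levels.get(cmd, 1) <= 1:  # IOS keeps telnet/ssh at level 1 unless moved
            findings.append(f"{cmd}: still usable from level 1; move it above the dial-in level")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

Run it against the text of show run on any IOS device; the weak excerpt produces four findings and the hardened one none. The audit only looks at local username and privilege exec lines, so an account defined in ACS rather than locally is not seen by it.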
This article is from the "server & security" blog; please keep this source: http://ciscoart.blog.51cto.com/1066670/865291