<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: L2TP/IPSec with PIX using EAP-TLS in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/l2tp-ipsec-with-pix-using-eap-tls/m-p/638646#M422491</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The Cisco Secure PIX Firewall Software Release 6.0 supports VPN connections from the Cisco VPN Client 3.5 for Windows. Refer to the following URL for more information:&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthepixfirewall" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthepixfirewall&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 16 Nov 2006 15:33:58 GMT</pubDate>
    <dc:creator>s.jankowski</dc:creator>
    <dc:date>2006-11-16T15:33:58Z</dc:date>
    <item>
      <title>L2TP/IPSec with PIX using EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/l2tp-ipsec-with-pix-using-eap-tls/m-p/638645#M422490</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have big problems using my PIX515 (SW 7.2.1) for L2TP/IPSec VPN connections using EAP-TLS. With the option EAP-Proxy activated on the PIX, a RADIUS Access-Request message reaches the configured RADIUS server (IAS2003), but the request is rejected by RADIUS. I inspected the packets with a sniffer and see the following strange behavior:&lt;/P&gt;&lt;P&gt;- There is a Tunnel-Client-Endpoint AVP with no value and, even stranger, an existing AVP titled User-Password with an encrypted value.&lt;/P&gt;&lt;P&gt;I don't understand where the encrypted password comes from in the first RADIUS Access-Request message received from the PIX, since the authentication method should be certificate-based (EAP-TLS). And I don't know either whether the Tunnel-Client-Endpoint MUST be present in the message. The fact is, the RADIUS responds with an Access-Reject message.&lt;/P&gt;&lt;P&gt;The other AVPs in the request seem to be OK, and there is an existing AVP titled EAP-Message (79) that seems alright...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Another detail: In the event log on the IAS the request is logged as Type "PAP" (and not EAP as it should be!) and the log tells me about a problem with a wrong username/password.&lt;/P&gt;&lt;P&gt;I tested the same client and RADIUS configuration using an RRAS server from Microsoft instead of the PIX and it worked fine! Could this be a bug in the PIX EAP-Proxy function?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;EAP-Proxy should pass all EAP packets unmodified to the RADIUS, right? This seems not to be the case. Comparing the RADIUS Access-Request message received from the PIX (which fails) with the RADIUS Access-Request message received from the RRAS server (which succeeds) shows significant differences.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any help is appreciated. Please ask me for further information if needed, or if you would like me to post the packet capture file (Ethereal format) or configuration information.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you very much!!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Matthias&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 21:50:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/l2tp-ipsec-with-pix-using-eap-tls/m-p/638645#M422490</guid>
      <dc:creator>matthiaseller</dc:creator>
      <dc:date>2019-03-10T21:50:08Z</dc:date>
    </item>
    <item>
      <title>Re: L2TP/IPSec with PIX using EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/l2tp-ipsec-with-pix-using-eap-tls/m-p/638646#M422491</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The Cisco Secure PIX Firewall Software Release 6.0 supports VPN connections from the Cisco VPN Client 3.5 for Windows. Refer to the following URL for more information:&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthepixfirewall" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthepixfirewall&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 16 Nov 2006 15:33:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/l2tp-ipsec-with-pix-using-eap-tls/m-p/638646#M422491</guid>
      <dc:creator>s.jankowski</dc:creator>
      <dc:date>2006-11-16T15:33:58Z</dc:date>
    </item>
  </channel>
</rss>

