Radius - Odd Problem

Little_Wing
Level 1

Hello all,

I am having a problem with radius authentication for vpn clients. It seems as though the router (871w, adv.security 12.4) is not sending authentication requests to the radius server, a Win2k3 member server running IAS.

Below is a snip of the config:

aaa new-model
aaa authentication login default local
aaa authentication login vpn_user group radius local
radius-server host A.B.C.D auth-port 1645 acct-port 1646 key 7 xyz
radius-server retransmit 4

The problem is that the router does not seem to be sending any authentication requests to the radius server.

Show radius stat displays no packets sent or received to the radius server.

The router has an isa profile for vpn clients that specifies the vpn_user group for authentication, e.g.:

crypto isakmp profile vpn_client
 match identity group vpn_access
 client authentication list vpn_user

I can see in cry isa debugs that the VPN clients are being matched to the vpn_client isakmp profile. And local user/passwords allows vpn access, but Windows user/passwords don't.

I have tried using different ports (1812, 1813), creating a radius server group, and trying a DC instead of a Windows member server. The logs on the Windows servers appear to show no radius authentication requests. I have also tried ip radius source f0 and ip radius source vlan1 as the interface facing the server is a switchport on the 871w.

But it seems to not even be sending any authentication requests to the radius server.

I have set up radius in a similar way at several other sites, without any similar difficulties, although using different Cisco routers (2611, 2821).

Are there any possible issues relating to the switchports on the 871w and radius? Or am I missing something in the config?

Thanks for the help,

Little_Wing

8 Replies

a.kiprawih
Level 7

Hi,

Can you ping the server from the router, and vice-versa? Also, check whether the router has been added into radius as AAA client.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a54.html#wp597030

Rgds,

AK

It's possible that you may need to have "isakmp authorization list" under your isakmp profile. This *may* make a difference since it needs this to look up the information within the client group, and is also needed to get mode config information either locally or from radius. Check out this sample:

=========

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008032cd24.shtml

aaa authentication login userauth group radius local
aaa authorization network groupauthor local
crypto isakmp profile softclient
 match identity group tennis
 client authentication list userauth
 isakmp authorization list groupauthor
 client configuration address respond

=========

If this doesn't help, what I would also do is turn on "debug radius" to see what radius packets are being sent from the router, if at all.

Also, make sure radius is working. You can use the "test" global exec mode to see if communication to radius is even working:

# test aaa group vpn_user new-code

Sincerely,

Annie

Sorry, that test command would be:

test aaa group radius <username> <password> new-code

This command should be available in later versions of IOS.
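A config check for the point Annie raises above, added here as an example and not part of this thread or of any Cisco tool: a small Python parser (my own) that reads an IOS-style config and flags isakmp profiles whose client authentication list or isakmp authorization list is missing or names a list that is never defined, mismatches that are easy to overlook when reading the config by eye. The sample config is constructed to resemble the thread's, with a hypothetical vpn_user / vpn_users name mismatch.

```python
# Constructed sample config, modelled on the thread's profiles (not the
# poster's real config): the profile names a list that is not defined and
# has no "isakmp authorization list" line.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login vpn_users group radius local
aaa authorization network vpn1 local
crypto isakmp profile vpn_clients
 match identity group xyz
 client authentication list vpn_user
"""

def parse_ios(config):
    """Collect defined AAA list names and the per-profile list references."""
    auth, author, profiles, current = set(), set(), {}, None
    for line in config.splitlines():
        parts = line.split()
        if not parts or line.startswith("!"):
            continue
        if line.startswith(" ") and current:          # sub-command of a profile
            if parts[:3] == ["client", "authentication", "list"]:
                profiles[current]["client_auth"] = parts[3]
            elif parts[:3] == ["isakmp", "authorization", "list"]:
                profiles[current]["isakmp_author"] = parts[3]
            continue
        current = None                                # back at global level
        if parts[:3] == ["aaa", "authentication", "login"]:
            auth.add(parts[3])
        elif parts[:3] == ["aaa", "authorization", "network"]:
            author.add(parts[3])
        elif parts[:3] == ["crypto", "isakmp", "profile"]:
            current = parts[3]
            profiles[current] = {}
    return auth, author, profiles

def check_profiles(config):
    """Return findings for profiles whose AAA list references are missing or undefined."""
    auth, author, profiles = parse_ios(config)
    findings = []
    for name, p in profiles.items():
        for key, cmd, defined in (("client_auth", "client authentication list", auth),
                                  ("isakmp_author", "isakmp authorization list", author)):
            ref = p.get(key)
            if ref is None:
                findings.append(f"{name}: no '{cmd}' configured")
            elif ref not in defined:
                findings.append(f"{name}: '{cmd} {ref}' refers to an undefined list")
    return findings
```

Run check_profiles against a copy of the running config; an empty list means every profile's list references resolve to a defined aaa statement.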

I can ping the server(s) used for radius, and from server to router. The router terminates 2 GRE/IPSec tunnels and 4 IPSec connections, plus the VPN clients. End to end connectivity is good, hosts can ping from site to site without problem, so basic connectivity appears to be solid.

The configuration includes:

aaa authorization network vpn1 local

- and the appropriate commands in the isakmp profile.

debug radius produces no output. debug ip packet (with an access list to display only packets destined for the server) also produces no output.

Thanks for the test command, I haven't seen that command before.

I am reasonably certain the Windows servers are configured correctly, IAS is running, radius client info for the router is set, etc.

I must be missing something, I'll try some more testing and go over the various documents and try to see what I might have overlooked.

Thanks,

Little_Wing

Another thing to do would be to turn on "debug crypto isakmp" and "debug crypto ipsec" to see if it is actually finishing IKE Phase 1 and even doing Xauth.

Sincerely,

Annie

The test aaa command was very useful. At least I was able to confirm that the Win2K3 radius side was working.

debug cry isa/ips shows the clients connecting without a problem.

debug aaa authe has revealed the problem - the vpn clients are using the default aaa authentication (which is local) and not the aaa authentication list specified in the isakmp profile.

Setting the default aaa authentication to group radius local, and connecting, shows radius traffic and clients are authenticated against AD.

It is a bit odd - the isakmp debugs show that the vpn clients are being matched to the correct isakmp profile. And the profile specifies a aaa authentication list, which matches the aaa authentication statement specifying radius. But the clients still are only authenticated against the default aaa authentication method.

Config looks like this:

aaa authen login default local
aaa authen login vpn_users group radius local
cry isa profile vpn_clients
 match ident group xyz
 client authen list vpn_users

debug cry isa shows that clients are matched to the vpn_client profile, but debug aaa auth shows that they are being authenticated against the default, not vpn_users.

Still, as a workaround I have set the default to:

aaa authentication login default group radius local

- and everything seems to work fine.

Thanks,

Little_Wing

Hmm... to me, something still seems amiss. What version of IOS is the router running? In any case, I'm glad to hear that it is looking better.

The router is running advanced security 12.4(6)T2

Little_Wing