Remote client AUTH to ACS

amar_5664
Level 1

I have been trying to get a remote IPsec client authenticated via ACS, but cannot figure out what is causing the issue. Below are the configuration and debugs.

Is there anything specific that needs to be configured on the ACS? BTW, the ACS version is 3.3.

Any input is appreciated.

Config on router

aaa authentication login 3Gusers group tacacs+
aaa authorization network 3Gusers group tacacs+

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 3Gvpn
key trewq
dns 10.142.171.22 10.142.171.21
pool 3Gpool
netmask 255.255.255.255

crypto isakmp profile 3Gclient
   match identity group 3Gvpn
   client authentication list 3Gusers
   isakmp authorization list 3Gusers
   client configuration address respond
!
!
crypto ipsec transform-set 3G esp-3des esp-md5-hmac
!
crypto dynamic-map 3Gmap 10
set security-association idle-time 86400
set transform-set 3G
set isakmp-profile 3Gclient
reverse-route

Debug:

Dec 15 16:21:19.566 EDST: ISAKMP (0): received packet from 10.200.0.106 dport 500 sport 3553 Global (N) NEW SA
Dec 15 16:21:19.566 EDST: ISAKMP: Created a peer struct for 10.200.0.106, peer port 3553
Dec 15 16:21:19.566 EDST: ISAKMP: New peer created peer = 0x3AE6B3EC peer_handle = 0x8000001F
Dec 15 16:21:19.566 EDST: ISAKMP: Locking peer struct 0x3AE6B3EC, refcount 1 for crypto_isakmp_process_block
Dec 15 16:21:19.566 EDST: ISAKMP[R]: sa->swdb: GigabitEthernet1/2/1
Dec 15 16:21:19.566 EDST: ISAKMP: local port 500, remote port 3553
Dec 15 16:21:19.566 EDST: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3AFB77A8
Dec 15 16:21:19.566 EDST: ISAKMP:(0): processing SA payload. message ID = 0
Dec 15 16:21:19.566 EDST: ISAKMP:(0): processing ID payload. message ID = 0
Dec 15 16:21:19.566 EDST: ISAKMP (0): ID payload
next-payload : 13
type         : 11
group id     : 3Gvpn
protocol     : 17
port         : 500
length       : 13
Dec 15 16:21:19.566 EDST: ISAKMP:(0):: peer matches 3Gclient profile
Dec 15 16:21:19.566 EDST: ISAKMP:(0):Setting client config settings 3A7D8D0C
Dec 15 16:21:19.566 EDST: ISAKMP:(0):(Re)Setting client xauth list  and state
Dec 15 16:21:19.567 EDST: ISAKMP/xauth: initializing AAA request
Dec 15 16:21:19.567 EDST: ISAKMP:(0): processing vendor id payload
Dec 15 16:21:19.567 EDST: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
Dec 15 16:21:19.567 EDST: ISAKMP:(0): vendor ID is XAUTH
Dec 15 16:21:19.567 EDST: ISAKMP:(0): processing vendor id payload
Dec 15 16:21:19.567 EDST: ISAKMP:(0): vendor ID is DPD
Dec 15 16:21:19.567 EDST: ISAKMP:(0): processing vendor id payload
Dec 15 16:21:19.567 EDST: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Dec 15 16:21:19.567 EDST: ISAKMP:(0): processing vendor id payload
Dec 15 16:21:19.567 EDST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 15 16:21:19.567 EDST: ISAKMP:(0): vendor ID is NAT-T v2
Dec 15 16:21:19.567 EDST: ISAKMP:(0): processing vendor id payload
Dec 15 16:21:19.567 EDST: ISAKMP:(0): vendor ID is Unity
Dec 15 16:21:19.567 EDST: ISAKMP:(0): Authentication by xauth preshared
Dec 15 16:21:19.567 EDST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
Dec 15 16:21:19.567 EDST: ISAKMP:      encryption AES-CBC
Dec 15 16:21:19.567 EDST: ISAKMP:      hash SHA
Dec 15 16:21:19.567 EDST: ISAKMP:      default group 2
Dec 15 16:21:19.567 EDST: ISAKMP:      auth XAUTHInitPreShared
Dec 15 16:21:19.567 EDST: ISAKMP:      life type in seconds
Dec 15 16:21:19.567 EDST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9
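The debug above stops while the router is comparing the client's first proposal (AES-CBC, SHA, group 2, XAUTHInitPreShared) against policy 100 (3des, pre-share, group 2), so it does not show whether a proposal was accepted. As an added example, not code from the original post, here is a small parser that reads that part of a "debug crypto isakmp" capture and reports which attributes of each proposed transform differ from the configured policy. The sample lines are constructed (a second transform is invented), and the policy's hash is assumed to be the IOS default of SHA because the posted policy does not set one.

```python
import re

# Constructed sample in the shape of the posted debug, with wrapped lines rejoined
# and a hypothetical second transform added so one proposal matches.
DEBUG_SAMPLE = """\
Dec 15 16:21:19.567 EDST: ISAKMP:(0): Authentication by xauth preshared
Dec 15 16:21:19.567 EDST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
Dec 15 16:21:19.567 EDST: ISAKMP:      encryption AES-CBC
Dec 15 16:21:19.567 EDST: ISAKMP:      hash SHA
Dec 15 16:21:19.567 EDST: ISAKMP:      default group 2
Dec 15 16:21:19.567 EDST: ISAKMP:      auth XAUTHInitPreShared
Dec 15 16:21:19.567 EDST: ISAKMP:      life type in seconds
Dec 15 16:21:19.567 EDST: ISAKMP:(0):Checking ISAKMP transform 2 against priority 100 policy
Dec 15 16:21:19.567 EDST: ISAKMP:      encryption 3DES-CBC
Dec 15 16:21:19.567 EDST: ISAKMP:      hash SHA
Dec 15 16:21:19.567 EDST: ISAKMP:      default group 2
Dec 15 16:21:19.567 EDST: ISAKMP:      auth XAUTHInitPreShared
"""

# Policy 100 from the posted router config; hash is assumed to be the IOS default (SHA).
POLICY_100 = {"encryption": "3des", "hash": "sha", "group": "2", "auth": "pre-share"}

# Map the names the debug prints to the keywords used in "crypto isakmp policy".
_ENC = {"AES-CBC": "aes", "3DES-CBC": "3des", "DES-CBC": "des"}
_AUTH = {"XAUTHInitPreShared": "pre-share", "pre-share": "pre-share"}

_HDR = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
_ATTR = re.compile(r"ISAKMP:\s+(?:default )?(encryption|hash|group|auth)\s+(\S+)")

def parse_transforms(debug_text):
    """Return one dict per proposed transform with its normalized attributes."""
    out, cur = [], None
    for line in debug_text.splitlines():
        m = _HDR.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2))}
            out.append(cur)
            continue
        m = _ATTR.search(line)
        if m and cur is not None:
            key, val = m.groups()
            cur[key] = _ENC.get(val, val.lower()) if key == "encryption" else \
                       _AUTH.get(val, val.lower()) if key == "auth" else val.lower()
    return out

def mismatches(transform, policy):
    """Attributes where the proposal differs from the policy: {attr: (proposed, configured)}."""
    return {k: (transform.get(k), v) for k, v in policy.items() if transform.get(k) != v}

def first_match(debug_text, policy):
    """Number of the first proposed transform the policy would accept, or None."""
    return next((t["transform"] for t in parse_transforms(debug_text)
                 if not mismatches(t, policy)), None)
```

If no proposal matches any policy, phase 1 fails before xauth begins, so the ACS never receives an authentication request for that client.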

1 Reply

aneelaka
Level 1

Hi

On the ACS, you need to check whether the RADIUS Access-Request packets are making it into the ACS. Please check the ACS Reports and Activity to see if there are failed attempts. Check to see what error is displayed; that should help you with initial troubleshooting.

Note: Please rate the answer if it was helpful