11-14-2013 12:19 AM - edited 03-04-2019 09:34 PM
Hello Community,
VPN over IPSec (Site-2-Site)
Here is the Configuration of the Cisco 1841 Router:
//Login Credentials
enable secret xxxxxx
username admin privilege 15 password xxxxxx
//ACL for VPN and NAT
access-list 102 permit ip 192.168.192.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.192.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 deny ip 192.168.192.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.192.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.192.0 0.0.0.255 any
//ACL
ip access-list extended inboundfilter
evaluate reflectacl
permit udp any host <<WANIP>> eq isakmp
permit tcp any host <<WANIP>> eq 22
permit icmp any host <<WANIP>>
!
ip access-list extended outboundfilter
permit ip any 192.168.0.0 0.0.255.255 reflect reflectacl
permit ip any 172.20.0.0 0.0.0.255 reflect reflectacl
deny udp 192.168.XXX.0 0.0.0.255 any
permit ip any any reflect reflectacl
//VPN settings
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address xxxx.xxx.xxx.226
crypto isakmp keepalive 30
crypto ipsec transform-set SET esp-aes esp-sha-hmac
crypto map B2B 10 ipsec-isakmp
description b2b-fw-ushou-1
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 86400
set transform-set SET
match address 102
//Interface configuration
interface FastEthernet0/0
description wan_primary
ip access-group inboundfilter in
ip access-group outboundfilter out
crypto map B2B
interface FastEthernet0/1
ip nat inside
route-map nonat permit 10
match ip address 150
ip nat inside source route-map nonat interface FastEthernet0/0 overload
The Cisco 1841 router will use the AAA authentication method for SSH. But the router cannot ping over the VPN into the remote LAN. The router cannot reach the RADIUS server. Does anybody have an idea how to solve this issue?
Best Regards
Markus Thun
11-14-2013 05:44 AM
There are some details that you have not included in your post that would have been helpful, such as the IP address of the interfaces, and whether you have specified a source address in attempts to access the Radius server. But based on the symptoms you describe I will make a guess that the router is using the IP address of its public interface as the source address for these attempts and that this address is not included in your crypto access list and so is not encrypted. If you specify a source address of the inside interface does it work better?
HTH
Rick
11-14-2013 05:55 AM
Hi, here is some other information:
aaa group server radius LOGIN
server 192.168.5.24 auth-port 1812 acct-port 1813
ip radius source-interface FastEthernet0/1
!
aaa authentication login LOGIN group radius local
!
interface FastEthernet0/0
description wan_primary
ip address
ip access-group inboundfilter in
ip access-group outboundfilter out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map B2B
!
interface FastEthernet0/1
description besidjakr1_lan
ip address 192.168.192.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
If I use the command: ping 192.168.5.24 source fastethernet 0/1, I can ping the RADIUS server, but if I use only ping 192.168.5.24 I cannot reach this server.
Best regards
Markus
11-14-2013 06:18 AM
Markus
That is exactly the issue that I described. If you just ping 192.168.5.24 the router by default will choose the outbound interface as the source address and the ping will not go through the VPN tunnel. If the ping does not go through the VPN tunnel then 192.168.5 is not routable through the Internet. So the ping will work only if you choose a source address that will match the crypto access list and will go through the tunnel.
The good thing is that the additional information included in this post does show that you have specified the source address for Radius. So the Radius request should match the crypto access list and should go through the VPN tunnel. I am guessing that the reason that Radius is not working may be related to the fact that you gave the Radius server group a name but do not use that name in the aaa commands. I suggest that either you change
aaa group server radius LOGIN
to
aaa group server radius
or change this
aaa authentication login LOGIN group radius local
to
aaa authentication login LOGIN group LOGIN local
or maybe to
aaa authentication login default group LOGIN local
HTH
Rick
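To make Rick's point concrete, here is an added example (not from the thread or from Cisco) that evaluates ACL 102 and ACL 150 from the original post with IOS wildcard-mask, first-match, implicit-deny semantics, and reports whether a packet leaving Fa0/0 would be NATed and whether it would match the crypto map. The WAN address 203.0.113.10 is a constructed placeholder standing in for the redacted <<WANIP>>.

```python
import ipaddress

# Crypto ACL 102 (interesting traffic) and NAT route-map ACL 150, copied from the thread.
ACL_TEXT = """
access-list 102 permit ip 192.168.192.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.192.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 deny ip 192.168.192.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.192.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.192.0 0.0.0.255 any
"""
WAN_IP = "203.0.113.10"  # constructed placeholder for the redacted <<WANIP>>

def parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]; return (base, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, wildcard, i + 2

def parse_acls(text):
    """Build {acl_number: [(action, src, src_wc, dst, dst_wc), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        num, action = t[1], t[2]          # t[3] is the protocol ("ip")
        src, swc, i = parse_addr(t, 4)
        dst, dwc, _ = parse_addr(t, i)
        acls.setdefault(num, []).append((action, src, swc, dst, dwc))
    return acls

def matches(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' for that bit."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, b1, w1, b2, w2 in acl:
        if matches(s, b1, w1) and matches(d, b2, w2):
            return action
    return "deny"

def classify(acls, src, dst):
    """Return (nat_applied, encrypted) for a packet sent out Fa0/0 from src to dst."""
    nat = evaluate(acls["150"], src, dst) == "permit"   # route-map permit => NAT
    crypto_src = WAN_IP if nat else src                  # crypto map sees post-NAT source
    return nat, evaluate(acls["102"], crypto_src, dst) == "permit"

ACLS = parse_acls(ACL_TEXT)
```

A ping sourced from Fa0/1 (192.168.192.1) to 192.168.5.24 yields (False, True): NAT-exempt and encrypted; the same ping sourced from the WAN address yields (False, False), which is why it never enters the tunnel.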
11-14-2013 06:42 AM
Hi
my changes:
aaa authentication login LOGIN group LOGIN local
!
access-list 102 permit ip 192.168.192.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.192.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 102 permit ip 192.168.192.0 0.0.0.255 host 192.168.5.24
access-list 150 deny ip 192.168.192.0 0.0.0.255 host 192.168.5.24
access-list 150 deny ip 192.168.192.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.192.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.192.0 0.0.0.255 any
Still the same Problem.
11-14-2013 06:58 AM
Markus
Please post the configuration for line con 0 and for all of your vty lines.
HTH
Rick
11-14-2013 07:04 AM
The configuration for the lines is correct.
here the output (debug radius):
*Nov 14 15:43:48.780 CET: RADIUS/ENCODE(0000000B): ask "Password: "
*Nov 14 15:43:48.780 CET: RADIUS/ENCODE(0000000B): send packet; GET_PASSWORD
fw-idjkt-1#
*Nov 14 15:43:55.055 CET: RADIUS/ENCODE(0000000B):Orig. component type = EXEC
*Nov 14 15:43:55.055 CET: RADIUS: AAA Unsupported Attr: interface [157] 6
*Nov 14 15:43:55.059 CET: RADIUS: 74 74 79 31 [tty1]
*Nov 14 15:43:55.059 CET: RADIUS/ENCODE(0000000B): dropping service type, "radiu s-server attribute 6 on-for-login-auth" is off
*Nov 14 15:43:55.059 CET: RADIUS(0000000B): Config NAS IP: 192.168.192.1
*Nov 14 15:43:55.059 CET: RADIUS/ENCODE(0000000B): acct_session_id: 11
*Nov 14 15:43:55.059 CET: RADIUS(0000000B): sending
*Nov 14 15:43:55.059 CET: RADIUS: Long password processing
*Nov 14 15:43:55.059 CET: RADIUS(0000000B): Send Access-Request to 192.168.5.24: 1812 id 1645/10, len 106
*Nov 14 15:43:55.059 CET: RADIUS: authenticator 0C E4 4D 0E B4 E1 13 AB - 96 9D 04 9B EE AF B0 24
*Nov 14 15:43:55.059 CET: RADIUS: User-Name [1] 13 "markus.XXXX"
*Nov 14 15:43:55.059 CET: RADIUS: User-Password [2] 34 *
*Nov 14 15:43:55.059 CET: RADIUS: NAS-Port [5] 6 196
*Nov 14 15:43:55.059 CET: RADIUS: NAS-Port-Id [87] 8 "tty196"
*Nov 14 15:43:55.059 CET: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Nov 14 15:43:55.059 CET: RADIUS: Calling-Station-Id [31] 13
fw-idjkt-1#"192.168.5.5"
*Nov 14 15:43:55.059 CET: RADIUS: NAS-IP-Address [4] 6 192.168.192.1
fw-idjkt-1#
*Nov 14 15:43:59.991 CET: RADIUS: no sg in radius-timers: ctx 0x636E3D9 00
*Nov 14 15:43:59.991 CET: RADIUS: Retransmit to (192.168.5.24:1812,1813 1645/10
fw-idjkt-1#
*Nov 14 15:44:04.630 CET: RADIUS: no sg in radius-timers: ctx 0x636E3D9 00
*Nov 14 15:44:04.630 CET: RADIUS: Retransmit to (192.168.5.24:1812,1813 1645/10
fw-idjkt-1#
*Nov 14 15:44:09.430 CET: RADIUS: no sg in radius-timers: ctx 0x636E3D9 00
*Nov 14 15:44:09.430 CET: RADIUS: Retransmit to (192.168.5.24:1812,1813 1645/10
fw-idjkt-1#
*Nov 14 15:44:13.973 CET: RADIUS: no sg in radius-timers: ctx 0x636E3D9 00
*Nov 14 15:44:13.973 CET: RADIUS: No response from (192.168.5.24:1812,1 id 1645/10
*Nov 14 15:44:13.973 CET: RADIUS/DECODE: No response from radius-server esponse; FAIL
*Nov 14 15:44:13.973 CET: RADIUS/DECODE: Case error(no response/ bad pa decode);parse response; FAIL
fw-idjkt-1#
*Nov 14 15:44:16.645 CET: RADIUS/ENCODE(0000000B): ask "Password: "
*Nov 14 15:44:16.645 CET: RADIUS/ENCODE(0000000B): send packet; GET_PAS
11-14-2013 07:25 AM
Markus
The debug shows that your router is sending a request with the source address that you requested and it should match the crypto access list. So I assume that it was sent through the tunnel. If the Radius server is not responding then there appears to be some issue. My first suggestion would be to check the shared secret used to communicate between router and server. If that appears to be correct then I would suggest checking the logs from the server. Did the server see the request? Do the logs show why the server did not send a response? My experience in symptoms like this is that frequently the server does not recognize the request as coming from a valid (configured correctly) client.
HTH
Rick
11-14-2013 07:50 AM
Hi,
The RADIUS server gets no packets from the 1841 (there are no logs at the RADIUS server). The router sends no RADIUS packets over the VPN connection.
11-14-2013 08:23 AM
Markus
I am surprised at this. The debug in your previous post looked like it was generating requests to the Radius server. And it looks like the traffic should have matched your crypto access list. So I am not sure why traffic is not going over the VPN tunnel. Perhaps a fresh copy of the current config might help us figure out the issue?
HTH
Rick
11-15-2013 06:20 AM
Can I work with route maps?
11-15-2013 06:25 AM
Markus
I do not understand this question. What would you be using a route map for?
HTH
Rick