I am having trouble getting my SA540 small business router to authenticate.
Problem 1) Authentication fails with Windows 2008 radius server
Problem 2) Digicert 3rd party SSL certificate fails to load into Self Signed Certificates
Part I: CONFIGURE WINDOWS 2008 RADIUS & CONNECTION POLICIES
Step 1: Configure Radius client on Windows 2008
I configured the settings for:
* Friendly Name: SA540
* IP/DNS: LAN address of Cisco SA540
* Secret: xxxx
I tried two vendor settings: RADIUS Standard and Cisco
I left the boxes unchecked for:
* Require access requests to contain the Message Authentication Attribute
* Nap capable
Step 2: Configure Connection Request Policy on Windows 2008
Overview:
* Name: SA540
* Enable policy: checked
* Network Connection Method: Unspecified
Conditions:
* Client Friendly Name (must match Radius Client Name above)
Settings:
* Required Authentication Methods:
- Check box for Override network policy authentication settings
- CHAP (always fails), PAP (a test worked from inside LAN using a radius test utility)
- I would like to use certificates for authentication but my digicert will not load into the SA540 3rd party cert area
* Forwarding Connection Requests:
- Authenticate requests on this server (checked)
* Radius Attributes:
- I want to have a login prompt sent to the Cisco VPN client being authenticated but am unclear what attributes are required
- I chose "Standard: Login-IP-Host" = (IP address of Active Directory Server)
PART II: CONFIGURE CISCO SA540
Step 1: Use IPSEC VPN Wizard to create IKE and VPN policies
* VPN Type: Remote Access
* Enable Cisco Client (checked)
* Name
* Key
* WAN Interface
* Remote GW: FQDN = URL that is on my 3rd party certificate (vpn5.docvera.com)
Step 2: Change authentication to radius
* VPN - VPN Policies: disable vpn policy
* VPN - IKE Policies: change IKE policy
* Authentication Type: Radius - PAP or Radius - CHAP
* Click Apply
* note that the help file says that there should also be MS-CHAP and MS-CHAPv2 but they do not appear
Step 3: Configure Dynamic IP Range
* VPN - IPSEC - Dynamic IP Range:
- Split tunnel (only remote traffic goes through tunnel)
- Start/End IP address: New IP segment with DHCP for VPN users
* Split DNS Names: Active Directory domain (docvera.local)
Step 4: Add Authentication Certificates (if you use them)
* Administration - Authentication: My digicert 3rd party SSL certificate will not load into the Self Certificates area
Step 5: Configure Radius Server
* Administration - RADIUS server:
* IP address
* Authentication port: 1812 (also tried 1645)
* Secret
* Timeout: 180
* Retries: 3
Part III: CONNECT
* Cisco VPN Client v5.0.07 connects fine when using Local Users but always fails to the radius server
* I ran wireshark and could NOT find:
- requests from the SA540 LAN IP address
- packets using UDP port 1812 (or 1645 when I tested it)
* Cisco VPN client gets an error message 413
* Connection tests to the radius server test utility from inside the LAN work with PAP but not CHAP
Other:
* Clients today failed to connect using local user database.
* I deleted the VPN and IKE policy, added them back and then the users could connect
In sum:
* I hope to get radius authentication working
* I hope to use 3rd party certificates working for authentication
I checked the Windows NPS Event log and found a CHAP authentication error: the user could not be authenticated using CHAP because a reversibly encrypted password does not exist for this account.
* Windows Security Event 6273
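As an added example (not code from the original post, nor from Cisco or Microsoft), the following Python stand-in for the "radius test utility" used above builds an RFC 2865 PAP Access-Request and checks the reply's Response Authenticator. It shows what the SA540 has to get right for NPS to answer: the User-Password attribute is obfuscated with MD5(shared secret + Request Authenticator), and the reply is only accepted if NPS signed it with the same secret, so a wrong secret looks like a silent reject while an unregistered client IP or wrong port looks like no reply at all. The server address, secret, user name and NAS IP in the usage are placeholders you replace with your own values.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def _xor_blocks(data, secret, authenticator, chain_on_output):
    """RFC 2865 5.2 keystream: each 16-byte block is XORed with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ k for a, k in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if chain_on_output else data[i:i + 16])
    return out

def encode_user_password(password, secret, authenticator):
    """Pad the password to 16-byte blocks and obfuscate it; this is not encryption, the secret is the only key."""
    return _xor_blocks(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)

def decode_user_password(encoded, secret, authenticator):
    return _xor_blocks(encoded, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_ip, authenticator):
    """Access-Request carrying User-Name (1), User-Password (2) and NAS-IP-Address (4)."""
    attrs = b""
    for atype, value in ((1, username.encode()),
                         (2, encode_user_password(password.encode(), secret, authenticator)),
                         (4, socket.inet_aton(nas_ip))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))  # what the server signs, RFC 2865 section 3
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(reply, request_authenticator, secret):
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return reply[4:20] == expected  # only matches for the same secret and the same request

def radius_pap_test(server, secret, username, password, nas_ip, port=1812, timeout=5):
    """Send one PAP Access-Request; returns 2 (Accept) or 3 (Reject); socket.timeout if nothing answers."""
    authenticator = os.urandom(16)
    request = build_access_request(1, username, password, secret, nas_ip, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # silence usually means wrong port or the NAS IP is not an NPS client
        sock.sendto(request, (server, port))
        reply = sock.recv(4096)
    if not response_is_authentic(reply, authenticator, secret):
        raise ValueError("Response Authenticator mismatch: shared secret differs from the NPS client entry")
    return reply[0]
```

Run from a host whose IP is registered as a RADIUS client in NPS, for example `radius_pap_test("NPS_SERVER_IP", b"xxxx", "DOMAIN\\user", "password", "THIS_HOST_IP")` (placeholder values); a 3 with event 6273 on the server then points at the policy rather than at transport or the secret.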