Unable to configure IPSec clients authentication with RADIUS

laotalax579
Level 1

Hello,

I configured an IPSec VPN server for remote clients on a Cisco 2811 with XAuth (see attached Cisco VPN configuration). At first I configured client extended authentication (Xauth) using the local IOS user database and it worked ok, but then I tried to configure client authentication via FreeRADIUS and got authentication errors (see a part of the attached FreeRADIUS log): in fact, instead of the client's username/password sent via Xauth, Cisco sends a VPN-Group/pre-shared key combination to FreeRADIUS. Obviously FreeRADIUS can't find such a username/password in its database and replies with an error. Is it possible somehow to reconfigure Cisco in such a way that it would send username/password instead of VPN-Group/pre-shared key, or to reconfigure FreeRADIUS so that it would interpret the VPN-Group/pre-shared key parameters?

Accepted Solution

Jennifer Halim
Cisco Employee

xauth to radius server should not really be sending the group name and password towards the radius. xauth should send the username and password when user authenticates.

1) You can try to authenticate to the radius server from the router itself, using the "test aaa" command --> check if the authentication works.

2) When you are connecting with the vpn client, did you get prompted for username and password, and what did you enter?


3 Replies

Hello,

I tested FreeRADIUS authentication with "test aaa" command as you suggested and it worked ok. Then I changed the Cisco AAA network authorization to local: "aaa authorization network vpnauth local" and it could normally authenticate with RADIUS (Cisco sent username/password and not VPN-group/pre-shared key parameters). Thanks a lot!

Very timely thread. I was having the exact same issue with RADIUS (FreeRADIUS) trying to auth IKE, when I only wanted user authentication by RADIUS.

I've applied the changes suggested, and it's fixed my problem also. Thanks =)


## OLD

```
aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group group radius local
```

## NEW

```
aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group local
```

Would you mind posting what radius attributes you've set?
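The OLD/NEW lines above capture the whole fix: `aaa authentication login` is the method list that carries the Xauth username/password, while `aaa authorization network` is the list the router uses to fetch the ISAKMP client group, and when that list points at RADIUS the router sends the group name (paired with the group key, as the original post observed) to the RADIUS server before any user ever authenticates. The following checker is an added example, not code from the thread, from Cisco or from FreeRADIUS: it parses `aaa group server radius`, `aaa authentication login` and `aaa authorization network` lines out of running-config text and flags every network-authorization list that would consult a RADIUS server group. The three sample configs, the server group name `FREERADIUS` and the address 192.0.2.10 are constructed for the example; the third sample goes beyond the thread by showing that a named RADIUS server group triggers the same behaviour as the built-in `group radius`.

```python
"""Lint Cisco IOS AAA method lists for the Xauth/RADIUS mix-up in the thread.

Added example; not code from the thread, Cisco or FreeRADIUS.  Assumption:
the input is plain 'show running-config' text using the grammar
  aaa group server radius <name>
  aaa authentication login <list> <method> [<method> ...]
  aaa authorization network <list> <method> [<method> ...]
where a method is 'local', 'none', 'group radius', 'group tacacs+' or
'group <server-group>'.
"""
import re
from dataclasses import dataclass

LIST_RE = re.compile(
    r"^aaa\s+(?P<kind>authentication\s+login|authorization\s+network)\s+"
    r"(?P<name>\S+)\s+(?P<methods>.+?)\s*$"
)
SERVER_GROUP_RE = re.compile(r"^aaa\s+group\s+server\s+radius\s+(?P<name>\S+)\s*$")

# Constructed samples mirroring the OLD and NEW lines posted in the thread.
OLD_CONFIG = """\
aaa new-model
aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group group radius local
"""
NEW_CONFIG = """\
aaa new-model
aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group local
"""
# Constructed: the same mistake via a named server group (FREERADIUS and the
# documentation address 192.0.2.10 are placeholders, not from the thread).
NAMED_GROUP_CONFIG = """\
aaa new-model
aaa group server radius FREERADIUS
 server 192.0.2.10
aaa authentication login vpn-test-users group FREERADIUS local
aaa authorization network vpn-test-group group FREERADIUS local
"""


@dataclass
class MethodList:
    kind: str       # "authentication login" or "authorization network"
    name: str
    methods: list   # e.g. ["group radius", "local"]


def parse_config(config: str):
    """Return (radius_server_groups, method_lists) from running-config text."""
    radius_groups = {"radius"}   # built-in group: every 'radius-server host'
    lists = []
    for raw in config.splitlines():
        line = raw.strip()
        g = SERVER_GROUP_RE.match(line)
        if g:
            radius_groups.add(g.group("name"))
            continue
        m = LIST_RE.match(line)
        if not m:
            continue
        toks = m.group("methods").split()
        methods, i = [], 0
        while i < len(toks):
            # 'group <name>' is one method made of two tokens
            if toks[i] == "group" and i + 1 < len(toks):
                methods.append(f"group {toks[i + 1]}")
                i += 2
            else:
                methods.append(toks[i])
                i += 1
        kind = " ".join(m.group("kind").split())
        lists.append(MethodList(kind, m.group("name"), methods))
    return radius_groups, lists


def radius_methods(ml: MethodList, radius_groups) -> list:
    """Methods of this list that are served by a RADIUS server group."""
    return [m for m in ml.methods
            if m.startswith("group ") and m.split(" ", 1)[1] in radius_groups]


def findings(config: str) -> list:
    """One finding per 'aaa authorization network' list that consults RADIUS."""
    radius_groups, lists = parse_config(config)
    out = []
    for ml in lists:
        if ml.kind != "authorization network":
            continue
        hit = radius_methods(ml, radius_groups)
        if hit:
            out.append(
                f"{ml.name}: network authorization via {', '.join(hit)} makes the "
                "router look up the ISAKMP group on RADIUS (group name as User-Name) "
                "before Xauth; use 'local' when the group is defined on the router"
            )
    return out


if __name__ == "__main__":
    samples = (("OLD", OLD_CONFIG), ("NEW", NEW_CONFIG), ("NAMED", NAMED_GROUP_CONFIG))
    for label, cfg in samples:
        print(label, findings(cfg) or ["ok: only Xauth user credentials reach RADIUS"])
```

Run against the OLD sample it reports the `vpn-test-group` list; the NEW sample passes because the only list still pointing at RADIUS is the login-authentication list that Xauth uses, which is exactly the split the accepted answer and the follow-ups arrived at.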
