Authentication error - 5505 8.3 setup client VPN to Windows RADIUS server

RichardJewell
Level 1

Hi,

I'm trying to set up a 5505 (running 8.3) so that I can use the client VPN through RADIUS authentication.

I have set up a new local RADIUS Windows box and used the ASDM assistant and a few other guides to set up the 5505.

I'm getting the following error:

INFO: Attempting Authentication test to IP address <10.0.0.92> (timeout: 12 seconds)

ERROR: Authentication Rejected: AAA failure

Any help would be greatly appreciated.

Here is my sanitised config:

lit5505-02# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname lit5505-02
no names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.100 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd ****************************************
banner motd No Unauthorised Access Is Allowed
banner motd ****************************************
ftp mode passive
dns server-group DefaultDNS
 domain-name
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network lotus_notes
 host 10.0.0.3
object network sonicwall_ssl_2000
 host 10.0.0.12
object network NETWORK_OBJ_10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0
object network ABD_LAN
 subnet 10.7.0.0 255.255.0.0
object network LIT_LAN
 subnet 10.0.0.0 255.255.0.0
object network LIT_LAN_vlan101
 subnet 10.0.1.0 255.255.255.0
object network LIT_LAN_vlan102
 subnet 10.0.2.0 255.255.255.0
object network LIT_LAN_vlan103
 subnet 10.0.3.0 255.255.255.0
object network LIT_LAN_vlan104
 subnet 10.0.4.0 255.255.255.0
object network LIT_LAN_vlan105
 subnet 10.0.5.0 255.255.255.0
object network LIT_LAN_vlan106
 subnet 10.0.6.0 255.255.255.0
object network LIT_LAN_vlan109
 subnet 10.0.9.0 255.255.255.0
object network LIT_LAN_vlan112
 subnet 10.0.112.0 255.255.255.0
object network LIT_LAN_vlan114
 subnet 10.0.114.0 255.255.255.0
object network LIT_LAN_vlan120
 subnet 10.0.20.0 255.255.255.0
object network LIT_LAN_vlan121
 subnet 10.0.21.0 255.255.255.0
object network LIT_LAN_vlan100
 subnet 10.0.0.0 255.255.255.0
object network LIT_LAN_vlan107
 subnet 10.0.7.0 255.255.255.0
object network LIT_LAN_vlan108
 subnet 10.0.8.0 255.255.255.0
object network BER_vlan1
 subnet 10.8.0.0 255.255.255.0
object-group network LIT_VLANS
 network-object object LIT_LAN_vlan100
 network-object object LIT_LAN_vlan101
 network-object object LIT_LAN_vlan102
 network-object object LIT_LAN_vlan103
 network-object object LIT_LAN_vlan104
 network-object object LIT_LAN_vlan105
 network-object object LIT_LAN_vlan106
 network-object object LIT_LAN_vlan107
 network-object object LIT_LAN_vlan108
 network-object object LIT_LAN_vlan109
 network-object object LIT_LAN_vlan112
 network-object object LIT_LAN_vlan114
 network-object object LIT_LAN_vlan120
 network-object object LIT_LAN_vlan121
object-group network BER_VLANS
 network-object object BER_vlan1
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any object sonicwall_ssl_2000 eq https
access-list out-in extended permit tcp any object lotus_notes eq smtp
access-list any-in-out extended permit ip any any
access-list outside_1_cryptomap extended permit ip object-group LIT_VLANS object ABD_LAN
access-list outside_2_cryptomap extended permit ip object-group LIT_VLANS object-group BER_VLANS
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LIT_VLANS LIT_VLANS destination static ABD_LAN ABD_LAN
nat (inside,outside) source static LIT_VLANS LIT_VLANS destination static BER_VLANS BER_VLANS
!
object network obj_any
 nat (inside,outside) dynamic interface
object network lotus_notes
 nat (inside,outside) static
object network sonicwall_ssl_2000
 nat (inside,outside) static
access-group any-in-out in interface inside
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0
route inside 10.0.1.0 255.255.255.0 10.0.0.254 1
route inside 10.0.2.0 255.255.255.0 10.0.0.254 1
route inside 10.0.3.0 255.255.255.0 10.0.0.254 1
route inside 10.0.4.0 255.255.255.0 10.0.0.254 1
route inside 10.0.5.0 255.255.255.0 10.0.0.254 1
route inside 10.0.6.0 255.255.255.0 10.0.0.254 1
route inside 10.0.7.0 255.255.255.0 10.0.0.254 1
route inside 10.0.8.0 255.255.255.0 10.0.0.254 1
route inside 10.0.9.0 255.255.255.0 10.0.0.254 1
route inside 10.0.20.0 255.255.255.0 10.0.0.254 1
route inside 10.0.21.0 255.255.255.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server litvms03 protocol radius
aaa-server litvms03 (inside) host 10.0.0.92
 key *****
 radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 inside
ssh 10.7.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.14.98.234 source outside prefer
ntp server 204.15.208.61 source outside prefer
webvpn
group-policy jdr_littleport_employee_vpn internal
group-policy jdr_littleport_employee_vpn attributes
 banner value
 wins-server value 10.0.0.8 10.100.1.141
 dns-server value 10.0.0.8 10.100.1.141
 split-tunnel-policy tunnelall
 default-domain value jdrcables.com
 split-dns value jdrcables.com
 ipv6-address-pools none
tunnel-group  type ipsec-l2l
tunnel-group  ipsec-attributes
 pre-shared-key *****
tunnel-group  type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
Cryptochecksum:6d1868630c83f17fe0c7de41006a1526
: end


3 Replies

Richard Burts
Hall of Fame

According to your config the RADIUS server is at 10.0.0.92 and is accessed through the inside interface. But there is no route for the subnet 10.0.0.0. Once you have a route to that subnet the chances of getting to the server are greatly improved.

HTH

Rick


Hi Rick,

It's directly connected:

C    10.0.0.0 255.255.255.0 is directly connected, inside

There are no connectivity issues between litmvs03 (RADIUS) and the ASA, as both can ping each other fine etc.

Any other ideas?

EDIT: All fixed. I deleted all of the settings on the Windows box, used the same settings and it's working. Nothing Cisco side. Can a mod close the thread? Thanks though!

Rich
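Rick's reply checks whether the ASA has a route toward the AAA server, and Richard's reply notes that the server sits on a directly connected subnet, which the route table does not show as a static route. The following script is an added example (not part of this thread or of any Cisco tool): it parses a small constructed excerpt in the style of the posted "sh run" and reports, for each aaa-server host, whether it is directly connected on its nameif, reachable via a static route out that nameif, routed out a different interface, or unreachable. The 203.0.113.1 next hop is a placeholder for the sanitised value.

```python
import ipaddress
import re

# Constructed excerpt in the style of the 'sh run' posted above; the
# 203.0.113.1 next hop stands in for the sanitised default-route gateway.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.100 255.255.255.0
interface Vlan2
 nameif outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.1.0 255.255.255.0 10.0.0.254 1
aaa-server litvms03 protocol radius
aaa-server litvms03 (inside) host 10.0.0.92
"""

def parse_config(text):
    """Collect connected subnets, static routes and AAA server hosts."""
    connected, routes, servers, nameif = {}, [], [], None
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "interface":
            nameif = None                       # new interface block
        elif p[0] == "nameif":
            nameif = p[1]
        elif p[:2] == ["ip", "address"] and nameif and len(p) >= 4:
            connected[nameif] = ipaddress.IPv4Network(f"{p[2]}/{p[3]}", strict=False)
        elif p[0] == "route" and len(p) >= 4:   # tolerates a sanitised next hop
            routes.append((p[1], ipaddress.IPv4Network(f"{p[2]}/{p[3]}")))
        elif m := re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)", line.strip()):
            servers.append((m[1], m[2], ipaddress.IPv4Address(m[3])))
    return connected, routes, servers

def audit(text):
    """Map each AAA server tag to how the ASA would reach it on its nameif:
    'connected', 'routed', 'wrong-interface' or 'no-route'."""
    connected, routes, servers = parse_config(text)
    verdict = {}
    for tag, ifname, host in servers:
        if ifname in connected and host in connected[ifname]:
            verdict[tag] = "connected"          # the case Richard pointed out
            continue
        hits = [(rif, net) for rif, net in routes if host in net]
        if not hits:
            verdict[tag] = "no-route"           # the case Rick was checking for
            continue
        rif, _ = max(hits, key=lambda h: h[1].prefixlen)   # longest-prefix match
        verdict[tag] = "routed" if rif == ifname else "wrong-interface"
    return verdict

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))   # {'litvms03': 'connected'}
```

A "connected" or "routed" verdict only rules out the routing mismatch Rick raised; as the thread shows, a shared-secret or client-definition mismatch on the RADIUS side still yields "Authentication Rejected: AAA failure".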

Rich

I checked the route statements but missed the VLAN address. Sorry about that.

I am glad to see that you fixed the problem and am not surprised that the issue seems to have been some mismatch in the server settings. I believe that you should be able to close the thread based on your response. Give it a try.

HTH

Rick
