11-07-2011 08:46 AM
Hi,
I'm trying to set up a 5505 (running 8.3) so that I can use the client VPN through RADIUS authentication.
I have set up a new local RADIUS Windows box and used the ASDM assistant and a few other guides to set up the 5505.
I'm getting the following error:
INFO: Attempting Authentication test to IP address <10.0.0.92> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure
Any help would be greatly appreciated.
Here is my sanitised config:
lit5505-02# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname lit5505-02
no names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd ****************************************
banner motd No Unauthorised Access Is Allowed
banner motd ****************************************
ftp mode passive
dns server-group DefaultDNS
domain-name
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network lotus_notes
host 10.0.0.3
object network sonicwall_ssl_2000
host 10.0.0.12
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network ABD_LAN
subnet 10.7.0.0 255.255.0.0
object network LIT_LAN
subnet 10.0.0.0 255.255.0.0
object network LIT_LAN_vlan101
subnet 10.0.1.0 255.255.255.0
object network LIT_LAN_vlan102
subnet 10.0.2.0 255.255.255.0
object network LIT_LAN_vlan103
subnet 10.0.3.0 255.255.255.0
object network LIT_LAN_vlan104
subnet 10.0.4.0 255.255.255.0
object network LIT_LAN_vlan105
subnet 10.0.5.0 255.255.255.0
object network LIT_LAN_vlan106
subnet 10.0.6.0 255.255.255.0
object network LIT_LAN_vlan109
subnet 10.0.9.0 255.255.255.0
object network LIT_LAN_vlan112
subnet 10.0.112.0 255.255.255.0
object network LIT_LAN_vlan114
subnet 10.0.114.0 255.255.255.0
object network LIT_LAN_vlan120
subnet 10.0.20.0 255.255.255.0
object network LIT_LAN_vlan121
subnet 10.0.21.0 255.255.255.0
object network LIT_LAN_vlan100
subnet 10.0.0.0 255.255.255.0
object network LIT_LAN_vlan107
subnet 10.0.7.0 255.255.255.0
object network LIT_LAN_vlan108
subnet 10.0.8.0 255.255.255.0
object network BER_vlan1
subnet 10.8.0.0 255.255.255.0
object-group network LIT_VLANS
network-object object LIT_LAN_vlan100
network-object object LIT_LAN_vlan101
network-object object LIT_LAN_vlan102
network-object object LIT_LAN_vlan103
network-object object LIT_LAN_vlan104
network-object object LIT_LAN_vlan105
network-object object LIT_LAN_vlan106
network-object object LIT_LAN_vlan107
network-object object LIT_LAN_vlan108
network-object object LIT_LAN_vlan109
network-object object LIT_LAN_vlan112
network-object object LIT_LAN_vlan114
network-object object LIT_LAN_vlan120
network-object object LIT_LAN_vlan121
object-group network BER_VLANS
network-object object BER_vlan1
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any object sonicwall_ssl_2000 eq https
access-list out-in extended permit tcp any object lotus_notes eq smtp
access-list any-in-out extended permit ip any any
access-list outside_1_cryptomap extended permit ip object-group LIT_VLANS object ABD_LAN
access-list outside_2_cryptomap extended permit ip object-group LIT_VLANS object-group BER_VLANS
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LIT_VLANS LIT_VLANS destination static ABD_LAN ABD_LAN
nat (inside,outside) source static LIT_VLANS LIT_VLANS destination static BER_VLANS BER_VLANS
!
object network obj_any
nat (inside,outside) dynamic interface
object network lotus_notes
nat (inside,outside) static
object network sonicwall_ssl_2000
nat (inside,outside) static
access-group any-in-out in interface inside
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0
route inside 10.0.1.0 255.255.255.0 10.0.0.254 1
route inside 10.0.2.0 255.255.255.0 10.0.0.254 1
route inside 10.0.3.0 255.255.255.0 10.0.0.254 1
route inside 10.0.4.0 255.255.255.0 10.0.0.254 1
route inside 10.0.5.0 255.255.255.0 10.0.0.254 1
route inside 10.0.6.0 255.255.255.0 10.0.0.254 1
route inside 10.0.7.0 255.255.255.0 10.0.0.254 1
route inside 10.0.8.0 255.255.255.0 10.0.0.254 1
route inside 10.0.9.0 255.255.255.0 10.0.0.254 1
route inside 10.0.20.0 255.255.255.0 10.0.0.254 1
route inside 10.0.21.0 255.255.255.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server litvms03 protocol radius
aaa-server litvms03 (inside) host 10.0.0.92
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 inside
ssh 10.7.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.14.98.234 source outside prefer
ntp server 204.15.208.61 source outside prefer
webvpn
group-policy jdr_littleport_employee_vpn internal
group-policy jdr_littleport_employee_vpn attributes
banner value
wins-server value 10.0.0.8 10.100.1.141
dns-server value 10.0.0.8 10.100.1.141
split-tunnel-policy tunnelall
default-domain value jdrcables.com
split-dns value jdrcables.com
ipv6-address-pools none
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *****
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
Cryptochecksum:6d1868630c83f17fe0c7de41006a1526
: end
11-08-2011 06:38 AM
Rich
I checked the route statements but missed the VLAN address. Sorry about that.
I am glad to see that you fixed the problem and am not surprised that the issue seems to have been some mismatch in the server settings. I believe that you should be able to close the thread based on your response. Give it a try.
HTH
Rick
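Added example, not code from this thread or from Cisco: a minimal RFC 2865 PAP exchange in Python showing what the shared key on the ASA's "aaa-server ... key" line does on the wire, and why a key that differs between the ASA and the Windows RADIUS box surfaces as a failure rather than a clean Accept or Reject. The secret, user store and password are constructed values; the real key is masked in the posted config.

```python
import hashlib
import os
import struct

# Constructed values: the thread's real key is masked as *****.
SERVER_SECRET = b"constructed-secret"   # what the Windows RADIUS box holds
USERS = {b"rich": b"Pa55word!"}         # constructed user store on that box
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2         # RFC 2865 attribute types
def tlv(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value
def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs
def xor_password(data, secret, authenticator, hiding):
    # RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + prior ciphertext block), seeded by the Request Authenticator
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out
def build_access_request(ident, user, password, secret):
    auth = os.urandom(16)  # Request Authenticator, fresh per request
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = tlv(USER_NAME, user) + tlv(USER_PASSWORD, xor_password(padded, secret, auth, True))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def server_handle(request, secret):
    # The server unhides the password with ITS copy of the secret, decides, and
    # signs the reply: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    attrs = parse_attrs(request[20:])
    pw = xor_password(attrs[USER_PASSWORD], secret, request[4:20], False).rstrip(b"\x00")
    code = ACCESS_ACCEPT if USERS.get(attrs.get(USER_NAME)) == pw else ACCESS_REJECT
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def client_check(response, request, secret):
    # RFC 2865 s3: a reply whose Response Authenticator does not verify is silently
    # discarded, so a secret mismatch surfaces as a server failure, not a reject.
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return ("aaa-failure" if response[4:20] != expected
            else "accept" if response[0] == ACCESS_ACCEPT else "reject")

def aaa_test(user, password, client_secret):
    req = build_access_request(7, user, password, client_secret)
    return client_check(server_handle(req, SERVER_SECRET), req, client_secret)
```

aaa_test plays both sides in memory, so the three outcomes (accept, reject, failure from a key mismatch) can be compared without touching a live server.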
11-07-2011 10:39 AM
According to your config the RADIUS server is at 10.0.0.92 and is accessed through the inside interface, but there is no route for the subnet 10.0.0.0. Once you have a route to that subnet, the chances of getting to the server are greatly improved.
HTH
Rick
11-08-2011 01:14 AM
Hi Rick,
It's directly connected:
C 10.0.0.0 255.255.255.0 is directly connected, inside
There are no connectivity issues between litvms03 (RADIUS) and the ASA, as both can ping each other fine etc.
Any other ideas?
EDIT: all fixed. Deleted all of the settings on the Windows box, used the same settings and it's working. Nothing Cisco side. Can a mod close the thread? Thanks though!
Rich