Easy VPN Server w.Radius not working with Iphone

SindbyVejle
Level 1

Hi there,

I have an Easy VPN server configured with RADIUS, and everything works with the newest Cisco VPN Client on Windows.

But I can't get it working with the built-in client on the iPhone.

Windows Client pref.

Connection Entry: Sindby

Description:

Host: xx.xxx.xxx.xx

> Group authentication

Name: Sindby

Password: ******************

Confirm Password: ******************

That is on Windows, and then it pops up with the xauth user prompt and everything works.

On the iPhone I have problems figuring out which information goes where.

iPhone field                        I think it is like this:
Description: ?                      Sindby
Server: ?                           xx.xxx.xxx.xx
Account: ?                          xauth username
Password: ?                         Ask every time
Certificate: not enabled            Certificate not enabled
Groupname: ?                        Sindby
Key: ?                              Preshared secret key

In the server log, it seems like it connects fine, and the iPhone pops up with username & password. I type in my xauth credentials, but it fails and pops up again, and after 3-4 failed tries it drops the connection.

What am I doing wrong here?

/Jesper

6 Replies

SindbyVejle
Level 1

In the server debug, I see this:

*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -2020890165 ...

*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2

*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 -2020890165 CONF_XAUTH

*Oct 13 09:25:46.662: ISAKMP:(2013): sending packet to 109.59.232.39 my_port 500 peer_port 500 (R) CONF_XAUTH

*Oct 13 09:25:46.662: ISAKMP:(2013):Sending an IKE IPv4 Packet.

*Oct 13 09:25:49.850: ISAKMP (2013): received packet from 109.59.232.39 dport 500 sport 500 Global (R) CONF_XAUTH

*Oct 13 09:25:49.850: ISAKMP:(2013):processing transaction payload from 109.59.232.39. message ID = -2020890165

*Oct 13 09:25:49.850: ISAKMP: Config payload REPLY

*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

*Oct 13 09:25:49.850: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received

*Oct 13 09:25:49.850: ISAKMP:(2013):peer does not do paranoid keepalives.

Is it something with the above line?

/Jesper

Hi Jesper,

Config on the iPhone looks OK.

Do you see anything special in "debug aaa authentication" and "debug radius"?

Regards,

Praveen

Hi Praveen,

I know the RADIUS is working, because everything works with the Windows client.

*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received

*Oct 13 10:26:39.373: ISAKMP: set new node 1284665358 to CONF_XAUTH

*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_TYPE_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_DOMAIN_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

As far as I read this from the debug, the server requests 4 things but only gets 2, which might be the reason... Am I right or wrong?

/Jesper

Komil Shamgunov
Level 1

Hi Jesper.

It seems that you are using passwd-expiry in your aaa configuration; this requires the XAUTH-TYPE attribute, which is not sent by the iPhone/iPad.

Try to change your aaa configuration from something like:

aaa authentication login ciscocp_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1

To something like:

aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1

It should work.

BR,

Kamil
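To make the attribute mismatch Jesper spotted and Kamil's explanation concrete, here is an added Python script (not from this thread, and not Cisco code) that parses the quoted ISAKMP/xauth debug lines, lists which requested attributes the client never answered, and flags a missing XAUTH_TYPE_V2 with the passwd-expiry cause. The sample debug text is constructed from the lines quoted above.

```python
import re

# Constructed sample of the "debug crypto isakmp" output quoted in the thread
# (attribute names and format copied from the post; not a real capture).
SAMPLE_DEBUG = """\
*Oct 13 10:26:39.373: ISAKMP: set new node 1284665358 to CONF_XAUTH
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_TYPE_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_DOMAIN_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Oct 13 10:26:42.100: ISAKMP: Config payload REPLY
*Oct 13 10:26:42.100: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:42.100: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 10:26:42.100: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
"""

# One regex for the request/reply attribute lines, one for the router's complaint.
ATTR_RE = re.compile(r"ISAKMP/xauth: (request|reply) attribute (XAUTH_\w+)")
EXPECTED_RE = re.compile(r"Expected attribute (XAUTH_\w+) not received")


def xauth_attributes(debug_text):
    """Return (requested, replied, missing) attribute-name sets from the debug."""
    requested, replied, missing = set(), set(), set()
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            (requested if m.group(1) == "request" else replied).add(m.group(2))
        m = EXPECTED_RE.search(line)
        if m:
            missing.add(m.group(1))
    return requested, replied, missing


def diagnose(debug_text):
    """Turn the attribute sets into human-readable findings (empty list = healthy)."""
    requested, replied, missing = xauth_attributes(debug_text)
    findings = []
    unanswered = requested - replied
    if unanswered:
        findings.append(f"client answered {len(replied)} of {len(requested)} requested "
                        f"attributes; unanswered: {sorted(unanswered)}")
    if "XAUTH_TYPE_V2" in missing:
        # The passwd-expiry keyword on the aaa login list is what makes the
        # router insist on XAUTH_TYPE_V2; the iPhone/iPad client never sends it.
        findings.append("XAUTH_TYPE_V2 required but not sent: remove 'passwd-expiry' "
                        "from the aaa authentication login list used for xauth")
    return findings
```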

I know I'm a little behind on this, but is there a way to get the iPhone to work with passwd-expiry? Or is there a way to create 2 different RADIUS authentications, one with passwd-expiry and one without? I only ask because I have many laptops that connect that need to be prompted to change password, but phones that do not require this function. Any ideas on a workaround for this scenario?

Cameron Webster
Level 1

I'd be interested in a solution to allow iPhones/iPads as well, if it is possible.

In fact, I never successfully managed to allow password changes with the Windows Cisco VPN client when the password had already expired anyway, but removing passwd-expiry now breaks my config for all devices.
