10-13-2010 01:07 AM
Hi there,
I have an Easy VPN server configured with Radius, and everything works with the newest Cisco VPN Client on Windows.
But I can't get it working on the one built into the iPhone.
Windows Client pref.
Connection Entry: Sindby
Description:
Host: xx.xxx.xxx.xx
> Group authentication
Name: Sindby
Password: ******************
Confirm Password: ******************
That is on Windows, and then it pops up with user xauth and everything works.
On the iPhone I have problems figuring out which information goes where.
iPhone: I think it is like this:
Description: ? Sindby
Server: ? xx.xxx.xxx.xx
Account: ? xauth Username
Password: ? Ask every time
Certificate: not enabled
Groupname: ? Sindby
Key: ? Preshared Secret Key
In the server log, it seems like it connects fine, and the iPhone pops up with: username & password. I type in my xauth credentials, but it fails and pops up again, and after 3-4 failed tries, it drops the connection.
What am I doing wrong here?
/Jesper
10-13-2010 01:22 AM
In the server debug, I see this:
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH -2020890165 ...
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 -2020890165 CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013): sending packet to 109.59.232.39 my_port 500 peer_port 500 (R) CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Oct 13 09:25:49.850: ISAKMP (2013): received packet from 109.59.232.39 dport 500 sport 500 Global (R) CONF_XAUTH
*Oct 13 09:25:49.850: ISAKMP:(2013):processing transaction payload from 109.59.232.39. message ID = -2020890165
*Oct 13 09:25:49.850: ISAKMP: Config payload REPLY
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
*Oct 13 09:25:49.850: ISAKMP:(2013):peer does not do paranoid keepalives.
10-13-2010 01:28 AM
Hi Jesper,
Config on iPhone looks ok.
Do you see anything special in "debug aaa authentication" and "debug radius"?
Regards,
Praveen
10-13-2010 01:35 AM
Hi Praveen,
I know the radius is working, because everything works with the Windows Client.
*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
*Oct 13 10:26:39.373: ISAKMP: set new node 1284665358 to CONF_XAUTH
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_TYPE_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_DOMAIN_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
As far as I read this from the debug, the server requests 4 things, but only gets 2, which might be the reason... Am I right or wrong?
/Jesper
01-19-2011 03:36 AM
Hi Jesper.
It seems that you are using password-expiry in your aaa configuration; this requires the XAUTH-TYPE attribute, which is not sent by the iPhone/iPad.
Try to change your aaa configuration from something like:
aaa authentication login ciscocp_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1
To something like:
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1
It should work.
BR,
Kamil
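A small diagnostic for the debug output discussed in this thread, added here as an example and not posted by any participant: it separates the attributes the router requested but the client left unanswered from the ones the router actually logged as expected and not received. The function names are hypothetical, and the sample lines are the ISAKMP/xauth lines from the debug output posted earlier in the thread.

```python
import re

# Sample input: the ISAKMP/xauth debug lines posted in this thread.
SAMPLE_DEBUG = """\
*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
*Oct 13 10:26:39.373: ISAKMP: set new node 1284665358 to CONF_XAUTH
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_TYPE_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_DOMAIN_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
"""

# Matches the three xauth line shapes seen in the debug output.
LINE_RE = re.compile(
    r"ISAKMP/xauth: (?:(request|reply) attribute (\w+)"
    r"|Expected attribute (\w+) not received)"
)

def summarize_xauth(debug_text):
    """Collect requested, replied and explicitly rejected xauth attributes."""
    requested, replied, rejected = set(), set(), set()
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other ISAKMP lines are ignored
        direction, attr, missing = m.groups()
        if missing:
            rejected.add(missing)
        elif direction == "request":
            requested.add(attr)
        else:
            replied.add(attr)
    return {
        "requested": sorted(requested),
        "replied": sorted(replied),
        "unanswered": sorted(requested - replied),
        "rejected_for": sorted(rejected),
    }

def diagnose(summary):
    """Turn the summary into a one-line pointer for the administrator."""
    if "XAUTH_TYPE_V2" in summary["rejected_for"]:
        return "client omitted XAUTH_TYPE_V2: check the xauth login method list for passwd-expiry"
    if summary["rejected_for"]:
        return "client omitted: " + ", ".join(summary["rejected_for"])
    return "no missing-attribute complaint logged"

if __name__ == "__main__":
    print(diagnose(summarize_xauth(SAMPLE_DEBUG)))
```

On the posted lines, two requested attributes go unanswered (XAUTH_DOMAIN_V2 and XAUTH_TYPE_V2), but the router only logs XAUTH_TYPE_V2 as expected and not received.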
02-20-2012 01:57 PM
I know I'm a little behind on this, but is there a way to get the iPhone to work with passwd-expiry? Or is there a way to create 2 different RADIUS authentications? One with passwd-expiry, one without? I only ask because I have many laptops that connect that need to be prompted to change password, but phones that do not require this function. Any ideas on a workaround for this scenario?
08-27-2013 08:37 AM
I'd be interested in a solution to allow iPhones/iPads as well, if it is possible.
In fact, I never successfully managed to allow password changes with the Windows Cisco VPN client when the password has already expired anyway, but removing passwd-expiry now breaks my config for all devices.