Easy VPN Server w.Radius not working with Iphone

SindbyVejle
Level 1

Hi there,

I have an Easy VPN server configured with RADIUS, and everything works with the newest Cisco VPN Client on Windows.

But I can't get it working with the built-in iPhone client.

Windows Client preferences:

Connection Entry: Sindby

Description:

Host: xx.xxx.xxx.xx

> Group authentication

Name: Sindby

Password: ******************

Confirm Password: ******************

That is on Windows, and then it pops up with the user XAUTH prompt and everything works.

On the iPhone I have problems figuring out which information goes where.

iPhone field            What I think goes there
Description:            Sindby
Server:                 xx.xxx.xxx.xx
Account:                XAUTH username
Password:               ask every time
Certificate:            not enabled
Group name:             Sindby
Key:                    pre-shared secret key

In the server log it seems to connect fine, and the iPhone pops up with username & password; I type in my XAUTH credentials, but it fails and pops up again, and after 3-4 failed tries it drops the connection.

What am I doing wrong here?

/Jesper

6 Replies

SindbyVejle
Level 1

In the server debug, I see this:

*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -2020890165 ...

*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2

*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 -2020890165 CONF_XAUTH

*Oct 13 09:25:46.662: ISAKMP:(2013): sending packet to 109.59.232.39 my_port 500 peer_port 500 (R) CONF_XAUTH

*Oct 13 09:25:46.662: ISAKMP:(2013):Sending an IKE IPv4 Packet.

*Oct 13 09:25:49.850: ISAKMP (2013): received packet from 109.59.232.39 dport 500 sport 500 Global (R) CONF_XAUTH

*Oct 13 09:25:49.850: ISAKMP:(2013):processing transaction payload from 109.59.232.39. message ID = -2020890165

*Oct 13 09:25:49.850: ISAKMP: Config payload REPLY

*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

*Oct 13 09:25:49.850: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received

*Oct 13 09:25:49.850: ISAKMP:(2013):peer does not do paranoid keepalives.

Is it something to do with the above line?
/Jesper

Hi Jesper,

Config on Iphone looks ok.

Do you see anything special in "debug aaa authentication" and "debug radius"?

Regards,

Praveen

Hi Praveen,

I know RADIUS is working, because everything works with the Windows client.

*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received

*Oct 13 10:26:39.373: ISAKMP: set new node 1284665358 to CONF_XAUTH

*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_TYPE_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_DOMAIN_V2

*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

As far as I read this from the debug, the server requests 4 things but only gets 2, which might be the reason... Am I right or wrong?

/Jesper

Komil Shamgunov
Level 1

Hi Jesper.

It seems that you are using passwd-expiry in your AAA configuration; this requires the XAUTH-TYPE attribute, which is not sent by the iPhone/iPad.

Try to change your aaa configuration from something like:

aaa authentication login ciscocp_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1

To something like:

aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1

It should work.

BR,

Kamil

I know I'm a little behind on this, but is there a way to get the iPhone to work with passwd-expiry? Or is there a way to create two different RADIUS authentications, one with passwd-expiry and one without? I only ask because I have many laptops that connect that need to be prompted to change their password, but phones do not require this function. Any ideas on a workaround for this scenario?

Cameron Webster
Level 1

I'd be interested in a solution to allow iPhones/iPads as well, if it is possible.

In fact, I never successfully managed to allow password changes with the Windows Cisco VPN client when the password had already expired anyway, but removing passwd-expiry now breaks my config for all devices.
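Kamil's fix above drops passwd-expiry for everyone. The follow-up question (keep the expiry prompt for laptops, let phones in without it) can be handled on IOS with two login lists bound to two ISAKMP profiles, each matching a different client group name: the group name and key typed into the client pick the profile, and the profile picks the XAUTH list. The fragment below is an added example written for this thread, not configuration posted by anyone in it. The group names (laptops, phones), list names, pool, authorization list, pre-shared keys and virtual-template numbers are assumptions; sdm-vpn-server-group-1 is the RADIUS server group name from Kamil's reply.

```cisco
! Two XAUTH login lists against the same RADIUS server group.
! The first keeps passwd-expiry for clients that send XAUTH_TYPE
! (Cisco VPN Client on Windows); the second omits it for the
! iPhone/iPad client, which does not send that attribute.
aaa authentication login vpn_xauth_expiry passwd-expiry group sdm-vpn-server-group-1
aaa authentication login vpn_xauth_plain group sdm-vpn-server-group-1
aaa authorization network vpn_group_author local

! Assumed client groups. The group name and key the user enters
! decide which profile, and therefore which login list, applies.
! Keys and the address pool are placeholders.
crypto isakmp client configuration group laptops
 key <laptop-group-psk>
 pool vpn_pool
crypto isakmp client configuration group phones
 key <phone-group-psk>
 pool vpn_pool

! Assumed profiles: one per client group, each with its own XAUTH list.
! Virtual-template 1 and 2 are assumed to exist and carry the IPsec
! profile the server already uses.
crypto isakmp profile laptops_prof
 match identity group laptops
 client authentication list vpn_xauth_expiry
 isakmp authorization list vpn_group_author
 client configuration address respond
 virtual-template 1
crypto isakmp profile phones_prof
 match identity group phones
 client authentication list vpn_xauth_plain
 isakmp authorization list vpn_group_author
 client configuration address respond
 virtual-template 2
```

The split only helps if phones are configured with the phones group name; an iPhone entered with the laptops group still hits the passwd-expiry list and fails the same way as in the debug above. Verify the binding with "show crypto isakmp profile" and watch "debug crypto isakmp" for which profile a new phone connection matches before troubleshooting RADIUS.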