10-13-2010 01:07 AM
Hi there,
I have an Easy VPN server configured with Radius, and everything works with the newest Cisco VPN Client on Windows.
But I can't get it working on the built-in iPhone client.
Windows Client pref.
Connection Entry: Sindby
Description:
Host: xx.xxx.xxx.xx
> Group authentication
Name: Sindby
Password: ******************
Confirm Password: ******************
That is on Windows, and then it pops up with user xauth and everything works.
On the iPhone I have problems figuring out which information goes where.
iPhone: I think it is like this:
Description: ? Sindby
Server: ? xx.xxx.xxx.xx
Account: ? xauth Username
Password: ? Ask every time
Certificate: not enabled
Groupname: ? Sindby
Key: ? Preshared Secret Key
In the server log, it seems like it connects fine, and the iPhone pops up with: username & password. I type in my xauth credentials, but it fails and pops up again, and after 3-4 failed tries, it drops the connection.
What am I doing wrong here?
/Jesper
10-13-2010 01:22 AM
In the server debug, I see this:
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH -2020890165 ...
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 -2020890165 CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013): sending packet to 109.59.232.39 my_port 500 peer_port 500 (R) CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Oct 13 09:25:49.850: ISAKMP (2013): received packet from 109.59.232.39 dport 500 sport 500 Global (R) CONF_XAUTH
*Oct 13 09:25:49.850: ISAKMP:(2013):processing transaction payload from 109.59.232.39. message ID = -2020890165
*Oct 13 09:25:49.850: ISAKMP: Config payload REPLY
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
*Oct 13 09:25:49.850: ISAKMP:(2013):peer does not do paranoid keepalives.
10-13-2010 01:28 AM
Hi Jesper,
Config on iPhone looks OK.
Do you see anything special in "debug aaa authentication" and "debug radius"?
Regards,
Praveen
10-13-2010 01:35 AM
Hi Praveen,
I know the radius is working, because everything works with the Windows Client.
*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
*Oct 13 10:26:39.373: ISAKMP: set new node 1284665358 to CONF_XAUTH
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_TYPE_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_DOMAIN_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
As far as I read this from the debug, the server requests 4 things, but only gets 2, which might be the reason... Am I right or wrong?
/Jesper
01-19-2011 03:36 AM
Hi Jesper.
It seems that you are using password-expiry in your aaa configuration; this requires the XAUTH-TYPE attribute, which is not sent by iPhone/iPad.
Try to change your aaa configuration from something like:
aaa authentication login ciscocp_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1
To something like:
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1
It should work.
BR,
Kamil
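As an added example (not part of any post in this thread): a small Python script that reads the ISAKMP/xauth debug lines posted above and lists which XAUTH attributes the server requested, which the client returned, and which the router reported as missing. The function and variable names are made up for this illustration; the sample lines are copied from the 10-13-2010 01:35 AM post.

```python
import re
from collections import Counter

# Debug lines copied from the 10-13-2010 01:35 AM post in this thread.
SAMPLE = """\
*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
*Oct 13 10:26:39.373: ISAKMP: set new node 1284665358 to CONF_XAUTH
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_TYPE_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_DOMAIN_V2
*Oct 13 10:26:39.373: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
"""

# Matches the three xauth line shapes seen in the thread's debug output.
XAUTH_LINE = re.compile(
    r"ISAKMP/xauth: (?:(request|reply) attribute (\S+)"
    r"|Expected attribute (\S+) not received)"
)

def analyze(log_text):
    """Return the XAUTH attributes requested by the server, returned by the
    client, left unanswered, and explicitly reported missing by the router."""
    requested, replied, rejected = set(), set(), Counter()
    for line in log_text.splitlines():
        m = XAUTH_LINE.search(line)
        if m is None:
            continue  # not an xauth attribute line
        direction, attr, expected = m.groups()
        if expected:
            rejected[expected] += 1
        elif direction == "request":
            requested.add(attr)
        else:
            replied.add(attr)
    return {
        "requested": requested,
        "replied": replied,
        "unanswered": requested - replied,
        "rejected_for": dict(rejected),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {sorted(value)}")
```

In these lines XAUTH_DOMAIN_V2 is also unanswered, but the router only logs a complaint about XAUTH_TYPE_V2.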
02-20-2012 01:57 PM
I know I'm a little behind on this, but is there a way to get the iPhone to work with passwd-expiry? Or is there a way to create 2 different RADIUS authentications? One with passwd-expiry, one without? I only ask because I have many laptops that connect that need to be prompted to change password, but phones that do not require this function. Any ideas on a workaround for this scenario?
08-27-2013 08:37 AM
I'd be interested in a solution to allow iPhones/iPads as well, if it is possible.
In fact, I never successfully managed to allow password changes with the Windows Cisco VPN client when the password has already expired anyway, but removing passwd-expiry now breaks my config for all devices.