Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
272
Views
0
Helpful
0
Replies
Highlighted
pamirian76
Beginner
Beginner
‎01-30-2014 08:28 AM
‎01-30-2014 08:28 AM

eazyvpn / freeradius authentication issue

hi,

I've configured freeradius as such and I know it works.

asa version is Version 9.1(3)

               

FREERAD CONFIG  

client myasa {

        ipaddr = <ipofasa>

        netmask = 24

        secret = cisco123

        nastype = cisco

}

testuser Cleartext-Password := "testuser"

  Service-Type = NAS-Prompt-User

from the ASA

myasa # test aaa-server authentication FREERAD

Server IP Address or name: 10.80.250.13

Username: testuser

Password: ********

INFO: Attempting Authentication test to IP address <10.80.250.13> (timeout: 10 seconds)

INFO: Authentication Successful

interesting ASA config,

aaa-server FREERAD protocol radius

aaa-server FREERAD (inside) host 10.80.250.13

timeout 5

key *****

authentication-port 1812

group-policy EZVPN internal

group-policy EZVPN attributes

dns-server value 10.x.x.x

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value EZVPN_splitTunnelAcl

default-domain value somedomain.com

nem enable

tunnel-group EZVPN type remote-access

tunnel-group EZVPN general-attributes

address-pool EZVPNPOOL

authentication-server-group FREERAD

default-group-policy EZVPN

tunnel-group EZVPN ipsec-attributes

ikev1 pre-shared-key *****

anyways the response the ASA gets from the FREERADIUS is,

%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.80.250.13 : user = testuser

but when I do it using the TEST command it works just fine and I just can't figure out why.

thanks for any help.

this is what I get from freeradius logs,

Thu Jan 30 11:18:49 2014 : Auth: Login incorrect: [testuser/testuser] (from client MYASA port 4317184 cli x.x.x.x)

Labels:
0 Helpful
Reply
0 REPLIES 0
Latest Contents
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:48 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:46 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 01-15-2021 06:09 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Serious problem with Object Groups + Access Policies in FMC
Created by mhmservice on 01-15-2021 04:31 AM
0
0
0
0
Hi allI've been having a major problem with Object Groups in FMC access policiesIf I have a pre-existing line in a policy with an Object Group which contains a list of IPs, if I add an additional IP to that object group, then deploy, the traffic is still ... view more
No cts dot1x command in interface configuration mode
Created by tanzhy on 01-14-2021 01:49 AM
3
0
3
0
Anyone know why there are no cts dot1x command in interface configure mode?I  just find cts manual and cts role-based command      Hardware is  C9300-48PSoftware is   Cisco IOS XE Software, Version 16.12.04License i... view more
Content for Community-Ad