UC520 VPN with Radius extended auth passes VPN group name

I am trying to get radius authentication on UC520 for ipsec vpn clients.  I have the radius server responding and the VPN client will attempt to connect.  However, using crypto isakmp profiles, it seems that instead of using the pre-share key for the isakmp phase 1 and then asking for the user's credentials for phase 1.5 it is firing off the VPN group name and the pre-share key to the radius server for authentication.  What "one line" in the config am I missing?

Attached is a sample of the debug radius authentication output.

013635: Jan 28 18:36:41.929: RADIUS/ENCODE(0000E00C):Orig. component type = VPN IPSEC
013636: Jan 28 18:36:41.929: RADIUS:  AAA Unsupported Attr: interface         [204] 11 
013637: Jan 28 18:36:41.929: RADIUS:   36 34 2E 36 30 2E 32 30 34         [ 64.60.204]
013638: Jan 28 18:36:41.929: RADIUS(0000E00C): Config NAS IP: 192.168.10.1
013639: Jan 28 18:36:41.929: RADIUS/ENCODE(0000E00C): acct_session_id: 57346
013640: Jan 28 18:36:41.929: RADIUS(0000E00C): sending
013641: Jan 28 18:36:41.929: RADIUS(0000E00C): Send Access-Request to 192.168.10.20:1645 id 1645/15, len 94
013642: Jan 28 18:36:41.929: RADIUS:  authenticator EF 8E 31 1F D0 DB 2B 2E - EE 00 8E 31 32 34 54 66
013643: Jan 28 18:36:41.929: RADIUS:  User-Name           [1]   13  "VPNprofile"  <-- This is the VPN Group name
013644: Jan 28 18:36:41.929: RADIUS:  User-Password       [2]   18  *
013645: Jan 28 18:36:41.929: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
013646: Jan 28 18:36:41.929: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
013647: Jan 28 18:36:41.929: RADIUS:  NAS-Port            [5]   6   1
013648: Jan 28 18:36:41.929: RADIUS:  NAS-Port-Id         [87]  13  "64.60.204.2"
013649: Jan 28 18:36:41.929: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
013650: Jan 28 18:36:41.929: RADIUS:  NAS-IP-Address      [4]   6   192.168.10.1
013651: Jan 28 18:36:41.933: RADIUS(0000E00C): Started 5 sec timeout
013652: Jan 28 18:36:46.866: RADIUS(0000E00C): Request timed out
013653: Jan 28 18:36:46.866: RADIUS: Retransmit to (192.168.10.20:1645,1646) for id 1645/15
013654: Jan 28 18:36:46.866: RADIUS(0000E00C): Started 5 sec timeout
013655: Jan 28 18:36:47.914: RADIUS: Received from id 1645/15 192.168.10.20:1645, Access-Reject, len 20
013656: Jan 28 18:36:47.914: RADIUS:  authenticator 3C 80 AE 10 20 97 A1 A0 - 98 B2 C1 E9 21 6B 56 C3
013657: Jan 28 18:36:47.914: RADIUS: Received from id 1645/15 192.168.10.20:1645, Access-Reject, len 20
013658: Jan 28 18:36:47.914: RADIUS: Response for non-existent request ident
013659: Jan 28 18:36:47.914: RADIUS(0000E00C): Received from id 1645/15

We do see the access-request going to the server, and later, the subsequent response from the radius server saying "reject"

So needless to say, this will fail.  The group name is NOT what is supposed to be sent to the radius server.

Any input is welcome.
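One way to read a "debug radius authentication" capture like the one above programmatically, as an added example that is not part of the original post or of any Cisco tool: the parser below rebuilds each Access-Request with its attributes and pairs it with the Access-Accept/Access-Reject that came back, then labels each request. The labelling rests on an assumption about IOS behaviour that the thread itself does not state: a request whose User-Name is one of the router's ISAKMP client group names and whose Service-Type is Outbound is the router's group-policy lookup (the network authorization step), which is a separate exchange from the xauth prompt for the user's own credentials. The sample input is a trimmed copy of the posted lines plus a constructed second exchange for a user "chris"; the group-name set and all function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample input: the posted Access-Request (trimmed, one duplicate
# NAS-Port-Type dropped) followed by a constructed user-credential request of
# the shape xauth sends, so both kinds of exchange appear in one capture.
SAMPLE_DEBUG = """\
013641: Jan 28 18:36:41.929: RADIUS(0000E00C): Send Access-Request to 192.168.10.20:1645 id 1645/15, len 94
013642: Jan 28 18:36:41.929: RADIUS:  authenticator EF 8E 31 1F D0 DB 2B 2E - EE 00 8E 31 32 34 54 66
013643: Jan 28 18:36:41.929: RADIUS:  User-Name           [1]   13  "VPNprofile"
013644: Jan 28 18:36:41.929: RADIUS:  User-Password       [2]   18  *
013645: Jan 28 18:36:41.929: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
013647: Jan 28 18:36:41.929: RADIUS:  NAS-Port            [5]   6   1
013648: Jan 28 18:36:41.929: RADIUS:  NAS-Port-Id         [87]  13  "64.60.204.2"
013649: Jan 28 18:36:41.929: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
013650: Jan 28 18:36:41.929: RADIUS:  NAS-IP-Address      [4]   6   192.168.10.1
013655: Jan 28 18:36:47.914: RADIUS: Received from id 1645/15 192.168.10.20:1645, Access-Reject, len 20
013700: Jan 28 18:40:02.101: RADIUS(0000E00D): Send Access-Request to 192.168.10.20:1645 id 1645/16, len 88
013701: Jan 28 18:40:02.101: RADIUS:  User-Name           [1]   7   "chris"
013702: Jan 28 18:40:02.101: RADIUS:  User-Password       [2]   18  *
013703: Jan 28 18:40:02.101: RADIUS:  Service-Type        [6]   6   Login                     [1]
013704: Jan 28 18:40:02.101: RADIUS:  NAS-IP-Address      [4]   6   192.168.10.1
013705: Jan 28 18:40:02.160: RADIUS: Received from id 1645/16 192.168.10.20:1645, Access-Accept, len 20
"""

# Line shapes taken from the IOS debug format shown in the post.
SEND_RE = re.compile(
    r"RADIUS\((?P<ctx>[0-9A-F]+)\): Send (?P<code>Access-\w+) to (?P<server>\S+) id (?P<id>[^,]+), len \d+"
)
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[A-Za-z][\w-]*)\s+\[(?P<type>\d+)\]\s+(?P<len>\d+)\s+(?P<value>.*)$"
)
RECV_RE = re.compile(
    r"RADIUS: Received from id (?P<id>\S+) (?P<server>\S+), (?P<code>Access-\w+), len \d+"
)


@dataclass
class RadiusExchange:
    context: str                 # the (0000E00C) AAA context id
    request_id: str              # "port/identifier", e.g. 1645/15
    server: str
    attrs: Dict[str, str] = field(default_factory=dict)
    response: Optional[str] = None


def _clean_value(raw: str) -> str:
    """Strings print quoted; enumerated attributes print as '<name>   [<number>]'."""
    raw = raw.strip()
    m = re.match(r'"(.*)"', raw)
    if m:
        return m.group(1)
    return raw.split()[0] if raw else ""


def parse_debug(text: str) -> List[RadiusExchange]:
    exchanges: List[RadiusExchange] = []
    current: Optional[RadiusExchange] = None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            current = RadiusExchange(m["ctx"], m["id"], m["server"])
            exchanges.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            current.attrs[m["name"]] = _clean_value(m["value"])
            continue
        m = RECV_RE.search(line)
        if m:
            # Pair with the first still-unanswered request carrying this id, so the
            # duplicate "Received from" line a retransmit produces is ignored.
            for ex in exchanges:
                if ex.request_id == m["id"] and ex.response is None:
                    ex.response = m["code"]
                    break
    return exchanges


def classify(ex: RadiusExchange, isakmp_groups: Set[str]) -> str:
    """Assumed IOS behaviour: User-Name == ISAKMP group plus Service-Type Outbound
    marks the router's group-policy lookup, not a user's xauth credentials."""
    user = ex.attrs.get("User-Name", "")
    outbound = ex.attrs.get("Service-Type") == "Outbound"
    if outbound or user in isakmp_groups:
        return "group-policy-lookup"
    return "user-authentication"


def diagnose(text: str, isakmp_groups: Set[str]) -> List[str]:
    findings = []
    for ex in parse_debug(text):
        kind = classify(ex, isakmp_groups)
        user = ex.attrs.get("User-Name", "?")
        line = f"id {ex.request_id}: {kind} for User-Name {user!r} -> {ex.response or 'no response'}"
        if kind == "group-policy-lookup" and ex.response == "Access-Reject":
            line += " (server rejected the group lookup; the tunnel fails before any user prompt)"
        findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG, {"VPNprofile"}):
        print(finding)
```

Feed it the full debug output and the set of group names from the router's ISAKMP client configuration; a rejected group-policy lookup shows up as the first finding, and any later user-authentication exchange (or its absence) tells you whether the xauth step was ever reached.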

9 Replies

andamani
Cisco Employee

Hi,

please attach the AAA configuration and the crypto configuration.

Regards,
Anisha

Hello Anisha;

Attached is the file with the AAA and the crypto map sections...

Thanks for the help...

Chris

Hi Chris,

I don't see the VPN group "VPNprofile" as mentioned by you in the config attached. Am I missing something? Could you send the tunnel-group configurations as well?

Also, what are you using as the radius server? i.e. IAS, NPS, ACS?

Also please let me know the error message you see in the event viewer of the server.

Regards,

Anisha Damani

Sorry - I had "cleaned up" the config - VPNprofile was bogus.  The one in the txt file I sent up was ISAKMP profile FarmshopVPN-profile

If it involves the name FarmshopVPN - it is it...

And on another note - I ripped out all of the VPN configurations.  Then I used the Cisco Configuration Assistant, added users and rebuilt the VPN.

It does not even authenticate against the local database.

I then ripped out all of that and then added VPN configurations that are KNOWN to work.  It involves the old-style crypto maps.  I can attempt to add the following command:

crypto map VPN2 65535 ipsec-isakmp dynamic DYNAMAP

All of the parts are there, including the profile DYNAMAP, etc.

But when you attempt to apply the map VPN2 to the external interface, the system complains that you cannot apply an empty crypto map.  Well, sure enough, no matter how you try to add the crypto map statement as above, it will not "stick" - the IOS simply discards it.  This is the version:

Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.0(1)XA3a, SBTG Special

hmmmm...

To be honest with you, I am not an expert with the UC500 series. I work on VPN and AAA, so I am checking the configuration.

From the configuration I don't see anything wrong, and it should prompt you for authentication and not pass the profile name.

Please give the configuration of the interfaces as well. Let me go through the configuration once again and see what is going on.

Regards,

Anisha

Hello Anisha;

Last night, I updated the IOS to Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.1(2)T2, RELEASE SOFTWARE (fc1)

Now, I am at least able to add the crypto map ipsec-isakmp dynamic-map line in there.  However, it still does NOT behave properly.

Here are the interfaces (all of them), but the real outside IP has been removed...

interface Loopback0
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address x.x.x.x 255.255.255.240
ip access-group Allow-In in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
duplex auto
speed auto
!
interface Integrated-Service-Engine0/0
description cue is initialized with default IMAP group
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
interface FastEthernet0/1/0
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone
spanning-tree portfast
!
interface FastEthernet0/1/1
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone
spanning-tree portfast
!
interface FastEthernet0/1/2
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone
spanning-tree portfast
!
interface FastEthernet0/1/3
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone
spanning-tree portfast
!
interface FastEthernet0/1/4
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone
spanning-tree portfast
!
interface FastEthernet0/1/5
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone
spanning-tree portfast
!
interface FastEthernet0/1/6
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone
spanning-tree portfast
!
interface FastEthernet0/1/7
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone
spanning-tree portfast
!
interface FastEthernet0/1/8
description Switch Main Level
switchport mode trunk
macro description cisco-switch | cisco-switch | cisco-switch
!
interface Serial0/2/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn supp-service name calling
isdn sending-complete
trunk-group ALL_T1E1
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan100
no ip address
bridge-group 100
!
interface BVI1
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface BVI100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in

FYI - I also discovered that the unit is not authenticating to the local database.

I opened a ticket with Cisco TAC to get to the bottom of this.  I do believe I have an IOS issue - since it was CCA that configured my test profile...

Was there an answer to this?

I am currently experiencing the same problem.

I can authenticate to the Local database fine, but when I enable Radius Server Groups my VPN router passes the VPN Group as the Radius username as the OP described.

Luke
