03-22-2010 09:07 AM - edited 02-21-2020 04:33 PM
Hello,
I configured IPSec VPN server for remote clients on Cisco 2811 with XAuth (see attached cisco vpn configuration). At first I configured clients extended authentication (Xauth) using local IOS users database and it worked ok, but then I tried to configure clients authentication via FreeRADIUS and got authentication errors (see a part of attached freeradius log): in fact, instead of client's username/password sent via Xauth, Cisco sends a VPN-Group/pre-shared key combination to FreeRADIUS. Obviously FreeRADIUS can't find such username/password in its database and replies with an error. Is it possible somehow to reconfigure Cisco in such a way that it would send username/password instead of VPN-Group/Pre-shared key, or to reconfigure FreeRADIUS so that it would interpret VPN-Group/Pre-shared key parameters?
03-22-2010 10:59 PM
Xauth to the RADIUS server should not really be sending the group name and password towards the RADIUS server. Xauth should send the username and password when the user authenticates.
1) You can try to authenticate to the radius server from the router itself, using the "test aaa" command --> check if the authentication works.
2) When you are connecting with the vpn client, did you get prompted for username and password, and what did you enter?
03-24-2010 11:57 PM
Hello,
I tested FreeRADIUS authentication with "test aaa" command as you suggested and it worked ok. Then I changed the Cisco AAA network authorization to local: "aaa authorization network vpnauth local" and it could normally authenticate with RADIUS (Cisco sent username/password and not VPN-group/pre-shared key parameters). Thanks a lot!
03-29-2010 03:02 PM
Very timely thread. I was having the exact same issue with RADIUS (FreeRADIUS) trying to auth IKE, when I only wanted user authentication by RADIUS.
I've applied the changes suggested, and it's fixed my problem also. Thanks =)
## OLD
aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group group radius local
## NEW
aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group local
Would you mind posting what radius attributes you've set?
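The arrangement described in the accepted answer and in the OLD/NEW snippet above, laid out as one complete router configuration so the two AAA method lists can be seen next to the crypto map lines that invoke them. This is an added example, not the original poster's attached config; the address, keys, pool, interface and list names are placeholders, and a classic crypto map is assumed rather than an ISAKMP profile.

```cisco
! Added example, not the thread's own configuration. Address, keys,
! pool, interface and list names are placeholders chosen here.
aaa new-model
!
! Xauth user login goes to RADIUS. "local" is only tried when no RADIUS
! server answers; an Access-Reject from RADIUS does not fall through.
aaa authentication login vpn-test-users group radius local
!
! ISAKMP group authorization stays on the router. With "group radius"
! here the router first tries to authorize the VPN group itself through
! RADIUS (the group name appears as the user name in the FreeRADIUS log),
! which is the reject the original poster saw.
aaa authorization network vpn-test-group local
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Group attributes served from the router, as "local" above requires.
crypto isakmp client configuration group vpn-test
 key GROUP-PSK-PLACEHOLDER
 pool vpn-pool
!
ip local pool vpn-pool 10.10.10.1 10.10.10.254
!
crypto ipsec transform-set vpn-ts esp-aes esp-sha-hmac
!
crypto dynamic-map vpn-dyn 10
 set transform-set vpn-ts
 reverse-route
!
! Bind the two method lists: users -> RADIUS, group -> local.
crypto map vpn-map client authentication list vpn-test-users
crypto map vpn-map isakmp authorization list vpn-test-group
crypto map vpn-map client configuration address respond
crypto map vpn-map 10 ipsec-isakmp dynamic vpn-dyn
!
interface FastEthernet0/0
 crypto map vpn-map
```

With this layout only the Xauth Access-Request (the user's name and password) reaches FreeRADIUS, so a plain user entry there is enough and no group-named entry is needed.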