VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if there's correct traffic.  I have two RADIUS servers that I want to use for certificate-based authentication, which are located behind the ASA 5515-X.

If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is already established by doing something such as connecting a VoIP phone.  No entries appear in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.

*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.

If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I then connect another PC with the correct certificates to a port with 802.1X enabled, such as ports FA0 through 3, 802.1X will succeed.

Current configuration : 6199 bytes
!
! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
aaa local authentication default authorization default
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
!
ip cef
!
!
!
!
!
!
ip dhcp pool pool
 import all
 network 192.168.28.0 255.255.255.248
 bootfile PXEboot.com
 default-router 192.168.28.1
 dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
 domain-name domain.local
 option 66 ip 192.168.23.10
 option 67 ascii PXEboot.com
 option 150 ip 192.168.23.10
 lease 0 2
!
ip dhcp pool phonepool
 network 192.168.28.128 255.255.255.248
 default-router 192.168.28.129
 dns-server 192.168.26.10 192.168.1.100
 option 150 ip 192.168.1.132
 domain-name domain.local
 lease 0 2
!
ip dhcp pool guestpool
 network 10.254.0.0 255.255.255.0
 dns-server 8.8.8.8 4.2.2.2
 domain-name local
 default-router 10.254.0.1
 lease 0 2
!
!
!
no ip domain lookup
ip domain name remote.domain.local
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO892-K9
!
!
dot1x system-auth-control
username somebody privilege 15 password 0 password
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key secretpassword address 123.123.123.123
!
!
crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map pix 10 ipsec-isakmp
 set peer 123.123.123.123
 set transform-set pix-set
 match address 110
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet4
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 switchport access vlan 12
 switchport voice vlan 11
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map pix
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.28.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan11
 ip address 192.168.28.129 255.255.255.248
!
interface Vlan12
 ip address 10.254.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 101 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip radius source-interface Vlan10
ip sla auto discovery
access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
!
!
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
ntp source FastEthernet0
ntp server 192.168.26.10
ntp server 192.168.1.100
!
end

2 Replies

rabindrapanda
Level 1

As per my knowledge, you have to enable 802.1X authentication on the PC network adapter; after that the PC will be able to ping.

To enable 802.1X on the PC, do the following:

On the PC: Start > Run > services.msc, start the wiredconfig service, then go to the network adapter properties > Authentication tab and enable 802.1X.

I hope this will work; if I am wrong then please clarify for me.

I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if there's another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken-and-egg scenario: a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.
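One way to break the dependency described in the thread, as an added example that is not part of the thread and not Cisco's own recommendation: the symptoms (RADIUS unreachable from VLAN10 until a device sits on a non-802.1X port in that VLAN, then authentication works) are consistent with the Vlan10 SVI staying down while no member port is forwarding, because a port still in the 802.1X unauthorized state does not bring the VLAN up, and `ip radius source-interface Vlan10` then has no usable source. That reading is an assumption here, not something the thread confirms, and the first command below checks it. The change sources RADIUS (and NTP, which the posted config sources from a switch port with no address) from a loopback, which stays up regardless of switch-port state. The loopback address 192.168.29.1 is an assumed placeholder, chosen inside 192.168.29.0/24 only because the posted crypto ACL 110 already selects that subnet for the tunnel.

```text
! --- Check the assumption first (before changing anything) ---
! With no device on FA4/FA5/FA6 and only 802.1X ports in VLAN 10 connected,
! an SVI that is the root cause shows "line protocol is down":
show interfaces Vlan10 | include protocol

! --- Added example config (assumed addresses, not from the thread) ---
! Loopback is up/up independent of any switch port or 802.1X state.
interface Loopback0
 ip address 192.168.29.1 255.255.255.255
!
! Source RADIUS and NTP from the loopback instead of Vlan10 / FastEthernet0.
ip radius source-interface Loopback0
ntp source Loopback0
!
! Crypto ACL 110 already matches 192.168.29.0/24 -> 192.168.0.0/16, so
! loopback-sourced RADIUS and NTP packets are selected for the IPsec tunnel.
! ACL 101 (NAT) never matches 192.168.29.1, so these packets are not NATed.
!
! Required on the far side (outside this router's config):
!  - the ASA crypto ACL for peer router1 must mirror 192.168.0.0/16 <-> 192.168.29.0/24
!  - the ASA (or its inside routers) must route 192.168.29.0/24 back to the tunnel
!  - both RADIUS servers need a client/NAS entry for 192.168.29.1 with key "secretkey"
!
! --- Verify after the change ---
show interfaces Loopback0
show crypto isakmp sa
show crypto ipsec sa peer 123.123.123.123
! Sends a test Access-Request from the new source without needing a client on a port
! (use throwaway credentials; with certificate-only servers an Access-Reject still
! proves the request reached the server, where a timeout proves it did not):
test aaa group radius testuser testpass new-code
```

Run the `show interfaces Vlan10` check with the VLAN 10 non-802.1X ports empty; if the line protocol is already up in that state, the SVI is not the cause and the loopback change will not help. After applying the change, the `test aaa` result and `show crypto ipsec sa` (encaps/decaps counters for the 192.168.29.0/24 SA) show whether the RADIUS servers are reached before any supplicant is authorized.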