01-28-2009 04:05 PM
Hi There!
I have created a VPN group (PIX v8.0(3)) for the corporate iPhones. They work fine if the authentication is LOCAL, but if I request them to authenticate with ACS, it fails. What should I do?
01-29-2009 04:18 AM
Perform an authentication check from the PIX/ASA using the uid/pwd that is configured in the ACS to make sure the details are valid.
HTH>
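The check suggested above can also be run from an ordinary host rather than from the PIX. The following is an added example (not part of the original thread and not Cisco or ACS code): a stdlib-only RADIUS PAP probe per RFC 2865 that sends an Access-Request, hides the password the way the NAS does, and verifies the Response Authenticator on the reply. Server address, shared secret, username and password are placeholders supplied by the caller; the values from the posted config are only used as illustration. Note that a RADIUS server silently discards requests from hosts it does not know as AAA clients, so a timeout from a probe host is expected unless that host is registered in ACS, whereas a bad shared secret shows up as an authenticator mismatch.

```python
"""Minimal RADIUS (RFC 2865) PAP authentication probe, stdlib only.

Added example; not code from the forum thread, the PIX, or ACS.
All hosts, secrets and credentials are placeholders passed in by the caller.
"""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _avp(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type (1) | Length (1, includes the 2 header bytes) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str = "0.0.0.0", authenticator: bytes = b"") -> bytes:
    auth = authenticator or os.urandom(16)  # Request Authenticator, must be unpredictable
    attrs = (_avp(ATTR_USER_NAME, username.encode())
             + _avp(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + _avp(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    length = min(length, len(pkt))
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def response_authenticator(code: int, ident: int, attrs_bytes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs_bytes: bytes = b"") -> bytes:
    """Server side, used here to test the verifier offline."""
    ra = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + ra + attrs_bytes


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    code, ident, ra, _ = parse_packet(resp)
    expected = response_authenticator(code, ident, resp[20:], request_auth, secret)
    return hmac.compare_digest(ra, expected)


def check_credentials(server: str, secret: bytes, username: str, password: str,
                      port: int = 1812, timeout: float = 5.0) -> str:
    """Send one Access-Request and classify the outcome."""
    ident = os.urandom(1)[0]
    req = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no response (unreachable, wrong port, or this host is not a registered AAA client)"
    if not verify_response(resp, req[4:20], secret):
        return "response authenticator mismatch (shared secret differs)"
    code, rid, _, _ = parse_packet(resp)
    if rid != ident:
        return "identifier mismatch"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}")


if __name__ == "__main__":
    # usage: radius_probe.py <server> <secret> <username> <password>
    print(check_credentials(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]))
```

An Access-Reject with a verified authenticator means the server saw the request and the secret matched, so the failure is in the ACS user or group policy and the ACS failed-attempts log will say why; a mismatch points at the `key` line on the aaa-server definition instead.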
01-29-2009 04:27 AM
Yes they are valid. Works fine from my desktop.
01-29-2009 04:29 AM
OK - is the config in the PIX/ASA valid?
Have you added the PIX/ASA in the ACS as a valid network device?
01-29-2009 04:48 AM
So far it is.
Yes, I have added the PIX in the ACS. I have about 300 L2L dynamic connections, 3 PIX x PIX/ASA and about 150 remote access.
Here is the set pointing to ACS:
aaa-server PIX protocol radius
aaa-server PIX (Corp) host 10.0.30.3
timeout 5
key auditor
01-29-2009 04:56 AM
The only thing left to test is to log in via a remote VPN connection using the same details the iPhone is using. If it passes, the issue is with the iPhone; if it fails, then you need to check the ACS logs for the failure reason.
HTH>
01-29-2009 07:35 AM
This group has access via remote VPN and via iPhone.
Here is my configuration:
object-group network Painel
network-object 172.30.23.0 255.255.255.0
!
access-list Outside_cryptomap extended permit ip any object-group Painel
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.102 object-group Painel eq 7778
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.109 object-group Painel eq www
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.169 object-group Painel eq 8080
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.191 object-group Painel eq 8080
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.235 object-group Painel eq www
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.253 object-group Painel eq www
!
access-list Painel_SplittunnelAcl standard permit host 10.0.30.102
access-list Painel_SplittunnelAcl standard permit host 10.0.30.109
access-list Painel_SplittunnelAcl standard permit host 10.0.30.169
access-list Painel_SplittunnelAcl standard permit host 10.0.30.191
access-list Painel_SplittunnelAcl standard permit host 10.0.30.235
access-list Painel_SplittunnelAcl standard permit host 10.0.30.253
!
ip local pool PainelACCESS 172.30.23.1-172.30.23.254 mask 255.255.255.0
!
group-policy Painel internal
group-policy Painel attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Painel_SplittunnelAcl
!
tunnel-group Painel type ipsec-ra
tunnel-group Painel general-attributes
address-pool PainelACCESS
authentication-server-group PIX
authorization-server-group PIX
accounting-server-group PIX
default-group-policy Painel
tunnel-group Painel ipsec-attributes
pre-shared-key *