EzVPN and Radius

Apr 24th, 2009

I have configured a router to use RADIUS (MS IAS) for console and telnet logins. I also want the VPN users connecting to that router to be authenticated with the RADIUS server. I have configured the router; however, I am not able to get the VPN client connected to the router (EzVPN server).


The configuration of the router is below:







Router#sh run
Building configuration...

Current configuration : 1585 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa group server radius AUTH
 server 172.16.1.243 auth-port 1645 acct-port 1646
!
aaa authentication login AUTH group radius
aaa authorization exec default group radius
aaa authorization network AUTH group radius
!
aaa session-id common
memory-size iomem 5
!
ip cef
!
ip address-pool dhcp-pool
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group AAA
 key vpnuser
 dns 10.0.1.13 10.0.1.14
 domain cisco.com
 pool Remote-Pool
 save-password
!
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
!
crypto dynamic-map Dynamic-Map 10
 set transform-set VPNTRANSFORM
 reverse-route
!
crypto map ClientMap client authentication list AUTH
crypto map ClientMap isakmp authorization list AUTH
crypto map ClientMap client configuration address respond
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
!
interface FastEthernet0/0
 ip address 172.16.1.241 255.255.255.0
 duplex auto
 speed auto
 crypto map ClientMap
!
ip local pool Remote-Pool 10.0.1.100 10.0.1.150
ip http server
no ip http secure-server
!
ip radius source-interface FastEthernet0/0
!
radius-server host 172.16.1.243 auth-port 1645 acct-port 1646 key xxxxxx
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login authentication AUTH
!
end






When I dial in using the Cisco Easy VPN Client, I get a debug error of:

%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 172.16.1.242 was not encrypted and it should've been.



I have searched on Google and thought that the problem would have been with the group ID and password.

In my case the group ID is AAA and the password is vpnuser.

But still I can't VPN into the router.

I think it is a problem associated with AAA, because in the books I have read I have seen EzVPN configured using the local database, and here I am authenticating users with IAS. But it should work fine, as I am able to telnet into the router using my Active Directory/IAS account, i.e. [email protected]




Please help



Correct Answer
Ivan Martinon Fri, 04/24/2009 - 09:34
User Badges: Cisco Employee

Change this line:


aaa authorization network AUTH group radius


to be


aaa authorization network AUTH local
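The reason the one-line change works: `crypto map ClientMap isakmp authorization list AUTH` tells the router to fetch the ISAKMP client group policy (group name AAA, key vpnuser, pool, DNS) through the method list AUTH. With `aaa authorization network AUTH group radius` that lookup is sent to IAS, where no such group exists, so the router never obtains the pre-shared key for the group and IKE aggressive mode fails with the "not encrypted and it should've been" message. With `local`, the group is taken from the router's own `crypto isakmp client configuration group AAA`, while user (Xauth) authentication still goes to RADIUS through `client authentication list AUTH` and `aaa authentication login AUTH group radius`. The following Python script is an added example, not code from the thread or from Cisco: it parses the AAA and crypto-map lines of an IOS running-config and flags a crypto map whose ISAKMP authorization list cannot reach locally defined client groups. The two config strings are constructed from the poster's configuration (the broken form and the form with the suggested fix).

```python
"""Lint the AAA wiring of an IOS Easy VPN server configuration.

Added example (not from the forum thread). It checks that each crypto map's
'isakmp authorization list' points at an 'aaa authorization network' list that
includes 'local' when the ISAKMP client groups are defined on the router, and
that the 'client authentication list' (Xauth) points at an existing login list.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the poster's running-config reduced to the AAA/crypto lines,
# in the broken form (group authorization sent to RADIUS, group defined locally).
BROKEN_CONFIG = """\
aaa new-model
aaa group server radius AUTH
 server 172.16.1.243 auth-port 1645 acct-port 1646
aaa authentication login AUTH group radius
aaa authorization exec default group radius
aaa authorization network AUTH group radius
crypto isakmp client configuration group AAA
 key vpnuser
 pool Remote-Pool
crypto map ClientMap client authentication list AUTH
crypto map ClientMap isakmp authorization list AUTH
crypto map ClientMap client configuration address respond
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
"""

# Same config with the accepted answer applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authorization network AUTH group radius",
    "aaa authorization network AUTH local",
)


@dataclass
class AaaModel:
    login_lists: dict = field(default_factory=dict)    # list name -> [methods]
    network_lists: dict = field(default_factory=dict)  # list name -> [methods]
    local_groups: set = field(default_factory=set)     # locally defined ISAKMP client groups
    xauth_lists: dict = field(default_factory=dict)    # crypto map -> login list name
    authz_lists: dict = field(default_factory=dict)    # crypto map -> network list name


def _methods(spec):
    """Split an AAA method string: 'group radius local' -> ['group radius', 'local']."""
    tokens = spec.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text):
    """Extract the AAA and crypto-map lines relevant to Easy VPN from IOS config text."""
    m = AaaModel()
    for raw in text.splitlines():
        line = raw.strip()
        if r := re.match(r"aaa authentication login (\S+) (.+)", line):
            m.login_lists[r.group(1)] = _methods(r.group(2))
        elif r := re.match(r"aaa authorization network (\S+) (.+)", line):
            m.network_lists[r.group(1)] = _methods(r.group(2))
        elif r := re.match(r"crypto isakmp client configuration group (\S+)", line):
            m.local_groups.add(r.group(1))
        elif r := re.match(r"crypto map (\S+) client authentication list (\S+)", line):
            m.xauth_lists[r.group(1)] = r.group(2)
        elif r := re.match(r"crypto map (\S+) isakmp authorization list (\S+)", line):
            m.authz_lists[r.group(1)] = r.group(2)
    return m


def lint(text):
    """Return a list of human-readable findings; an empty list means the wiring is consistent."""
    m = parse_config(text)
    findings = []
    for cmap, lst in m.authz_lists.items():
        methods = m.network_lists.get(lst)
        if methods is None:
            findings.append(f"{cmap}: isakmp authorization list '{lst}' is not defined "
                            f"('aaa authorization network {lst} ...' is missing)")
            continue
        # Groups exist on the router, but the list never consults the local database:
        # the group lookup (and its pre-shared key) is sent to the AAA server instead.
        if m.local_groups and "local" not in methods:
            findings.append(f"{cmap}: client groups {sorted(m.local_groups)} are defined "
                            f"locally but list '{lst}' only uses {methods}; add 'local' "
                            f"so the router can retrieve the group policy itself")
    for cmap, lst in m.xauth_lists.items():
        if lst not in m.login_lists:
            findings.append(f"{cmap}: client authentication (Xauth) list '{lst}' has no "
                            f"'aaa authentication login {lst} ...'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}] {lint(cfg) or 'no findings'}")
```

Running the script reports one finding for the broken configuration (the ClientMap authorization list never tries `local`) and none once the suggested change is applied; Xauth is left pointing at RADIUS in both cases, which is the behaviour the poster wanted.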

Alcides Miguel Tue, 12/14/2010 - 09:08

I was working on this with no success and you helped me a lot... thanks for your help.
