
EzVPN and Radius

I have configured a router to use RADIUS (MS IAS) for console and telnet logins. I also want the VPN users connecting to that router to be authenticated with the RADIUS server. I have configured the router; however, I am not able to get the VPN client connected to the router (EzVPN server).

The configuration of the router is below:

Router#sh run
Building configuration...

Current configuration : 1585 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa group server radius AUTH
 server 172.16.1.243 auth-port 1645 acct-port 1646
!
aaa authentication login AUTH group radius
aaa authorization exec default group radius
aaa authorization network AUTH group radius
!
aaa session-id common
memory-size iomem 5
!
ip cef
!
ip address-pool dhcp-pool
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group AAA
 key vpnuser
 dns 10.0.1.13 10.0.1.14
 domain cisco.com
 pool Remote-Pool
 save-password
!
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
!
crypto dynamic-map Dynamic-Map 10
 set transform-set VPNTRANSFORM
 reverse-route
!
crypto map ClientMap client authentication list AUTH
crypto map ClientMap isakmp authorization list AUTH
crypto map ClientMap client configuration address respond
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
!
interface FastEthernet0/0
 ip address 172.16.1.241 255.255.255.0
 duplex auto
 speed auto
 crypto map ClientMap
!
ip local pool Remote-Pool 10.0.1.100 10.0.1.150
ip http server
no ip http secure-server
!
ip radius source-interface FastEthernet0/0
!
radius-server host 172.16.1.243 auth-port 1645 acct-port 1646 key xxxxxx
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login authentication AUTH
!
end

When I dial using the Cisco Easy VPN Client, I get a debug error of:

%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 172.16.1.242 was not encrypted and it should've been.

I have searched on Google and thought that the problem would have been with the Group ID and password.

In my case the Group ID is AAA and the password is vpnuser.

But I still can't VPN into the router.

I think it is a problem associated with AAA, because in books I have read and seen configurations of EzVPN using the local database, and here I am authenticating them with IAS. But it should work fine, as I am able to telnet into the router using my Active Directory/IAS account, i.e. Administrator@radius.net

Please help

Accepted Solutions

Ivan Martinon
Level 7

Change this line:

aaa authorization network AUTH group radius

to be

aaa authorization network AUTH local
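
A configuration check for the change in the answer above, as an added example that is not part of the original thread and not Cisco tooling. It relies on the fact that the crypto map's isakmp authorization list names the AAA network authorization list used to look up the Easy VPN group, so a group defined on the router with crypto isakmp client configuration group needs local among that list's methods. The function name and the sample text (constructed from the posted configuration) are assumptions.

```python
import re

# Constructed sample: the relevant lines of the router configuration posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login AUTH group radius
aaa authorization network AUTH group radius
crypto isakmp client configuration group AAA
 key vpnuser
 pool Remote-Pool
crypto map ClientMap client authentication list AUTH
crypto map ClientMap isakmp authorization list AUTH
"""

def check_ezvpn_group_lookup(config):
    """Return findings where a group defined on the router cannot be resolved
    because the ISAKMP authorization list has no 'local' method (hypothetical helper)."""
    net_lists = {}      # 'aaa authorization network' list name -> method keywords
    local_groups = []   # groups from 'crypto isakmp client configuration group'
    isakmp_lists = []   # (crypto map name, authorization list name)
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa authorization network (\S+) (.+)", line):
            net_lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto isakmp client configuration group (\S+)", line):
            local_groups.append(m.group(1))
        elif m := re.match(r"crypto map (\S+) isakmp authorization list (\S+)", line):
            isakmp_lists.append((m.group(1), m.group(2)))
    findings = []
    for cmap, name in isakmp_lists:
        methods = net_lists.get(name)
        if methods is None:
            findings.append(f"crypto map {cmap}: network authorization list {name} is not defined")
        elif local_groups and "local" not in methods:
            findings.append(f"crypto map {cmap}: list {name} uses '{' '.join(methods)}' but "
                            f"group(s) {', '.join(local_groups)} are defined on the router")
    return findings

if __name__ == "__main__":
    fixed = SAMPLE_CONFIG.replace("aaa authorization network AUTH group radius",
                                  "aaa authorization network AUTH local")
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", fixed)):
        print(label, check_ezvpn_group_lookup(cfg) or "ok")
```

The client authentication list (user Xauth) is not checked here; in the posted configuration it stays on RADIUS, and only the group lookup moves to the router.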


I was working on this with no success and you helped me a lot... Thanks for your help.
