IPSec VPN w/ IOS using MS IAS RADIUS

cooperben
Level 1

Using a 3825 router to set up incoming VPN connection using the Cisco VPN client. I would like group auth to be done on the router, and user auth using radius, in this case an IAS server.

The problem is that the router is sending groupauth to the IAS server, which of course denies it. So, communication between the router and IAS server is fine, it's just what is being sent.

Our group name is remote, and it sends domain\remote as the username to the IAS server. Key exchange needs to be handled by the router, and then when the user enters their domain user/pass, it's sent to the IAS server.

Below is the relevant config. I feel like I am close, but am missing something obvious. Thanks in advance for taking a look and/or referring me to relevant config references.

aaa new-model
aaa group server radius VPNAccess
 server 1.2.3.4 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authorization network groupauthor group VPNAccess

crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2

crypto isakmp client configuration group remote
 key ******
 dns 5.6.7.8 9.10.11.12
 pool remote-pool
 acl 1234

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto dynamic-map dyna 10
 set transform-set strong

crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic dyna


Collin Clark
VIP Alumni

Looks like your authentication and authorization are backwards:

aaa authentication login default local
aaa authorization network groupauthor group VPNAccess

aaa authentication login VPNAccess local
aaa authorization network groupauthor local

Will that allow login to the router itself to still be handled through local? I would prefer not to have to use radius to auth me when I SSH to the router.

After attempting these changes, VPN login is allowed without any interaction with the radius server at all.

cooperben
Level 1

OK, figured it out.

For the record, here is the correct config:

aaa authentication login userauthen group radius local
aaa authorization network groupauthor local

crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2

crypto isakmp client configuration group remote
 key ******
 dns 5.6.7.8 9.10.11.12
 pool remote-pool
 acl 1234

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto dynamic-map dyna 10
 set transform-set strong

crypto map MYMAP client authentication list userauthen
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic dyna
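A small lint of the AAA split this thread arrives at, added here as an example and not taken from the thread or from Cisco: it reads the AAA and crypto map lines and flags the two failure modes seen above, ISAKMP group authorization pointed at a RADIUS server group (the group name gets sent to IAS), or no XAUTH list bound to the crypto map (users connect on the group key with no RADIUS involvement). The sample configs are reconstructed from the posts; the function name and finding texts are assumptions of mine.

```python
import re

# Constructed samples: the AAA and crypto map lines from the thread's original
# (broken) config and from the posted fix, trimmed to what the audit inspects.
BROKEN_CFG = """\
aaa group server radius VPNAccess
 server 1.2.3.4 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authorization network groupauthor group VPNAccess
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP 10 ipsec-isakmp dynamic dyna
"""

FIXED_CFG = """\
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
crypto map MYMAP client authentication list userauthen
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP 10 ipsec-isakmp dynamic dyna
"""

def audit_ezvpn_aaa(cfg, crypto_map):
    """Group (ISAKMP) authorization must resolve locally; XAUTH login must reach RADIUS."""
    lines = [line.strip() for line in cfg.splitlines()]
    def first_match(pattern):
        return next((m for m in (re.match(pattern, l) for l in lines) if m), None)

    findings = []
    xauth = first_match(rf"crypto map {crypto_map} client authentication list (\S+)")
    if not xauth:
        findings.append("no 'client authentication list' on crypto map: XAUTH is "
                        "not enforced, clients connect with only the group key")
    else:
        login = first_match(rf"aaa authentication login {xauth.group(1)} (.+)")
        if not login:
            findings.append(f"login list '{xauth.group(1)}' is not defined")
        elif "group" not in login.group(1).split():
            findings.append(f"login list '{xauth.group(1)}' never consults RADIUS")
    grp = first_match(rf"crypto map {crypto_map} isakmp authorization list (\S+)")
    if not grp:
        findings.append("no 'isakmp authorization list' on crypto map")
    else:
        authz = first_match(rf"aaa authorization network {grp.group(1)} (.+)")
        if not authz:
            findings.append(f"authorization list '{grp.group(1)}' is not defined")
        elif "group" in authz.group(1).split():
            findings.append(f"authorization list '{grp.group(1)}' points at a server "
                            "group: the group name itself will be sent to RADIUS")
    return findings
```

Running it on the intermediate state from the reply above (authorization switched to local, but still no `client authentication list`) yields only the XAUTH finding, which matches the observation that VPN login then succeeded without touching the RADIUS server.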

Thanks for posting the corrected config.
