Xauth with Remote access VPN

Unanswered Question
Dec 9th, 2009

I have cisco 3845 with version 12.3(11r)T2. I am trying to configure it for remote access vpn Xauth.

Follwoing is my configuration

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa accounting network default start-stop group tacacs+


ip local pool aviation-pool 172.23.13.1 172.23.13.100


crypto isakmp policy 10
authentication pre-share
group 2
has md5

crypto isakmp client configuration address-pool local aviation-pool
crypto isakmp client configuration group NON-RETAIL-VPN
key xxxx
pool aviation-pool

crypto ipsec transform-set myset esp-3des esp-mds-hmac
crypto dynamic-map dynmap 1
set transform-set myset

crypto map aviation-map client authentication list default
crypto map aviation-map client configuration address-response

crypto map aviation-map 1 ipsec-isakmp dynamic dynmap

interface Serial2/3

crypto map aviation-map


I have created VPN GROUP NON-RETAIL-VPN in AAA. Router is configured for AAA server. I am logging to the Router

through the username configured in AAA.

But when i try to connect remote user they are getting error connection terminated locally by client reason 412.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Ricardo Prado Wed, 12/09/2009 - 09:41

Hi,

   Before the router can authenticate the user the VPN Remote Access connection needs to be authorized. You are missing the AAA authorization config on your router. Check the following link:

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml

   You are basically missing something like this:

aaa authorization network groupauthor local
crypto map aviation-map isakmp authorization list groupauthor

   Regards,

Rick.

wasiimcisco Wed, 12/09/2009 - 09:55

I have even checked with this thing also but still the problem is there, same message is coming

aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa authorization network NON-RETAIL-VPN local
aaa accounting network default start-stop group tacacs+

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2 
crypto isakmp client configuration address-pool local aviation-pool
!        
crypto isakmp client configuration group NON-RETAIL-VPN
key xxxx

pool aviation-pool
!        
!        
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!        
crypto dynamic-map dynmap 1
set transform-set myset
!        
!        
crypto map aviation-map client authentication list default
crypto map aviation-map isakmp authorization list NON-RETAIL-VPN
crypto map aviation-map client configuration address respond
crypto map aviation-map 1 ipsec-isakmp dynamic dynmap
!       

Please help me out, I have even reconfigure the vpn configuration. but still no luck.

Ricardo Prado Fri, 12/11/2009 - 09:05

Hi,

   So you're still receiving the same error on the VPN Client? I guess we will have to run debugs to find out what is happening with the negotiation. Try gathering these:

debug crypto isakmp

debug crypto ipsec

debug aaa authentication

debug aaa authorization

Rick.

wasiimcisco Fri, 12/11/2009 - 14:34

IT is working now but with the following configuratoin

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2 
!        
crypto isakmp client configuration group Aviation-VPN
key egntosc
pool aviation-pool
acl avi-tunnel
save-password
netmask 255.255.255.0
crypto isakmp profile vpnclient
   match identity group Aviation-VPN
   client authentication list default
   isakmp authorization list Aviation-authorization
   client configuration address respond
!        
!        
crypto ipsec transform-set aviset esp-3des esp-sha-hmac
!        
crypto dynamic-map avi 10
set transform-set aviset
set isakmp-profile vpnclient
reverse-route

my vpn group and VPN POOL  is locally created in Cisco VPN router but users are authenticated through ACS, AAA server. Now I want to assign the static ip address to VPN Client. Everything is fine but due to the application problem I want to give them the static Ip address from the VPN Pool. I have greated one pool in AAA server and also configure the client in AAA to get the static ip address but unable to do this. Please help me out how to do this.

Ricardo Prado Fri, 12/11/2009 - 18:09

Hi,

   Unfortunately you cannot assign a static IP address to a VPN client throug TACACS. You would need to use Radius.

Rick.

Actions

Login or Register to take actions

This Discussion

Posted December 9, 2009 at 8:20 AM
Stats:
Replies:5 Avg. Rating:
Views:3371 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard