Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5825
Views
0
Helpful
5
Replies

Xauth with Remote access VPN

wasiimcisco
Level 1
Level 1

‎12-09-2009 08:20 AM

I have cisco 3845 with version 12.3(11r)T2. I am trying to configure it for remote access vpn Xauth.

Follwoing is my configuration

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa accounting network default start-stop group tacacs+


ip local pool aviation-pool 172.23.13.1 172.23.13.100


crypto isakmp policy 10
authentication pre-share
group 2
has md5

crypto isakmp client configuration address-pool local aviation-pool
crypto isakmp client configuration group NON-RETAIL-VPN
key xxxx
pool aviation-pool

crypto ipsec transform-set myset esp-3des esp-mds-hmac
crypto dynamic-map dynmap 1
set transform-set myset

crypto map aviation-map client authentication list default
crypto map aviation-map client configuration address-response

crypto map aviation-map 1 ipsec-isakmp dynamic dynmap

interface Serial2/3

crypto map aviation-map


I have created VPN GROUP NON-RETAIL-VPN in AAA. Router is configured for AAA server. I am logging to the Router

through the username configured in AAA.

But when i try to connect remote user they are getting error connection terminated locally by client reason 412.


Labels:
0 Helpful
5 Replies 5

Ricardo Prado Rueda
Cisco Employee
Cisco Employee

‎12-09-2009 09:41 AM

Hi,

   Before the router can authenticate the user the VPN Remote Access connection needs to be authorized. You are missing the AAA authorization config on your router. Check the following link:

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml

   You are basically missing something like this:

aaa authorization network groupauthor local
crypto map aviation-map isakmp authorization list groupauthor

   Regards,

Rick.

0 Helpful

wasiimcisco
Level 1
Level 1
In response to Ricardo Prado Rueda

‎12-09-2009 09:55 AM

I have even checked with this thing also but still the problem is there, same message is coming

aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa authorization network NON-RETAIL-VPN local
aaa accounting network default start-stop group tacacs+

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2 
crypto isakmp client configuration address-pool local aviation-pool
!        
crypto isakmp client configuration group NON-RETAIL-VPN
key xxxx

pool aviation-pool
!        
!        
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!        
crypto dynamic-map dynmap 1
set transform-set myset
!        
!        
crypto map aviation-map client authentication list default
crypto map aviation-map isakmp authorization list NON-RETAIL-VPN
crypto map aviation-map client configuration address respond
crypto map aviation-map 1 ipsec-isakmp dynamic dynmap
!       

Please help me out, I have even reconfigure the vpn configuration. but still no luck.

0 Helpful

Ricardo Prado Rueda
Cisco Employee
Cisco Employee
In response to wasiimcisco

‎12-11-2009 09:05 AM

Hi,

   So you're still receiving the same error on the VPN Client? I guess we will have to run debugs to find out what is happening with the negotiation. Try gathering these:

debug crypto isakmp

debug crypto ipsec

debug aaa authentication

debug aaa authorization

Rick.

0 Helpful

wasiimcisco
Level 1
Level 1
In response to Ricardo Prado Rueda

‎12-11-2009 02:34 PM

IT is working now but with the following configuratoin

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2 
!        
crypto isakmp client configuration group Aviation-VPN
key egntosc
pool aviation-pool
acl avi-tunnel
save-password
netmask 255.255.255.0
crypto isakmp profile vpnclient
   match identity group Aviation-VPN
   client authentication list default
   isakmp authorization list Aviation-authorization
   client configuration address respond
!        
!        
crypto ipsec transform-set aviset esp-3des esp-sha-hmac
!        
crypto dynamic-map avi 10
set transform-set aviset
set isakmp-profile vpnclient
reverse-route

my vpn group and VPN POOL  is locally created in Cisco VPN router but users are authenticated through ACS, AAA server. Now I want to assign the static ip address to VPN Client. Everything is fine but due to the application problem I want to give them the static Ip address from the VPN Pool. I have greated one pool in AAA server and also configure the client in AAA to get the static ip address but unable to do this. Please help me out how to do this.

0 Helpful

Ricardo Prado Rueda
Cisco Employee
Cisco Employee
In response to wasiimcisco

‎12-11-2009 06:09 PM

Hi,

   Unfortunately you cannot assign a static IP address to a VPN client throug TACACS. You would need to use Radius.

Rick.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents