Unable to configure IPSec clients authentication with RADIUS

Answered Question
Mar 22nd, 2010

Hello,


I configured IPSec VPN server for remote clients on Cisco 2811 with XAuth (see attached cisco vpn configuration). At first I configured clients extended authentication (Xauth) using local IOS users database and it worked ok, but then I tried to configure clients authentication via FreeRADIUS and got authentication errors (see a part of attached freeradius log): in fact, instead of client's username/password sent via Xauth, Cisco sends a VPN-Group/pre-shared key combination to FreeRADIUS. Obviously FreeRADIUS can't find such username/password in its database and replies with an error. Is it possible somehow to reconfigure Cisco in such a way that it would send username/password instead of VPN-Group/Pre-shared key, or to reconfigure FreeRADIUS so that it would interpret VPN-Group/Pre-shared key parameters?

Correct Answer by Jennifer Halim (Cisco Employee), Mon, 03/22/2010 - 22:59

Xauth to the radius server should not really be sending the group name and password towards the radius. Xauth should send the username and password when the user authenticates.


1) You can try to authenticate to the radius server from the router itself, using the "test aaa" command --> check if the authentication works.


2) When you are connecting with the vpn client, did you get prompted for username and password, and what did you enter?

laotalax579 Wed, 03/24/2010 - 23:57

Hello,


I tested FreeRADIUS authentication with "test aaa" command as you suggested and it worked ok. Then I changed the Cisco AAA network authorization to local: "aaa authorization network vpnauth local" and it could normally authenticate with RADIUS (Cisco sent username/password and not VPN-group/pre-shared key parameters). Thanks a lot!

tf2-conky Mon, 03/29/2010 - 15:02

Very timely thread. I was having the exact same issue with RADIUS (FreeRADIUS) trying to auth IKE, when I only wanted user authentication by RADIUS.

I've applied the changes suggested, and it's fixed my problem also. Thanks =)

## OLD

aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group group radius local

## NEW

aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group local

Would you mind posting what RADIUS attributes you've set?
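To make the distinction behind the fix concrete, here is an added Python check (not code from the thread, from Cisco, or from FreeRADIUS) that classifies IOS AAA method lists by which exchange they serve: an "authentication login" list carries the Xauth username/password, while an "authorization network" list is what the router consults for the ISAKMP client group, so an external server there is what produced the group-credential requests the original poster saw in the FreeRADIUS log. The sample configs are the OLD/NEW lines quoted above; the verdict strings and function names are this script's own.

```python
import re

# Constructed sample configs: the OLD and NEW AAA lines quoted in this thread.
OLD_CONFIG = """\
aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group group radius local
"""
NEW_CONFIG = """\
aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group local
"""

# aaa <kind> <list-name> <method chain>
AAA_RE = re.compile(r"^aaa (authentication login|authorization network) (\S+) (.+)$")

def external_groups(method_tokens):
    """Server groups named in the method chain ('group radius', 'group tacacs+'
    or 'group <custom-name>'); 'local', 'none' etc. are not external."""
    return [method_tokens[i + 1]
            for i, tok in enumerate(method_tokens[:-1]) if tok == "group"]

def audit_aaa(config):
    """Map each AAA method list to a verdict string.

    'authentication login' lists carry the Xauth username/password, so an
    external server there is the intended setup.  'authorization network'
    lists are consulted for the ISAKMP client group policy; an external
    server there makes the router query it with the group's credentials
    rather than the user's, which is the rejection seen in the thread.
    """
    verdicts = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        kind, name, methods = m.groups()
        groups = external_groups(methods.split())
        prefix = "group-policy" if kind == "authorization network" else "xauth"
        verdicts[name] = prefix + ("-via:" + ",".join(groups) if groups else "-local")
    return verdicts

def group_lookup_offloaded(config):
    """True if any 'aaa authorization network' list consults an external server."""
    return any(v.startswith("group-policy-via:") for v in audit_aaa(config).values())

if __name__ == "__main__":
    for label, cfg in (("OLD", OLD_CONFIG), ("NEW", NEW_CONFIG)):
        print(label, audit_aaa(cfg), "group lookup offloaded" if group_lookup_offloaded(cfg) else "group lookup local")
```

Run it against a full `show running-config` dump to spot the same mismatch on other routers: the Xauth list should show `xauth-via:<server-group>` while the network-authorization list should show `group-policy-local` unless the RADIUS server really holds the group definitions.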