ipsec vpn cisco asa and acs 5.1

ngo duyen, Level 1

We have configured IPsec VPN on a Cisco ASA with authentication by ACS 5.1.

Here is the config on the Cisco ASA 5580:

    access-list acltest standard permit 10.10.30.0 255.255.255.0

    aaa-server Gserver protocol radius
    aaa-server Gserver (inside) host 10.1.8.10
     key cisco
    aaa-server Gserver (inside) host 10.1.8.11
     key cisco

    group-policy gpTest internal
    group-policy gpTest attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value acltest

    tunnel-group test type remote-access
    tunnel-group test general-attributes
     address-pool localpool
     default-group-policy gpTest
     authentication-server-group Gserver LOCAL
     authorization-server-group Gserver
     accounting-server-group Gserver
    tunnel-group test ipsec-attributes
     pre-shared-key cisco123

In the ACS, we configured a user group, "VPN users"; all VPN users are in that group. ACS has an access policy: if the user is in group "VPN users", ACS permits access.

When we connect from a VPN Client to the server, all users connect successfully. But when we look at the Monitoring log in ACS, each successful user connection also gets the error:

22040 Wrong password or invalid shared secret

(please see the attached picture)

The system still works, but I don't know why we get the error log.

Thanks for any help you can provide!

Duyen


5 Replies

jonmarso_07, Level 1

Friend, have you configured the same shared secret on both devices?

Thanks Jonatas,

But the client connects successfully to the VPN server, so I think a key mismatch doesn't happen here.

Have you got any idea to help me?

Thanks

(Accepted Solution)

Hello Duyen,

I think I have narrowed the issue. When authenticating VPN Remote Access using RADIUS we need to keep in mind that the Authentication and Authorization are included on the same packet.

As per your configuration, the ACS is defined as a RADIUS server (aaa-server Gserver protocol radius) and the Tunnel Group for VPN is getting authenticated and "authorized" against that server:

authentication-server-group Gserver LOCAL

authorization-server-group Gserver

As stated above, the RADIUS request/response includes Authentication and Authorization on the same packet. This seems to be a misconfiguration issue as we should not be configuring the "authorization" under the Tunnel Group.

Please remove the authorization under the Tunnel Group:

no authorization-server-group Gserver

Please test the connection again and verify the ACS logs. At this point there should only be one successful log reported on the ACS side.

The "authorization-server-group" is meant for LDAP authorization when authenticating against an LDAP server as well in order to retrieve the authorization attributes from the server. RADIUS does not need the command as explained above.

Hope this helps.

Regards.
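The misconfiguration the accepted answer describes is easy to audit for across many tunnel-groups. The script below is an added example, not code from the original post or from Cisco: it parses the relevant ASA commands, flags any tunnel-group whose authorization-server-group names an aaa-server group defined with protocol radius, and emits the config with those lines dropped (the effect of the "no authorization-server-group Gserver" the answer recommends). The sample input is the poster's config trimmed to the relevant lines, plus a hypothetical LDAP group "Lserver" added purely to show that LDAP-backed authorization is not flagged. The parsing is deliberately line-oriented and only covers the commands it needs.

```python
"""Lint an ASA running-config for RADIUS-backed authorization-server-group.

Added example (not from the original post or from Cisco). Parsing is
line-oriented and covers only the aaa-server / tunnel-group commands used
in the thread.
"""
import re

# Constructed sample: the poster's config trimmed to the relevant lines,
# plus a hypothetical LDAP aaa-server group "Lserver" for contrast.
POSTED_CONFIG = """\
aaa-server Gserver protocol radius
aaa-server Gserver (inside) host 10.1.8.10
 key cisco
aaa-server Gserver (inside) host 10.1.8.11
 key cisco
aaa-server Lserver protocol ldap
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool localpool
 default-group-policy gpTest
 authentication-server-group Gserver LOCAL
 authorization-server-group Gserver
 accounting-server-group Gserver
tunnel-group test ipsec-attributes
 pre-shared-key cisco123
"""

AAA_PROTO_RE = re.compile(r"^\s*aaa-server\s+(\S+)\s+protocol\s+(\S+)\s*$")
TG_HEADER_RE = re.compile(r"^\s*tunnel-group\s+(\S+)\s+general-attributes\s*$")
TG_OTHER_RE = re.compile(r"^\s*tunnel-group\s+")
# Optional "(interface)" before the group name, as the ASA CLI allows.
AUTHZ_RE = re.compile(r"^\s*authorization-server-group\s+(?:\(\S+\)\s+)?(\S+)")


def parse_aaa_protocols(config):
    """Map aaa-server group name -> protocol (e.g. 'radius', 'ldap')."""
    protocols = {}
    for line in config.splitlines():
        m = AAA_PROTO_RE.match(line)
        if m:
            protocols[m.group(1)] = m.group(2).lower()
    return protocols


def _block_state(line, current):
    """Track which 'tunnel-group X general-attributes' block we are in.

    The block ends at the next tunnel-group command or any other top-level
    (non-indented) line.
    """
    m = TG_HEADER_RE.match(line)
    if m:
        return m.group(1)
    if TG_OTHER_RE.match(line) or (line and not line[0].isspace()):
        return None
    return current


def parse_tunnel_group_authz(config):
    """Map tunnel-group name -> authorization-server-group it references."""
    authz, current = {}, None
    for line in config.splitlines():
        current = _block_state(line, current)
        if current is None:
            continue
        m = AUTHZ_RE.match(line)
        if m:
            authz[current] = m.group(1)
    return authz


def find_radius_authz_misconfigs(config):
    """Return [(tunnel_group, server_group)] where authorization-server-group
    names a RADIUS aaa-server group. With RADIUS the Access-Accept already
    carries the authorization attributes, so this extra lookup is redundant
    and shows up as a second, failing request on the server side."""
    protocols = parse_aaa_protocols(config)
    return [
        (tg, group)
        for tg, group in sorted(parse_tunnel_group_authz(config).items())
        if protocols.get(group) == "radius"
    ]


def fix_config(config):
    """Return the config with the offending authorization-server-group lines
    removed, i.e. the effect of 'no authorization-server-group <group>'."""
    bad = {tg for tg, _ in find_radius_authz_misconfigs(config)}
    out, current = [], None
    for line in config.splitlines():
        current = _block_state(line, current)
        if current in bad and AUTHZ_RE.match(line):
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for tg, group in find_radius_authz_misconfigs(POSTED_CONFIG):
        print(f"tunnel-group {tg}: authorization-server-group {group} "
              f"is RADIUS; remove it")
    print(fix_config(POSTED_CONFIG))
```

Run it against a full "show running-config" to list every affected tunnel-group before touching the box; an authorization-server-group pointing at an LDAP group is left alone, which matches the answer's description of where that command is meant to be used. Note that the shared secret "cisco" and pre-shared key "cisco123" in the posted config are clearly placeholders and should not be used as-is in production.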

Thanks, it works.
