AAA sending group name as user name

ray
Level 1

We're provisioning a 2821 with IOS 15.1(4)M5 ADVSECURITYK9 for Easy VPN/classic client access. Everything works fine with local authentication.

When we switch to radius authentication, the router sends the group name to the radius server instead of prompting the client for a username/password. I can see the transaction complete in both Windows event logs and IOS debug. How do I force the client to prompt for user credentials as it does when local authentication is specified instead of using group information in the radius transaction?

I'm a firewall guy and have done this hundreds of times with PIX/ASA configs and never seen a similar issue switching to radius for authentication.

radius debug:

*Jul  1 19:20:57.509: RADIUS/ENCODE(0000007E):Orig. component type = VPN IPSEC

*Jul  1 19:20:57.509: RADIUS:  AAA Unsupported Attr: interface         [210] 13 

*Jul  1 19:20:57.509: RADIUS:   31 39 32 2E 31 36 38 2E 31 36 38       [ 192.168.168]

*Jul  1 19:20:57.509: RADIUS(0000007E): Config NAS IP: 0.0.0.0

*Jul  1 19:20:57.509: RADIUS(0000007E): Config NAS IPv6:

*Jul  1 19:20:57.509: RADIUS/ENCODE(0000007E): acct_session_id: 93

*Jul  1 19:20:57.509: RADIUS(0000007E): sending

*Jul  1 19:20:57.509: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.50

*Jul  1 19:20:57.509: RADIUS(0000007E): Send Access-Request to 192.168.1.50:1645 id 1645/22, len 110

*Jul  1 19:20:57.509: RADIUS:  authenticator 72 23 FE 6B 78 D0 90 B9 - B2 A2 8C A9 32 E8 95 7E

*Jul  1 19:20:57.509: RADIUS:  User-Name           [1]   13  "vpn_admin"

*Jul  1 19:20:57.509: RADIUS:  User-Password       [2]   18  *

*Jul  1 19:20:57.509: RADIUS:  Calling-Station-Id  [31]  14  "x.x.x.x"

*Jul  1 19:20:57.509: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]

*Jul  1 19:20:57.509: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]

*Jul  1 19:20:57.509: RADIUS:  NAS-Port            [5]   6   1                        

*Jul  1 19:20:57.509: RADIUS:  NAS-Port-Id         [87]  15  "192.168.168.1"

*Jul  1 19:20:57.509: RADIUS:  Service-Type        [6]   6   Outbound                  [5]

*Jul  1 19:20:57.513: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.1              

*Jul  1 19:20:57.513: RADIUS(0000007E): Sending a IPv4 Radius Packet

*Jul  1 19:20:57.513: RADIUS(0000007E): Started 5 sec timeout

*Jul  1 19:20:57.529: RADIUS: Received from id 1645/22 192.168.1.50:1645, Access-Reject, len 20

*Jul  1 19:20:57.529: RADIUS:  authenticator C0 F7 22 93 F4 D2 61 12 - 4F 9D E8 2B A8 24 48 31

*Jul  1 19:20:57.529: RADIUS(0000007E): Received from id 1645/22

*Jul  1 19:20:57.585: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x was not encrypted and it should've been.

Windows Event Log:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID:                     NULL SID
    Account Name:                    vpn_admin
    Account Domain:                  DOMAIN
    Fully Qualified Account Name:    DOMAIN\vpn_admin

Client Machine:
    Security ID:                     NULL SID
    Account Name:                    -
    Fully Qualified Account Name:    -
    OS-Version:                      -
    Called Station Identifier:       -
    Calling Station Identifier:      x.x.x.x

NAS:
    NAS IPv4 Address:                192.168.1.1
    NAS IPv6 Address:                -
    NAS Identifier:                  -
    NAS Port-Type:                   Virtual
    NAS Port:                        1

RADIUS Client:
    Client Friendly Name:            admin_router
    Client IP Address:               192.168.1.1

Authentication Details:
    Connection Request Policy Name:  Client VPN
    Network Policy Name:             -
    Authentication Provider:         Windows
    Authentication Server:           admin-server.HTMUA.com
    Authentication Type:             PAP
    EAP Type:                        -
    Account Session Identifier:      -
    Logging Results:                 Accounting information was written to the local log file.
    Reason Code:                     16
    Reason:                          Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Relevant router config:

aaa new-model
!
aaa authentication login default group radius
aaa authentication login aaa-authent-vpn local
aaa authentication login aaa-authent-radius-vpn group radius
aaa authorization network aaa-author-vpn local
aaa authorization network aaa-author-radius-vpn group radius
!
crypto isakmp client configuration group vpn_admin
 key ****
 domain domain.local
 pool adminvpn
 acl operations_network
!
crypto isakmp profile vpn_admin_profile
   match identity group vpn_admin
   client authentication list aaa-authent-radius-vpn
   isakmp authorization list aaa-author-radius-vpn
   client configuration address respond
   client configuration group vpn_admin
   virtual-template 2
!
crypto ipsec transform-set vpnclient esp-3des esp-sha-hmac
!
crypto ipsec profile vpn-client-profile-admin
 set transform-set vpnclient
 set isakmp-profile vpn_admin_profile
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn-client-profile-admin
!
ip local pool adminvpn 192.168.101.1 192.168.101.250
!
ip access-list extended operations_network
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
radius-server host 192.168.1.50 key ****

10 Replies

ray
Level 1

One addition:

RADIUS authentication works perfectly for command line login.

*Jul  1 20:25:39.833: RADIUS/ENCODE(00000080): ask "Password: "

*Jul  1 20:25:39.833: RADIUS/ENCODE(00000080): send packet; GET_PASSWORD

*Jul  1 20:25:43.093: RADIUS/ENCODE(00000080):Orig. component type = Exec

*Jul  1 20:25:43.093: RADIUS:  AAA Unsupported Attr: interface         [210] 6  

*Jul  1 20:25:43.093: RADIUS:   74 74 79 35              [ tty5]

*Jul  1 20:25:43.093: RADIUS/ENCODE(00000080): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

*Jul  1 20:25:43.093: RADIUS(00000080): Config NAS IP: 0.0.0.0

*Jul  1 20:25:43.093: RADIUS(00000080): Config NAS IPv6:

*Jul  1 20:25:43.093: RADIUS/ENCODE(00000080): acct_session_id: 95

*Jul  1 20:25:43.093: RADIUS(00000080): sending

*Jul  1 20:25:43.093: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.50

*Jul  1 20:25:43.093: RADIUS(00000080): Send Access-Request to 192.168.1.50:1645 id 1645/26, len 70

*Jul  1 20:25:43.093: RADIUS:  authenticator D5 50 F6 21 F4 31 22 E1 - 51 53 62 9B 78 3E 5D 60

*Jul  1 20:25:43.093: RADIUS:  User-Name           [1]   6   "ray"

*Jul  1 20:25:43.097: RADIUS:  User-Password       [2]   18  *

*Jul  1 20:25:43.097: RADIUS:  NAS-Port            [5]   6   515                      

*Jul  1 20:25:43.097: RADIUS:  NAS-Port-Id         [87]  8   "tty515"

*Jul  1 20:25:43.097: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]

*Jul  1 20:25:43.097: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.1              

*Jul  1 20:25:43.097: RADIUS(00000080): Sending a IPv4 Radius Packet

*Jul  1 20:25:43.097: RADIUS(00000080): Started 5 sec timeout

*Jul  1 20:25:43.105: RADIUS: Received from id 1645/26 192.168.1.50:1645, Access-Accept, len 102

*Jul  1 20:25:43.105: RADIUS:  authenticator 39 2F 0C 7E D1 5A F3 A0 - B1 42 6F BE 66 24 B6 F2

*Jul  1 20:25:43.105: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]

*Jul  1 20:25:43.105: RADIUS:  Service-Type        [6]   6   Framed                    [2]

*Jul  1 20:25:43.105: RADIUS:  Class               [25]  46 

*Jul  1 20:25:43.105: RADIUS:   6B 35 05 EE 00 00 01 37 00 01 02 00 C0 A8 01 32 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 76 75 CE 16 DB 84 00 00 00 00 00 00 00 1A            [ k572vu]

*Jul  1 20:25:43.105: RADIUS:  Vendor, Microsoft   [26]  12 

*Jul  1 20:25:43.105: RADIUS:   MS-Link-Util-Thresh[14]  6  

*Jul  1 20:25:43.105: RADIUS:   00 00 00 32                 [ 2]

*Jul  1 20:25:43.105: RADIUS:  Vendor, Microsoft   [26]  12 

*Jul  1 20:25:43.105: RADIUS:   MS-Link-Drop-Time-L[15]  6  

*Jul  1 20:25:43.105: RADIUS:   00 00 00 78                 [ x]

*Jul  1 20:25:43.105: RADIUS(00000080): Received from id 1645/26

*Jul  1 20:25:43.105: RADIUS: Constructed " ppp negotiate"

mmangat
Level 1

Hello,

Use the aaa authentication login command with the group group-name method to specify a subset of RADIUS or TACACS+ servers to use as the login authentication method. To specify and define the group name and the members of the group, use the aaa group server command. For example, use the aaa group server command to first define the members of group loginrad:

aaa group server radius loginrad
 server 172.16.2.3
 server 172.16.2.17
 server 172.16.2.32

This command specifies RADIUS servers 172.16.2.3, 172.16.2.17, and 172.16.2.32 as members of the group loginrad.

To specify group loginrad as the method of user authentication at login when no other method list has been defined, enter the following command:

aaa authentication login default group loginrad

Before you can use a group name as the login authentication method, you need to enable communication with the RADIUS or TACACS+ security server.

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfathen.html

I updated the configuration with the following and the behavior does not change. The VPN client still does not prompt for user credentials:

aaa group server radius radius-group
 server 192.168.1.50
!
aaa authentication login default group radius-group
aaa authentication login aaa-authent-vpn local
aaa authentication login aaa-authent-radius-vpn group radius-group
aaa authorization network aaa-author-vpn local
aaa authorization network aaa-author-radius-vpn group radius-group

Debug shows the router is still sending the group name:

*Jul  2 15:14:52.096: RADIUS/ENCODE(00000092):Orig. component type = VPN IPSEC

*Jul  2 15:14:52.096: RADIUS:  AAA Unsupported Attr: interface         [210] 13 

*Jul  2 15:14:52.096: RADIUS:   31 39 32 2E 31 36 38 2E 31 36 38       [ 192.168.168]

*Jul  2 15:14:52.096: RADIUS(00000092): Config NAS IP: 0.0.0.0

*Jul  2 15:14:52.096: RADIUS(00000092): Config NAS IPv6:

*Jul  2 15:14:52.096: RADIUS/ENCODE(00000092): acct_session_id: 113

*Jul  2 15:14:52.096: RADIUS(00000092): sending

*Jul  2 15:14:52.096: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.50

*Jul  2 15:14:52.096: RADIUS(00000092): Send Access-Request to 192.168.1.50:1645 id 1645/36, len 110

*Jul  2 15:14:52.096: RADIUS:  authenticator 33 44 75 64 5F 29 68 3B - FD 9C 45 07 EB DF BD D1

*Jul  2 15:14:52.096: RADIUS:  User-Name           [1]   13  "vpn_admin"

*Jul  2 15:14:52.096: RADIUS:  User-Password       [2]   18  *

*Jul  2 15:14:52.096: RADIUS:  Calling-Station-Id  [31]  14  "x.x.x.x"

*Jul  2 15:14:52.100: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]

*Jul  2 15:14:52.100: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]

*Jul  2 15:14:52.100: RADIUS:  NAS-Port            [5]   6   1                        

*Jul  2 15:14:52.100: RADIUS:  NAS-Port-Id         [87]  15  "192.168.168.1"

*Jul  2 15:14:52.100: RADIUS:  Service-Type        [6]   6   Outbound                  [5]

*Jul  2 15:14:52.100: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.1              

*Jul  2 15:14:52.100: RADIUS(00000092): Sending a IPv4 Radius Packet

*Jul  2 15:14:52.100: RADIUS(00000092): Started 5 sec timeout

*Jul  2 15:14:52.124: RADIUS: Received from id 1645/36 192.168.1.50:1645, Access-Reject, len 20

*Jul  2 15:14:52.124: RADIUS:  authenticator D5 FF 76 4A 66 79 C5 EB - 16 9B 1B 32 57 88 50 AE

Ray,

Is it possible for you to remove "client configuration group vpn_admin" from the vpn_admin_profile and test again?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Removing the "client configuration group" line causes phase 1 negotiation to fail.

The group information is correct as the VPN client can connect when the authentication and authorization lines are changed back to reference local.

The abbreviated router debug follows:

*Jul  2 18:02:46.024: ISAKMP (0): received packet from x.x.x.x dport 500 sport 54555 Global (N) NEW SA

*Jul  2 18:02:46.024: ISAKMP: Created a peer struct for x.x.x.x, peer port 54555

*Jul  2 18:02:46.024: ISAKMP: New peer created peer = 0x48EBBDB8 peer_handle = 0x8000004C

*Jul  2 18:02:46.024: ISAKMP: Locking peer struct 0x48EBBDB8, refcount 1 for crypto_isakmp_process_block

*Jul  2 18:02:46.028: ISAKMP: local port 500, remote port 54555

*Jul  2 18:02:46.028: ISAKMP:(0):insert sa successfully sa = 49086238

*Jul  2 18:02:46.028: ISAKMP:(0): processing SA payload. message ID = 0

*Jul  2 18:02:46.028: ISAKMP:(0): processing ID payload. message ID = 0

*Jul  2 18:02:46.028: ISAKMP (0): ID payload

    next-payload : 13

    type         : 11

    group id     : vpn_admin

    protocol     : 17

    port         : 500

    length       : 19

*Jul  2 18:02:46.028: ISAKMP:(0):: peer matches vpn_admin_profile profile

*Jul  2 18:02:46.028: ISAKMP:(0):Setting client config settings 48B63CC4

*Jul  2 18:02:46.028: ISAKMP:(0):(Re)Setting client xauth list  and state

*Jul  2 18:02:46.028: ISAKMP/xauth: initializing AAA request

*Jul  2 18:02:46.028: ISAKMP AAA: NAS Port Id is set to 192.168.168.1

*Jul  2 18:02:46.028: ISAKMP:(0):AAA: Nas Port ID set to 192.168.168.1.

*Jul  2 18:02:46.028: ISAKMP/aaa: unique id = 153

*Jul  2 18:02:46.028: ISAKMP:(0): processing vendor id payload

*Jul  2 18:02:46.028: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

*Jul  2 18:02:46.028: ISAKMP:(0): vendor ID is XAUTH

*Jul  2 18:02:46.028: ISAKMP:(0): processing vendor id payload

*Jul  2 18:02:46.028: ISAKMP:(0): vendor ID is DPD

*Jul  2 18:02:46.028: ISAKMP:(0): processing vendor id payload

*Jul  2 18:02:46.028: ISAKMP:(0): processing IKE frag vendor id payload

*Jul  2 18:02:46.028: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Jul  2 18:02:46.028: ISAKMP:(0): processing vendor id payload

*Jul  2 18:02:46.028: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Jul  2 18:02:46.028: ISAKMP:(0): vendor ID is NAT-T v2

*Jul  2 18:02:46.028: ISAKMP:(0): processing vendor id payload

*Jul  2 18:02:46.028: ISAKMP:(0): vendor ID is Unity

*Jul  2 18:02:46.028: ISAKMP:(0): Authentication by xauth preshared

...

*Jul  2 18:02:46.032: ISAKMP:(0):Checking ISAKMP transform 9 against priority 30 policy

*Jul  2 18:02:46.032: ISAKMP:      encryption 3DES-CBC

*Jul  2 18:02:46.032: ISAKMP:      hash SHA

*Jul  2 18:02:46.032: ISAKMP:      default group 2

*Jul  2 18:02:46.032: ISAKMP:      auth XAUTHInitPreShared

*Jul  2 18:02:46.032: ISAKMP:      life type in seconds

*Jul  2 18:02:46.032: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Jul  2 18:02:46.032: ISAKMP:(0):atts are acceptable. Next payload is 3

...

*Jul  2 18:02:46.068: ISAKMP:(0):ISAKMP/tunnel: setting up tunnel vpn_admin pw request

*Jul  2 18:02:46.068: ISAKMP:(0):ISAKMP/tunnel: Tunnel vpn_admin PW Request successfully sent to AAA

*Jul  2 18:02:46.068: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

*Jul  2 18:02:46.068: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*Jul  2 18:02:46.068: RADIUS/ENCODE(00000099):Orig. component type = VPN IPSEC

*Jul  2 18:02:46.068: RADIUS:  AAA Unsupported Attr: interface         [210] 13 

*Jul  2 18:02:46.068: RADIUS:   31 39 32 2E 31 36 38 2E 31 36 38       [ 192.168.168]

*Jul  2 18:02:46.068: RADIUS(00000099): Config NAS IP: 0.0.0.0

*Jul  2 18:02:46.068: RADIUS(00000099): Config NAS IPv6:

*Jul  2 18:02:46.068: RADIUS/ENCODE(00000099): acct_session_id: 120

*Jul  2 18:02:46.068: RADIUS(00000099): sending

*Jul  2 18:02:46.068: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.50

*Jul  2 18:02:46.068: RADIUS(00000099): Send Access-Request to 192.168.1.50:1645 id 1645/41, len 110

*Jul  2 18:02:46.068: RADIUS:  authenticator 7B 4D 82 F7 17 B8 DD 21 - 3A EA AB C0 3C EC CC F3

*Jul  2 18:02:46.068: RADIUS:  User-Name           [1]   13  "vpn_admin"

*Jul  2 18:02:46.068: RADIUS:  User-Password       [2]   18  *

...

The client debug follows:

Cisco Systems VPN Client Version 5.0.07.0290

Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.1.7601 Service Pack 1

4662   13:50:49.368  07/02/13  Sev=Info/4    CM/0x63100002

Begin connection process

4663   13:50:49.415  07/02/13  Sev=Info/4    CM/0x63100004

Establish secure connection

4664   13:50:49.415  07/02/13  Sev=Info/4    CM/0x63100024

Attempt connection with server "x.x.x.x"

4665   13:50:49.425  07/02/13  Sev=Info/6    IKE/0x6300003B

Attempting to establish a connection with x.x.x.x.

4666   13:50:49.443  07/02/13  Sev=Info/4    IKE/0x63000001

Starting IKE Phase 1 Negotiation

4667   13:50:49.456  07/02/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x

4668   13:50:49.608  07/02/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = x.x.x.x

4669   13:50:49.608  07/02/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x

4670   13:50:49.608  07/02/13  Sev=Info/5    IKE/0x63000001

Peer is a Cisco-Unity compliant peer

4671   13:50:49.608  07/02/13  Sev=Info/5    IKE/0x63000001

Peer supports DPD

4672   13:50:49.608  07/02/13  Sev=Info/5    IKE/0x63000001

Peer supports DWR Code and DWR Text

4673   13:50:49.608  07/02/13  Sev=Info/5    IKE/0x63000001

Peer supports XAUTH

4674   13:50:49.608  07/02/13  Sev=Info/5    IKE/0x63000001

Peer supports NAT-T

4675   13:50:49.622  07/02/13  Sev=Warning/3    IKE/0xE3000057

The received HASH payload cannot be verified

4676   13:50:49.622  07/02/13  Sev=Warning/2    IKE/0xE300007E

Hash verification failed... may be configured with invalid group password.

4677   13:50:49.622  07/02/13  Sev=Warning/2    IKE/0xE300009B

Failed to authenticate peer (Navigator:915)

4678   13:50:49.622  07/02/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x

4679   13:50:49.622  07/02/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x

4680   13:50:49.622  07/02/13  Sev=Warning/2    IKE/0xE30000A7

Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

4681   13:50:49.622  07/02/13  Sev=Info/4    IKE/0x63000017

Marking IKE SA for deletion  (I_Cookie=E59FE4870EACCEA2 R_Cookie=FF0E635DD9F7AFC2) reason = DEL_REASON_IKE_NEG_FAILED

4682   13:50:49.622  07/02/13  Sev=Info/4    IPSEC/0x63700008

IPSec driver successfully started

4683   13:50:49.622  07/02/13  Sev=Info/4    IPSEC/0x63700014

Deleted all keys

4684   13:50:50.519  07/02/13  Sev=Info/4    IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=E59FE4870EACCEA2 R_Cookie=FF0E635DD9F7AFC2) reason = DEL_REASON_IKE_NEG_FAILED

4685   13:50:50.519  07/02/13  Sev=Info/4    CM/0x63100014

Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"

4686   13:50:50.519  07/02/13  Sev=Info/5    CM/0x63100025

Initializing CVPNDrv

4687   13:50:50.533  07/02/13  Sev=Info/6    CM/0x63100046

Set tunnel established flag in registry to 0.

4688   13:50:50.534  07/02/13  Sev=Info/4    IKE/0x63000001

IKE received signal to terminate VPN connection

4689   13:50:50.543  07/02/13  Sev=Info/4    IPSEC/0x63700014

Deleted all keys

4690   13:50:50.543  07/02/13  Sev=Info/4    IPSEC/0x63700014

Deleted all keys

4691   13:50:50.543  07/02/13  Sev=Info/4    IPSEC/0x63700014

Deleted all keys

4692   13:50:50.543  07/02/13  Sev=Info/4    IPSEC/0x6370000A

IPSec driver successfully stopped

Solved by TAC.

Since Microsoft NPS RADIUS does not support storage of the shared secret, I changed the isakmp authorization line to use local authentication:

crypto isakmp profile vpn_admin_profile
   match identity group vpn_admin
   client authentication list aaa-authent-radius-vpn
   isakmp authorization list aaa-author-vpn

My original configuration also had to be modified, as the VPN client does not accept a transform set using 3DES and SHA:

crypto ipsec transform-set vpnclient esp-aes esp-sha-hmac
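The debugs in this thread show two very different Access-Requests that look alike on the NPS side: the Easy VPN group authorization lookup (User-Name set to the ISAKMP group name, Service-Type Outbound, originating component "VPN IPSEC") and a real user login (component "Exec", User-Name "ray"). As an added example that is not code from the original posts or from Cisco, the Python below parses `debug radius` output in the format posted above, ties attribute lines to the Access-Request they belong to, and labels each request. The sample text is constructed from the excerpts in the thread; the classification rule and the set of group names are assumptions drawn from those excerpts, not from a Cisco specification.

```python
"""Classify Cisco IOS ``debug radius`` Access-Requests for an Easy VPN server.

Added example for this thread; not code from the original posts or from Cisco.
SAMPLE_DEBUG is constructed from the excerpts posted in the thread. The rule
"component VPN IPSEC + User-Name equal to an ISAKMP client group name +
Service-Type Outbound => group authorization lookup" is an assumption derived
from those excerpts, not a Cisco specification.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RE_COMPONENT = re.compile(
    r"RADIUS/ENCODE\((?P<uid>[0-9A-Fa-f]+)\):\s*Orig\. component type = (?P<comp>.+?)\s*$")
RE_SEND = re.compile(
    r"RADIUS\((?P<uid>[0-9A-Fa-f]+)\): Send Access-Request to \S+ id (?P<rid>\S+), len")
RE_ATTR = re.compile(
    r"RADIUS:\s+(?P<name>[A-Za-z][A-Za-z0-9-]*)\s+\[(?P<num>\d+)\]\s+\d+\s*(?P<value>.*)$")
RE_REPLY = re.compile(
    r"RADIUS: Received from id (?P<rid>\S+) \S+, (?P<code>Access-[A-Za-z]+)")


@dataclass
class AccessRequest:
    uid: str                                     # AAA unique id, e.g. 0000007E
    component: str = ""                          # "VPN IPSEC", "Exec", ...
    attrs: Dict[str, str] = field(default_factory=dict)
    reply: str = ""                              # Access-Accept / Access-Reject / ""


def _clean(value: str) -> str:
    """Drop surrounding quotes; for enums like 'Outbound   [5]' keep only the name."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value.split()[0] if value else ""


def parse_debug(text: str) -> List[AccessRequest]:
    """Group attribute lines under the Access-Request they were sent with."""
    requests: Dict[str, AccessRequest] = {}
    packet_to_uid: Dict[str, str] = {}       # "1645/22" -> "0000007E"
    current: Optional[AccessRequest] = None
    for line in text.splitlines():
        m = RE_COMPONENT.search(line)
        if m:
            current = requests.setdefault(m["uid"], AccessRequest(m["uid"]))
            current.component = m["comp"]
            continue
        m = RE_SEND.search(line)
        if m:
            current = requests.setdefault(m["uid"], AccessRequest(m["uid"]))
            packet_to_uid[m["rid"]] = m["uid"]
            continue
        m = RE_REPLY.search(line)
        if m:
            uid = packet_to_uid.get(m["rid"])
            if uid:
                requests[uid].reply = m["code"]
            current = None   # attributes after this line belong to the reply, not the request
            continue
        m = RE_ATTR.search(line)
        if m and current is not None:
            current.attrs[m["name"]] = _clean(m["value"])
    return list(requests.values())


def classify(req: AccessRequest, isakmp_groups: Set[str]) -> str:
    user = req.attrs.get("User-Name", "")
    if req.component.startswith("VPN IPSEC"):
        if user in isakmp_groups and req.attrs.get("Service-Type") == "Outbound":
            return "group-authorization"   # router asking RADIUS to authorize the ISAKMP group
        return "xauth-user"                # a credential typed by the user at the Xauth prompt
    if req.component.startswith("Exec"):
        return "exec-login"
    return "other"


def summarize(text: str, isakmp_groups: Set[str]):
    """(uid, classification, User-Name, reply code) for every Access-Request seen."""
    return [(r.uid, classify(r, isakmp_groups), r.attrs.get("User-Name", ""), r.reply)
            for r in parse_debug(text)]


# Constructed from the debugs posted in the thread (abridged).
SAMPLE_DEBUG = """\
*Jul  1 19:20:57.509: RADIUS/ENCODE(0000007E):Orig. component type = VPN IPSEC
*Jul  1 19:20:57.509: RADIUS(0000007E): Send Access-Request to 192.168.1.50:1645 id 1645/22, len 110
*Jul  1 19:20:57.509: RADIUS:  authenticator 72 23 FE 6B 78 D0 90 B9 - B2 A2 8C A9 32 E8 95 7E
*Jul  1 19:20:57.509: RADIUS:  User-Name           [1]   13  "vpn_admin"
*Jul  1 19:20:57.509: RADIUS:  User-Password       [2]   18  *
*Jul  1 19:20:57.509: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Jul  1 19:20:57.509: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Jul  1 19:20:57.513: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.1
*Jul  1 19:20:57.529: RADIUS: Received from id 1645/22 192.168.1.50:1645, Access-Reject, len 20
*Jul  1 20:25:39.833: RADIUS/ENCODE(00000080): ask "Password: "
*Jul  1 20:25:43.093: RADIUS/ENCODE(00000080):Orig. component type = Exec
*Jul  1 20:25:43.093: RADIUS(00000080): Send Access-Request to 192.168.1.50:1645 id 1645/26, len 70
*Jul  1 20:25:43.093: RADIUS:  User-Name           [1]   6   "ray"
*Jul  1 20:25:43.097: RADIUS:  User-Password       [2]   18  *
*Jul  1 20:25:43.097: RADIUS:  NAS-Port            [5]   6   515
*Jul  1 20:25:43.105: RADIUS: Received from id 1645/26 192.168.1.50:1645, Access-Accept, len 102
*Jul  1 20:25:43.105: RADIUS:  Service-Type        [6]   6   Framed                    [2]
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_DEBUG, {"vpn_admin"}):
        print(row)
```

Run it against a saved `debug radius` capture with the names from `crypto isakmp client configuration group` as the group set. A request labelled group-authorization that comes back Access-Reject is the router asking the RADIUS server about the ISAKMP group rather than a user, which is what NPS logged above as reason code 16 ("user name ... does not map to an existing user account"); the thread's fix of pointing `isakmp authorization list` at the local method list while leaving `client authentication list` on RADIUS removes that request so only the Xauth user credentials reach NPS.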

I see... authorization from the local database. Thanks for sharing.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Good neighbor policy: always update every forum post you made with the answer so the next guy looking can find it.

Completely Agree I'm sure this will help a lot of community members in future.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

If only this lonely post were easier to find! 

Many thanks for posting the solution.
