Cisco Support Community
New Member

ipsec vpn cisco asa and acs 5.1

We have configured IPsec VPN on a Cisco ASA with authentication by ACS 5.1.

Here is the config on the Cisco 5580:

access-list acltest standard permit 10.10.30.0 255.255.255.0
aaa-server Gserver protocol radius
aaa-server Gserver (inside) host 10.1.8.10
 key cisco
aaa-server Gserver (inside) host 10.1.8.11
 key cisco
group-policy gpTest internal
group-policy gpTest attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acltest
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool localpool
 default-group-policy gpTest
 authentication-server-group Gserver LOCAL
 authorization-server-group Gserver
 accounting-server-group Gserver
tunnel-group test ipsec-attributes
 pre-shared-key cisco123

In the ACS, we configured a user group, "VPN users"; all VPN users are in that group. The ACS has an access policy: if the user is in the group "VPN users", ACS permits access.

When we connect from a VPN Client to the server, all users connect successfully. But when we look at the monitor log in ACS, each successful user connection also gets the error:

22040 wrong password or invalid shared secret

(please see the attached picture)

The system still works, but I don't know why we get the error log.

Thanks for any help you can provide!

Duyen

Accepted Solution
Silver

Re: ipsec vpn cisco asa and acs 5.1

Hello Duyen,

I think I have narrowed the issue. When authenticating VPN Remote Access using RADIUS we need to keep in mind that the Authentication and Authorization are included on the same packet.

As per your configuration, the ACS is defined as a RADIUS server (aaa-server Gserver protocol radius) and the Tunnel Group for VPN is getting authenticated and "authorized" against that server:

authentication-server-group Gserver LOCAL

authorization-server-group Gserver

As stated above, the RADIUS request/response includes Authentication and Authorization on the same packet. This seems to be a misconfiguration issue as we should not be configuring the "authorization" under the Tunnel Group.

Please remove the authorization under the Tunnel Group:

no authorization-server-group Gserver

Please test the connection again and verify the ACS logs. At this point there should only be one successful log reported on the ACS side.

The "authorization-server-group" is meant for LDAP authorization when authenticating against an LDAP server as well in order to retrieve the authorization attributes from the server. RADIUS does not need the command as explained above.

Hope this helps.

Regards.
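The misconfiguration described in this answer is easy to catch mechanically: when a tunnel-group's authorization-server-group points at an aaa-server group whose protocol is RADIUS, the ASA sends a second RADIUS request that carries no password, which is what shows up in ACS as a failed attempt. The following is an added lint script written for this thread, not Cisco or ACS code; the sample configuration is constructed from the lines quoted above.

```python
import re
from typing import Dict, List

# Constructed sample: the aaa-server and tunnel-group lines from the original post,
# in running-config indentation.
SAMPLE_CONFIG = """\
aaa-server Gserver protocol radius
aaa-server Gserver (inside) host 10.1.8.10
 key cisco
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool localpool
 default-group-policy gpTest
 authentication-server-group Gserver LOCAL
 authorization-server-group Gserver
 accounting-server-group Gserver
"""


def parse_server_protocols(config: str) -> Dict[str, str]:
    """Map each aaa-server group name to its protocol (radius, ldap, ...)."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"^aaa-server (\S+) protocol (\S+)", config, re.M)}


def parse_tunnel_groups(config: str) -> Dict[str, Dict[str, str]]:
    """Collect the authentication/authorization server group of each tunnel-group.
    A trailing fallback such as 'LOCAL' is ignored; only the primary group is kept."""
    groups: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"^tunnel-group (\S+) general-attributes", line)
        if head:
            current = groups.setdefault(head.group(1), {})
            continue
        if not line.startswith(" "):
            current = None          # any unindented line ends the attributes block
            continue
        attr = re.match(r"\s+(authentication|authorization)-server-group (\S+)", line)
        if current is not None and attr:
            current[attr.group(1)] = attr.group(2)
    return groups


def redundant_radius_authorization(config: str) -> List[str]:
    """Return the commands that remove each authorization-server-group that
    points at a RADIUS group (RADIUS already returns authorization attributes
    in the Access-Accept, so this second lookup is redundant and fails)."""
    protos = parse_server_protocols(config)
    fixes = []
    for tg, attrs in parse_tunnel_groups(config).items():
        authz = attrs.get("authorization")
        if authz and protos.get(authz) == "radius":
            fixes.append(f"tunnel-group {tg} general-attributes\n"
                         f" no authorization-server-group {authz}")
    return fixes
```

Run it over `show running-config` output; an empty list means no tunnel-group is double-querying a RADIUS server.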

5 REPLIES
New Member

ipsec vpn cisco asa and acs 5.1

Friend, have you configured the same shared secret on both devices?

New Member

ipsec vpn cisco asa and acs 5.1

Thanks Jonatas,

But the client connects successfully to the VPN server, so I think a key mismatch doesn't happen here.

New Member

ipsec vpn cisco asa and acs 5.1

Have you got any idea to help me?

Thanks

New Member

ipsec vpn cisco asa and acs 5.1

Thanks, it works.
