I am having a problem with radius authentication for vpn clients. It seems as though the router (871w, adv.security 12.4) is not sending authentication requests to the radius server, a Win2k3 member server running IAS.
Below is a snip of the config:
aaa authentication login default local
aaa authentication login vpn_user group radius local
radius-server host A.B.C.D auth-port 1645 acct-port 1646 key 7 xyz
radius-server retransmit 4
The problem is that the router does not seem to be sending any authentication requests to the radius server.
show radius stat displays no packets sent to or received from the radius server.
The router has an isa profile for vpn clients that specifies the vpn_user group for authentication, e.g.:
crypto isakmp profile vpn_client
match identity group vpn_access
client authentication list vpn_user
I can see in cry isa debugs that the VPN clients are being matched to the vpn_client isakmp profile. And local user/passwords allows vpn access, but Windows user/passwords don't.
I have tried using different ports (1812, 1813), creating a radius server group, and trying a DC instead of a Windows member server. The logs on the Windows servers appear to show no radius authentication requests. I have also tried ip radius source f0 and ip radius source vlan1 as the interface facing the server is a switchport on the 871w.
But it seems to not even be sending any authentication requests to the radius server.
I have set up radius in a similar way at several other sites, without any similar difficulties, although using different Cisco routers (2611, 2821).
Are there any possible issues relating to the switchports on the 871w and radius? Or am I missing something in the config?
Thanks for the help,
Can you ping the server from the router, and vice-versa? Also, check whether the router has been added into radius as AAA client.
It's possible that you may need to have "isakmp authorization list" under your isakmp profile. This *may* make a difference since it needs this to look up the information within the client group, and is also needed to get mode config information either locally or from radius. Check out this sample:
aaa authentication login userauth group radius local
aaa authorization network groupauthor local
crypto isakmp profile softclient
match identity group tennis
client authentication list userauth
isakmp authorization list groupauthor
client configuration address respond
If this doesn't help, what I would also do is turn on "debug radius" to see what radius packets are being sent from the router, if at all.
Also, make sure radius is working. You can use the "test" global exec mode to see if communication to radius is even working:
# test aaa group vpn_user
I can ping the server(s) used for radius, and from server to router. The router terminates 2 GRE/IPSec tunnels and 4 IPSec connections, plus the VPN clients. End to end connectivity is good, hosts can ping from site to site without problem, so basic connectivity appears to be solid.
The configuration includes:
aaa authorization network vpn1 local
- and the appropriate commands in the isakmp profile.
debug radius produces no output. debug ip packet (with an access list to display only packets destined for the server) also produces no output.
Thanks for the test command, I haven't seen that command before.
I am reasonably certain the Windows servers are configured correctly, IAS is running, radius client info for the router is set, etc.
I must be missing something, I'll try some more testing and go over the various documents and try to see what I might have overlooked.
Another thing to do would be to turn on "debug crypto isakmp" and "debug crypto ipsec" to see if it is actually finishing IKE Phase 1 and even doing Xauth.
The test aaa command was very useful. At least I was able to confirm that the Win2K3 radius side was working.
debug cry isa/ips shows the clients connecting without a problem.
debug aaa authe has revealed the problem - the vpn clients are using the default aaa authentication (which is local) and not the aaa authentication list specified in the isakmp profile.
Setting the default aaa authentication to group radius local, and connecting, shows radius traffic and clients are authenticated against AD.
It is a bit odd - the isakmp debugs show that the vpn clients are being matched to the correct isakmp profile. And the profile specifies an aaa authentication list, which matches the aaa authentication statement specifying radius. But the clients still are only authenticated against the default aaa authentication method.
Config looks like this:
aaa authen login default local
aaa authen login vpn_users group radius local
cry isa profile vpn_clients
match ident group xyz
client authen list vpn_users
debug cry isa shows that clients are matched to the vpn_client profile, but debug aaa auth shows that they are being authenticated against the default, not vpn_users.
Still, as a workaround I have set the default to:
aaa authentication login default group radius local
- and everything seems to work fine.
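The thread turns on which AAA method list an ISAKMP profile actually hands Xauth to, and on whether the list names referenced inside the profile are the ones defined globally. The following is an added example, written for this page and not posted by anyone in the thread, that parses an IOS config excerpt and reports profiles whose "client authentication list" or "isakmp authorization list" is undefined, missing, or never consults a RADIUS server group. The excerpt it reads is constructed from the snippets above; the address 192.0.2.10, the profile names and the mismatched list names (vpn_users vs vpn_user, groupauthor) are assumptions chosen to exercise the checks.

```python
"""Lint an IOS config excerpt for ISAKMP profile / AAA method-list mismatches."""
import re

# Constructed IOS config excerpt modelled on the snippets posted in this thread.
# The address, profile names and the deliberately mismatched list names are assumptions.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login vpn_user group radius local
aaa authorization network vpn1 local
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key 7 xyz
radius-server retransmit 4
crypto isakmp profile vpn_clients
 match identity group vpn_access
 client authentication list vpn_users
crypto isakmp profile softclient
 match identity group tennis
 client authentication list vpn_user
 isakmp authorization list groupauthor
 client configuration address respond
"""


def parse_config(text):
    """Return the AAA lists, RADIUS hosts and ISAKMP profiles found in an IOS config."""
    cfg = {"login": {}, "network": {}, "radius_hosts": [], "profiles": {}}
    profile = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            profile = None  # an unindented line means we left the profile submode
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            cfg["login"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization network (\S+) (.+)", line)
        if m:
            cfg["network"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"radius-server host (\S+)", line)
        if m:
            cfg["radius_hosts"].append(m.group(1))
            continue
        m = re.match(r"crypto isakmp profile (\S+)", line)
        if m:
            profile = cfg["profiles"].setdefault(
                m.group(1), {"auth_list": None, "author_list": None, "groups": []})
            continue
        if profile is not None:
            sub = line.strip()
            m = re.match(r"client authentication list (\S+)", sub)
            if m:
                profile["auth_list"] = m.group(1)
            m = re.match(r"isakmp authorization list (\S+)", sub)
            if m:
                profile["author_list"] = m.group(1)
            m = re.match(r"match identity group (\S+)", sub)
            if m:
                profile["groups"].append(m.group(1))
    return cfg


def consults_server_group(methods):
    """True if a method list contains a 'group ...' entry (RADIUS or a named server group)."""
    return "group" in methods


def check_profiles(cfg):
    """Return (profile, message) findings for list references that cannot work as written."""
    findings = []
    for name, p in cfg["profiles"].items():
        al = p["auth_list"]
        if al is None:
            findings.append((name, "no 'client authentication list'; Xauth falls back to the default login list"))
        elif al not in cfg["login"]:
            findings.append((name, f"client authentication list '{al}' is not defined with 'aaa authentication login'"))
        elif not consults_server_group(cfg["login"][al]):
            findings.append((name, f"login list '{al}' never consults a RADIUS server group"))
        zl = p["author_list"]
        if zl is None:
            findings.append((name, "no 'isakmp authorization list'; group/mode-config lookup has no authorization list"))
        elif zl not in cfg["network"]:
            findings.append((name, f"isakmp authorization list '{zl}' is not defined with 'aaa authorization network'"))
    return findings


def default_login_reaches_radius(cfg):
    """Would a client that falls through to the default login list ever be sent to RADIUS?"""
    methods = cfg["login"].get("default", ["local"])
    return consults_server_group(methods) and bool(cfg["radius_hosts"])


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for prof, msg in check_profiles(parsed):
        print(f"{prof}: {msg}")
    print("default login list reaches RADIUS:", default_login_reaches_radius(parsed))
```

Run against a `show running-config` capture instead of SAMPLE_CONFIG, the script flags exactly the situation described in this thread: a profile whose named list does not match any defined `aaa authentication login` list, combined with a `default` list of `local`, means "debug radius" will stay silent because no request is ever generated. The last line of output says whether the workaround of changing the default list would route authentication to RADIUS at all.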
Hmm... to me, something still seems amiss. What version of IOS is the router running? In any case, I'm glad to hear that it is looking better.