04-13-2004 01:29 PM - edited 02-21-2020 10:09 AM
Has anyone been able to get RADIUS authentication to work for VPN users with the PIX OS 6.3(3)? The authentication appears to be accepted on the IAS server, but the client gets the error "Reason 412: The remote peer is no longer responding."
Anyone out there know of a fix?
04-15-2004 08:27 AM
What does your config on your PIX look like? I've got this running on my network with no problems.
04-15-2004 10:39 AM
04-15-2004 11:36 AM
Here is what I have set up on mine. You will see some of the differences; one is the address allocation portion. With my config it allows the Cisco VPN Client with cross authentication to IAS, and you can also use the built-in PPTP client with IAS authentication.
:Windows 2003 DNS compliant
fixup protocol dns maximum-length 1280
:Address pool handed out to VPN clients
ip local pool VPN-POOL 172.16.1.1-172.16.1.250
:NAT 0 ACL - traffic from inside to the VPN pool is not translated
access-list NAT-0-INSIDE permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NAT-0-INSIDE
:Defines your IAS server (the word after the host address is the RADIUS shared secret, it must match the client entry in IAS)
aaa-server AD-VPN-AUTH protocol radius
aaa-server AD-VPN-AUTH (inside) host 10.8.240.15 secant timeout 5
:Stuff needed for Remote VPN
:Phase 2 (IPsec) transform set and dynamic crypto map for remote clients
crypto ipsec transform-set AES-256-ENCRYPT esp-aes-256 esp-md5-hmac
crypto dynamic-map VPN-DYN-MAP 1 set transform-set AES-256-ENCRYPT
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic VPN-DYN-MAP
crypto map OUTSIDE-MAP client configuration address respond
:XAUTH - VPN client users are authenticated against the IAS server defined above
crypto map OUTSIDE-MAP client authentication AD-VPN-AUTH
crypto map OUTSIDE-MAP interface outside
isakmp enable outside
isakmp nat-traversal 20
:Phase 1 (ISAKMP) policy - pre-shared key, DES/MD5 (the Phase 2 transform set above is AES-256)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:Cisco VPN Client group settings - the group name and password are what the client sends as its IKE identity and pre-shared key
vpngroup USERNAME address-pool VPN-POOL
vpngroup USERNAME dns-server 10.8.240.14 10.8.240.15
vpngroup USERNAME default-domain company.com
vpngroup USERNAME split-tunnel VPN-SPLIT-TUNNEL
vpngroup USERNAME split-dns company.com
vpngroup USERNAME idle-time 1800
vpngroup USERNAME password ********
:PPTP client settings, also authenticated against the IAS server
vpdn group PPTP-VPN accept dialin pptp
vpdn group PPTP-VPN ppp authentication pap
vpdn group PPTP-VPN ppp authentication chap
vpdn group PPTP-VPN ppp authentication mschap
vpdn group PPTP-VPN ppp encryption mppe auto
vpdn group PPTP-VPN client configuration address local VPN-POOL
vpdn group PPTP-VPN client configuration dns 10.8.240.14 10.8.240.15
vpdn group PPTP-VPN client authentication aaa AD-VPN-AUTH
vpdn group PPTP-VPN pptp echo 60
vpdn enable outside
04-19-2004 02:24 PM
Make sure that you have enabled unencrypted authentication in IAS; otherwise the authentication will fail.
Best regards,
/M
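The IAS setting in the reply above ("unencrypted authentication", IAS's name for PAP) matters because the XAUTH password the PIX forwards in its RADIUS Access-Request is not encrypted, only hidden by XOR with an MD5 keystream derived from the shared secret and the request authenticator (RFC 2865 section 5.2). The following is an added example, not code from this thread or from Cisco or Microsoft: it builds that PAP Access-Request the way a NAS does, simulates the server decoding it and replying, and verifies the Response Authenticator on the client side, which is the only proof the NAS has that the reply came from a server holding the same secret. The shared secrets, user, password and NAS address are constructed test values. A mismatched secret shows up twice: the server recovers garbage for the password (so it rejects), and the reply's authenticator fails to verify (so the client drops it), which is how a bad secret looks from both ends.

```python
"""RFC 2865 PAP Access-Request / reply round trip with a simulated RADIUS server.

Added example; not from the forum thread. All secrets, users and addresses are
made-up test values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    # Attribute TLV: type(1) length(1, counts the 2-byte header) value
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(blob: bytes) -> list:
    """Split the attribute region of a packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def encode_pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s5.2): pad to 16-byte blocks, XOR each block
    with MD5(secret + previous block), the first block with MD5(secret + authenticator)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decode_pap_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encode_pap_password; what the server does with its copy of the secret.
    Trailing NUL padding is stripped, so a password ending in NUL bytes is not supported."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, req_auth=None):
    """NAS side: Access-Request with User-Name, PAP User-Password and NAS-IP-Address.
    Returns (packet, request_authenticator); the authenticator is needed to check the reply."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    length = struct.pack("!H", 20 + len(attrs))
    return hashlib.md5(bytes([code, ident]) + length + req_auth + attrs + secret).digest()


def server_handle(packet, secret, users):
    """Simulated server: recover the PAP password with its own secret, check it, reply.
    There is no way for the server to tell a wrong secret from a wrong password here."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], dict(parse_attributes(packet[20:]))
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = decode_pap_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    return header + response_authenticator(code, ident, reply_attrs, req_auth, secret) + reply_attrs


def verify_response(reply, req_auth, secret):
    """NAS side: return the reply code only if the Response Authenticator checks out,
    i.e. the server proved it holds the same shared secret; otherwise None."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    expected = response_authenticator(code, ident, reply[20:], req_auth, secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def pap_login(username, password, client_secret, server_secret, users):
    """Full round trip; returns ACCESS_ACCEPT, ACCESS_REJECT, or None when the
    reply fails the authenticator check (secret mismatch between NAS and server)."""
    packet, req_auth = build_access_request(7, client_secret, username, password, "10.8.240.1")
    reply = server_handle(packet, server_secret, users)
    return verify_response(reply, req_auth, client_secret)


if __name__ == "__main__":
    SECRET = b"test-secret"                       # constructed, not a real shared secret
    USERS = {"vpnuser": b"CorrectHorse1"}          # constructed user database
    print(pap_login("vpnuser", "CorrectHorse1", SECRET, SECRET, USERS))    # 2, Access-Accept
    print(pap_login("vpnuser", "wrongpw", SECRET, SECRET, USERS))          # 3, Access-Reject
    print(pap_login("vpnuser", "CorrectHorse1", SECRET, b"other", USERS))  # None, secret mismatch
```

To probe a real server instead of the simulated one, send the bytes from `build_access_request` over UDP to port 1812 (or 1645 on older setups) and pass the datagram you get back to `verify_response` with the same request authenticator; a reply that comes back but fails verification points at the shared secret, while no reply at all is what most servers do when they decide to discard the request, and that is indistinguishable from a network or firewall problem.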
04-20-2004 07:16 AM
Already did. The authentication request comes through just fine and the user appears to get authenticated, per the IAS log. I opened a case with TAC and they are having me make some changes to the ISAKMP config for the roaming user config.