PIX 6.3(3) and IAS (Internet Authentication Services, RADIUS)

lynch00
Level 1

Has anyone been able to get RADIUS authentication to work for VPN users with the PIX OS 6.3(3)? The authentication appears to be accepted on the IAS server, but the client gets the error "Reason 412: The remote peer is no longer responding."

Anyone out there know of a fix?

5 Replies

rsursely
Level 1

What does your config on your PIX look like? I got this running on my network with no problems.

Here's the config.

Here is what I have set up on mine. You will see some of the differences; one is the address allocation portion. With my config it allows the Cisco VPN client with cross authentication to IAS, and you can also use the built-in PPTP client with IAS authentication.

:Windows 2003 DNS compliant
fixup protocol dns maximum-length 1280
:DHCP Handed out to VPN Clients
ip local pool VPN-POOL 172.16.1.1-172.16.1.250
:NAT 0 ACL
access-list NAT-0-INSIDE permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NAT-0-INSIDE
:Defines your IAS Server (the value after the host address is the RADIUS shared secret)
aaa-server AD-VPN-AUTH protocol radius
aaa-server AD-VPN-AUTH (inside) host 10.8.240.15 secant timeout 5
:Stuff needed for Remote VPN
crypto ipsec transform-set AES-256-ENCRYPT esp-aes-256 esp-md5-hmac
crypto dynamic-map VPN-DYN-MAP 1 set transform-set AES-256-ENCRYPT
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic VPN-DYN-MAP
crypto map OUTSIDE-MAP client configuration address respond
crypto map OUTSIDE-MAP client authentication AD-VPN-AUTH
crypto map OUTSIDE-MAP interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:Cisco VPN client group (access-list VPN-SPLIT-TUNNEL is referenced here but not included in this excerpt)
vpngroup USERNAME address-pool VPN-POOL
vpngroup USERNAME dns-server 10.8.240.14 10.8.240.15
vpngroup USERNAME default-domain company.com
vpngroup USERNAME split-tunnel VPN-SPLIT-TUNNEL
vpngroup USERNAME split-dns company.com
vpngroup USERNAME idle-time 1800
vpngroup USERNAME password ********
:PPTP for the built-in Windows client, authenticating against the same IAS server
vpdn group PPTP-VPN accept dialin pptp
vpdn group PPTP-VPN ppp authentication pap
vpdn group PPTP-VPN ppp authentication chap
vpdn group PPTP-VPN ppp authentication mschap
vpdn group PPTP-VPN ppp encryption mppe auto
vpdn group PPTP-VPN client configuration address local VPN-POOL
vpdn group PPTP-VPN client configuration dns 10.8.240.14 10.8.240.15
vpdn group PPTP-VPN client authentication aaa AD-VPN-AUTH
vpdn group PPTP-VPN pptp echo 60
vpdn enable outside

marcusl
Level 1

Make sure that you have enabled unencrypted authentication in IAS; otherwise, the authentication will fail.

Best regards,

/M

Already did. The authentication request comes through just fine and the user appears to get authenticated, per the IAS log. I opened a case with TAC and they are having me make some changes to the ISAKMP config for the roaming user config.
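The "unencrypted authentication" marcusl refers to is PAP over RADIUS, and the key on the aaa-server line is what both ends use to hide the password and to sign the reply. The following is an added example, not code from the thread or from Cisco, that builds a PAP Access-Request the way a NAS such as the PIX would, recovers the password the way IAS would, and checks the Response Authenticator on the Access-Accept as the PIX must before trusting it; all values are constructed, and "secant" stands in for whatever secret the posted line actually carries. It illustrates one thing worth keeping in mind with an IAS log that shows a successful accept: the reply is only usable by the PIX if its own copy of the secret verifies that authenticator.

```python
import hashlib
import os
import struct

# Constructed sample values; the posted aaa-server line names 10.8.240.15 as the IAS host.
SHARED_SECRET = b"secant"   # placeholder standing in for the real key on that line
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types

def hide_password(password, secret, request_auth):
    """PAP User-Password hiding (RFC 2865 5.2): each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """What the RADIUS server (IAS) does on receipt; the inverse of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, request_auth=None):
    """Access-Request as a PAP NAS (here the PIX) sends it; Request Authenticator is random."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Server reply; authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_authentic(reply, request_auth, secret):
    """NAS-side check: a reply produced with a different secret fails and is discarded."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return reply[4:20] == expected
```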
