
VPN - RADIUS

bizsnatch
Level 1

I have a PIX set up as a VPN server for remote access users. I have it configured for the Cisco Client and for Microsoft using PPTP/MSCHAP. I have security set to authenticate via RADIUS. RADIUS works for the Microsoft client and authenticates fine. Using the Cisco client, the client establishes the connection with the PIX, and then the pop-up window asking for the credentials to pass to RADIUS is displayed. It fails authentication every time. Any ideas?

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication RADIUS

crypto map outside_map interface inside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup group1 address-pool sapool

vpngroup group1 dns-server 192.168.1.70

vpngroup group1 wins-server 192.168.1.5

vpngroup group1 idle-time 1800

vpngroup group1 password ********

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.1.7 123 timeout 10

2 Replies

briapolo
Level 1

I have the same problem. I authenticate fine to the PIX, yet my authentication to IAS fails. Configs are very similar.

jmondaca
Level 1

You have to enable "dial in" in your domain server for the users you want to give access.

Active Directory -> USER -> Dial-in -> Allow Access

Hope it helps.

JM
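
An added example, not part of the reply above: a PowerShell check of the Dial-in setting for every member of a VPN group, so accounts that the RADIUS server would reject for this reason can be found without opening each user by hand. It assumes the ActiveDirectory module (RSAT) is installed; the group name `VPN-Users` and the function name are placeholders. The Dial-in tab is stored in the `msNPAllowDialin` attribute, which is unset when access is left to the remote access policy.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-DialInState {
    param(
        # Hypothetical group holding the remote access users.
        [Parameter(Mandatory)] [string] $GroupName
    )

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # msNPAllowDialin is not returned by default, so request it explicitly.
            $u = Get-ADUser -Identity $_.distinguishedName -Properties msNPAllowDialin

            # TRUE = Allow access, FALSE = Deny access,
            # unset = decision left to the remote access policy on the RADIUS server.
            $state = if ($null -eq $u.msNPAllowDialin) {
                'Controlled by remote access policy'
            } elseif ($u.msNPAllowDialin) {
                'Allow access'
            } else {
                'Deny access'
            }

            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                DialIn         = $state
            }
        }
}

# Usage: list the group's members grouped by their Dial-in state.
Get-DialInState -GroupName 'VPN-Users' |
    Sort-Object DialIn, SamAccountName |
    Format-Table -AutoSize
```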