To set up RADIUS authentication of VPN Client connections, you have to do a couple of steps on the SA 520. First, define your RADIUS server to the SA: in the SA Web Configuration Utility, go to the Administration menu and select RADIUS Server on the navigation pane to open the RADIUS Server page. Click Add to enter the config page, and enter your RADIUS server's configuration and, importantly, the Shared Secret.
Next, since you already have working VPN remote access policies, you just need to switch the extended authentication of your users from the Internal User Database to XAUTH Configuration: Edge Device and Authentication type: Radius - CHAP or PAP. First you need to stop the VPN Policies associated with the IKE Policy that you want to modify.
1) Select the VPN menu, click VPN Policies on the navigation pane, then check the VPN Policies that are associated with your IKE Policy (Shrew), and finally click Disable to temporarily stop these policies.
2) Click IKE Policies, then click the Edit icon to modify the Policy that your Shrew Clients use.
3) Change the Extended Authentication settings as stated above: XAUTH Configuration: Edge Device and the Authentication type: Radius - CHAP or RADIUS - PAP depending on your 2008 server config.
4) Now go back to the VPN Policies Page, and re-Enable the policies that you had to temporarily disable to edit the IKE Policy.
This should help you get there... Let us know how this worked out for you.
BTW, make sure you are not blocking fragmented packets on the SA, or you will have problems getting authenticated by the RADIUS server.
I am trying to configure an SA 520 IPsec VPN with RADIUS authentication and I have exactly the same problem. My config is:
SA520w with Block Fragmented Packets disabled
Primary Firmware Version:
Secondary Firmware Version:
Radius Server on OS X Server 10.6.7
I set up an IPsec VPN for Mac OS X and iOS remote devices; I set up my VPN for RemoteAccess with the wizard by checking the Cisco VPN Client option. If I try from iOS or OS X with the VPN set up on the local database, everything works really well. As soon as I switch to RADIUS with CHAP, nothing works.
I've tried to connect from the built-in OS X / iOS Cisco VPN client and with VPN Tracker, and I get the same result: I can't connect to my VPN. On the client there is no special error message, just that I can't be authenticated. On the server, if I read the system logs, I have nothing: I see the XAUTH request and then nothing, the connection is closed. On the RADIUS server I can't see any incoming request.
The first things that you should verify are the RADIUS server details as stored on your SA500. Verify that the RADIUS server's IP address, the authentication port used, and the shared secret phrase match those of your RADIUS server. On the SA500's Web Configuration Utility, navigate to the Administration -> RADIUS Server page, and make sure the RADIUS server information listed matches your environment.
If properly configured, perform a packet capture between the SA500 and the RADIUS server to verify requests and responses are being exchanged between the SA500 and your Radius Server.
There is a nice utility that can test your RADIUS server settings...
Thanks for your answer. I've planned to check the communication with tcpdump as soon as possible, yes.
About NTRadPing, it's not useful for me, as I work on Mac OS X. Do you know another tool, made for Unix and with sources available? I've found a lot of Unix tools, but only as binaries for Linux, Solaris, FreeBSD, not Darwin, or sources… So if you know one, I'm really interested!
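A minimal RADIUS test client in Python (stdlib only, runs on Darwin), added here as an example and not taken from this thread or from Cisco: it builds an Access-Request with PAP or CHAP per RFC 2865, sends it, and checks the Response Authenticator, which is how a shared-secret mismatch shows up. For CHAP the Request Authenticator is reused as the CHAP-Challenge (allowed when no CHAP-Challenge attribute is sent) and the packet identifier doubles as the CHAP ident; the host, user, password and secret you pass in are your own placeholders.

```python
import hashlib
import os
import socket
import struct

def attr(code, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", code, len(value) + 2) + value

def pap_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte chunks of the NUL-padded password with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def chap_password(ident, password, challenge):
    """RFC 2865 5.3: CHAP ident byte followed by MD5(ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_access_request(user, password, secret, method="chap", ident=1, authenticator=None):
    """Build an Access-Request (code 1) carrying User-Name and either User-Password or CHAP-Password."""
    auth = authenticator or os.urandom(16)  # 16-byte Request Authenticator (also the CHAP challenge)
    attrs = attr(1, user)  # User-Name
    if method == "pap":
        attrs += attr(2, pap_password(password, secret, auth))  # User-Password
    elif method == "chap":
        attrs += attr(3, chap_password(ident, password, auth))  # CHAP-Password
    else:
        raise ValueError("method must be 'pap' or 'chap'")
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def verify_response(response, request, secret):
    """Recompute MD5(Code+ID+Length+RequestAuth+Attrs+Secret); False means the shared secret differs."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0], expected == response[4:20]

def radius_ping(host, user, password, secret, method="chap", port=1812, timeout=3.0):
    """Send one Access-Request; return accept, reject, challenge, bad-secret, unknown or no-reply."""
    req = build_access_request(user, password, secret, method)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            resp, _ = s.recvfrom(4096)
        except OSError:  # timeout or ICMP unreachable: wrong port, firewall, or request silently dropped
            return "no-reply"
    code, ok = verify_response(resp, req, secret)
    return {2: "accept", 3: "reject", 11: "challenge"}.get(code, "unknown") if ok else "bad-secret"
```

Call `radius_ping("<radius-host>", b"user", b"password", b"<shared-secret>", "chap")` with your own values; "no-reply" alongside nothing in the server log points at port, firewall or fragment filtering, while "bad-secret" means the server answered but with a different secret.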