New Member

SA540 to Windows 2008 Radius Authentication Failure

I am having trouble getting my SA540 small business router to authenticate.

Problem 1) Authentication fails with Windows 2008 radius server

Problem 2) Digicert 3rd party SSL certificate fails to load into Self Signed Certificates

Part I: CONFIGURE WINDOWS 2008 RADIUS & CONNECTION POLICIES

Step 1: Configure Radius client on Windows 2008

I configured the settings for

* Friendly Name: SA540

* IP/DNS: LAN address of Cisco SA540

* Secret: xxxx

I tried two vendor settings: RADIUS Standard and Cisco

I left the boxes unchecked for:

* Require access requests to contain the Message Authentication Attribute

* NAP capable

Step 2: Configure Connection Request Policy on Windows 2008

Overview:

* Name: SA540

* Enable policy: checked

* Network Connection Method: Unspecified

Conditions:

* Client Friendly Name (must match Radius Client Name above)

Settings:

* Required Authentication Methods:

- Check box for Override network policy authentication settings

- CHAP (always fails), PAP (a test worked from inside LAN using a radius test utility)

- I would like to use certificates for authentication but my digicert will not load into the SA540 3rd party cert area

* Forwarding Connection Requests:

- Authenticate requests on this server (checked)

* Radius Attributes:

- I want to have a login prompt sent to the Cisco VPN client being authenticated but am unclear what attributes are required

- I chose "Standard: Login-IP-Host" = (IP address of Active Directory Server)

PART II: CONFIGURE CISCO SA540

Step 1: Use IPSEC VPN Wizard to create IKE and VPN policies

* VPN Type: Remote Access

* Enable Cisco Client (checked)

* Name

* Key

* WAN Interface

* Remote GW: FQDN = URL that is on my 3rd party certificate (vpn5.docvera.com)

Step 2: Change authentication to radius

* VPN - VPN Policies: disable vpn policy

* VPN - IKE Policies: change IKE policy

* Authentication Type: Radius - PAP or Radius - CHAP

* Click Apply

* note that the help file says that there should also be MS-CHAP and MS-CHAPv2 but they do not appear

Step 3: Configure Dynamic IP Range

* VPN - IPSEC - Dynamic IP Range:

- Split tunnel (only remote traffic goes through tunnel)

- Start/End IP address: New IP segment with DHCP for VPN users

* Split DNS Names: Active Directory domain (docvera.local)

Step 4: Add Authentication Certificates (if you use them)

* Administration - Authentication: My digicert 3rd party SSL certificate will not load into the Self Certificates area

Step 5: Configure Radius Server

* Administration - RADIUS server:

* IP address

* Authentication port: 1812 (also tried 1645)

* Secret

* Timeout: 180

* Retries: 3

Part III: CONNECT

* Cisco VPN Client v5.0.07 connects fine when using Local Users but always fails to the radius server

* I ran wireshark and could NOT find:

- requests from the SA540 LAN IP address

- packets using UDP port 1812 (or 1645 when I tested it)

* Cisco VPN client gets an error message 413

* Connection tests to the radius server test utility from inside the LAN work with PAP but not CHAP

Other:

* Clients today failed to connect using local user database.

* I deleted the VPN and IKE policy, added them back and then the users could connect

In sum:

* I hope to get radius authentication working

* I hope to use 3rd party certificates working for authentication
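The post observes that PAP works from a RADIUS test utility on the LAN while Wireshark never sees UDP 1812 traffic from the SA540. The block below is an added example, not code from the original post, Cisco or Microsoft: it builds the RFC 2865 Access-Request a PAP client sends, hides the password with the shared secret the way the RFC specifies, decodes it the way the server does, produces the server's Access-Accept/Reject with a Response Authenticator, and checks that authenticator on the client side. The shared secret, user name, NAS address and server address are constructed placeholders; only the Python standard library is used. Sending a request from a LAN host with `send_access_request` separates "NPS never answers" from "the router never sends", which is the distinction the Wireshark capture in the post could not make on its own.

```python
"""RADIUS PAP Access-Request / response helpers per RFC 2865.

Added example, not from the original post. Secret, user, NAS IP and server IP
are constructed sample values; substitute your own when testing a lab NPS.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to 16-octet blocks (at least one block), then XOR each
    block with MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. This is keyed obfuscation, not encryption: whoever holds the
    shared secret recovers the password, which is why the secret must be strong."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the above: reverse the chain and strip the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-zero multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets (3..255)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Code(1) | Identifier | Length | Request Authenticator (16 random octets) | attributes."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}); reject bad lengths."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than 20 octets")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def response_authenticator_valid(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not verify must be discarded,
    otherwise anyone on the path can forge an Access-Accept."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def send_access_request(server_ip, port, packet, secret, timeout=3.0):
    """Send one request; return the reply Code (2 accept, 3 reject), or None on
    timeout or on a reply whose Response Authenticator fails to verify."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    if not response_authenticator_valid(reply, packet[4:20], secret):
        return None
    return parse_packet(reply)[0]


if __name__ == "__main__":
    # Constructed values; change to your own lab NPS and the SA540's LAN address.
    req = build_access_request(1, "vpnuser", "MyP@ss", b"xxxx-shared-secret", "192.0.2.10")
    print("reply code:", send_access_request("192.0.2.20", 1812, req, b"xxxx-shared-secret"))
```

Only PAP is covered here; CHAP carries a challenge/response instead of a hidden password, so the server needs the clear-text (reversibly encrypted) password to verify it, which is the difference behind the NPS event in the reply below. NPS must list the sending host as a RADIUS client with the same secret, or it silently drops the datagram and the call returns None.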

1 REPLY
New Member

SA540 to Windows 2008 Radius Authentication Failure

I checked the Windows NPS Event log and found a CHAP authentication error: the user could not be authenticated using CHAP because a reversibly encrypted password does not exist for this account.

* Windows Security Event 6273
