Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA 5510 and MS IAS radius Cisco VPN Client setup

Hello,

I've spent hours trying to make heads or tails of the example: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

XX for privacy

Any direction would be greatly appreciated.

satx-mdf-fw1(config)# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname satx-mdf-fw1
domain-name domain.com
enable password QklkDpuqrOXyFWo7 encrypted
passwd wNIA7lMWIZEQRg9Z encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 2XX.67.103.90 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
timeout 30
name-server 10.10.50.90
domain-name domain.com
access-list inbound remark ** Inbound Filters **
access-list inbound extended permit tcp any host 64.XX2.225.140 eq www
access-list inbound extended permit tcp any host 64.XX2.225.140 eq https
access-list inbound extended permit tcp any host 64.132.225.140 eq smtp
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 64.XX2.225.141 eq ssh
access-list inbound extended permit tcp any host 64.XX2.225.141 eq www
access-list inbound extended permit tcp any host 64.XX2.225.141 eq https
access-list outbound remark ** Outbound Filters **
access-list outbound extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnclient 10.10.50.150-10.10.50.200
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 64.XX2.225.141 10.10.50.22 netmask 255.255.255.255
static (inside,outside) 64.XX2.225.140 10.10.50.90 netmask 255.255.255.255
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 207.67.103.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.10.50.90
key *****
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set my-set
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
dns-server value 10.10.50.90
default-domain value personalizedprevention.com
username troy password BlahBlah8nfPJo9dtNu encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpnclient
authentication-server-group vpn
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
   inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Many Thanks,

Troy

18 REPLIES
New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

I think I'm making this a lot more complicated than it is.  My network is simple, with no DMZ yet.  I have a Windows SBS 2003 Server running IAS and acting as a DC.  Ip address is 10.10.50.90.  I have an internal interface on the ASA of 10.10.50.1 and an external which is internet routable.

Cisco Employee

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

At which stage does the VPN Connection actually failing? Can you please elaborate a little bit more.

From the configuration, there is a few things that I can see might cause vpn failing to work:

1) IP Pool is currently in the same subnet as the internal network. Please kindly configure a different ip pool for vpn and it needs to be a unique subnet.

2) NAT exemption has not been configured, so once the pool has been changed, you can configure the following:

access-list nonat permit ip 10.10.50.0 255.255.255.0 255.255.255.0

nat (inside) 0 access-list nonat

For vpn access to your DMZ, then add the following:

access-list dmz-nonat permit ip 10.10.10.0 255.255.255.0 255.255.255.0

nat (dmz) 0 access-list dmz-nonat

It is also recommended to change the security level on your DMZ interface not the same as your outside interface (currently it's "0"). Should probably change it to 50 or other numbers but 0 or 100

3) Lastly, you would also need to add the following:

group-policy vpn attributes

     vpn-tunnel-protocol IPSec

Hope that helps a little in moving forward.

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Thank you so much Jennifer I've got some noodling to do!

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Okay, I think I've made some headway... The IAS server seems to be not listening.

satx-mdf-fw1(config)# test aaa-server authentication vpn
Server IP Address or name: 10.10.50.90
Username: Administrator
Password: ********
INFO: Attempting Authentication test to IP address <10.10.50.90> (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error
satx-mdf-fw1(config)#

Upon VPN client connect, three attempts then this message: Screenshot: http://screencast.com/t/gvWt634IxA

Hmmm...  The Users and Groups snap-in is not installed on Manager on this Windows 2003 SBS Server as published example guide on Cisco.

Heres the latest:

satx-mdf-fw1(config)# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname satx-mdf-fw1
domain-name personalizedprevention.com
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 207.XXX.103.90 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
timeout 30
name-server 10.10.50.90
domain-name personalizedprevention.com
access-list inbound remark ** Inbound Filters **
access-list inbound extended permit tcp any host 64.132.225.130 eq ssh
access-list inbound extended permit tcp any host 64.132.225.130 eq www
access-list inbound extended permit tcp any host 64.132.225.130 eq https

access-list inbound extended permit tcp any host 64.132.225.140 eq www
access-list inbound extended permit tcp any host 64.132.225.140 eq https
access-list inbound extended permit tcp any host 64.132.225.140 eq smtp
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 64.132.225.141 eq ssh
access-list inbound extended permit tcp any host 64.132.225.141 eq www
access-list inbound extended permit tcp any host 64.132.225.141 eq https
access-list outbound remark ** Outbound Filters **
access-list outbound extended permit ip any any
access-list nonat extended permit ip 10.10.50.0 255.255.255.0 10.10.20.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnclient 10.10.20.150-10.10.20.200
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 64.132.225.130 10.10.10.2 netmask 255.255.255.255
static (DMZ,outside) 64.132.225.131 10.10.10.3 netmask 255.255.255.255
static (DMZ,outside) 64.132.225.132 10.10.10.4 netmask 255.255.255.255
static (DMZ,outside) 64.132.225.133 10.10.10.5 netmask 255.255.255.255
static (DMZ,outside) 64.132.225.134 10.10.10.6 netmask 255.255.255.255
static (DMZ,outside) 64.132.225.135 10.10.10.7 netmask 255.255.255.255
static (DMZ,outside) 64.132.225.136 10.10.10.8 netmask 255.255.255.255
static (DMZ,outside) 64.132.225.137 10.10.10.9 netmask 255.255.255.255
static (DMZ,outside) 64.132.225.138 10.10.10.10 netmask 255.255.255.255
static (DMZ,outside) 64.132.225.139 10.10.10.11 netmask 255.255.255.255
static (inside,outside) 64.132.225.141 10.10.50.22 netmask 255.255.255.255
static (inside,outside) 64.132.225.140 10.10.50.90 netmask 255.255.255.255
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 207.67.103.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.10.50.90
key *****
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set my-set
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
dns-server value 10.10.50.90
vpn-tunnel-protocol IPSec
default-domain value domain.com
username troy password XXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:13af202cd8140f04299980541bc990d5
: end
satx-mdf-fw1(config)#

Cheers,

Troy

Cisco Employee

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Sounds like a problem on the authentication at this stage if "test authentication" is failing.

Are you able to ping the IAS radius server from the ASA?

Can you please check the logs on the IAS server and see why it's failing?

You can also run debug on the ASA when you try to test the authentication: "debug radius" and also grab the output of "show aaa-server vpn host 10.10.50.90"

To check if your VPN is up and running correctly, you can also test by using local authentication instead of external authentication with radius. This is just to test that the VPN is functioning and you can then concentrate to resolve the issue with the radius server.

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

satx-mdf-fw1# show aaa-server vpn host 10.10.50.90
Server Group:    vpn
Server Protocol: radius
Server Address:  10.10.50.90
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at 21:36:22 UTC Tue Nov 9 2010
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       43
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      43
Number of unrecognized responses        0

+++++++++++++++++++++++++++++++++++++++++++++++++++

satx-mdf-fw1# ping 10.10.50.90
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.50.90, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

+++++++++++++++++++++++++++++++++++++++++++++++++++


satx-mdf-fw1# test aaa-server authentication vpn
Server IP Address or name: 10.10.50.90
Username: troy.perkins
Password: ********
INFO: Attempting Authentication test to IP address <10.10.50.90> (timeout: 12 seconds)
radius mkreq: 0x3b
alloc_rip 0xd8369398
    new request 0x3b --> 43 (0xd8369398)
got user 'troy.perkins'
got password
add_req 0xd8369398 session 0x3b id 43
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 70).....
01 2b 00 46 9d 12 e3 e0 99 5e 3f 0c 55 6a 5b f8    |  .+.F.....^?.Uj[.
d1 36 37 a4 01 0e 74 72 6f 79 2e 70 65 72 6b 69    |  .67...troy.perki
6e 73 02 12 cc cb 3a 2c 5c a8 29 b2 72 00 2f 15    |  ns....:,\.).r./.
5b c0 08 34 04 06 0a 0a 32 01 05 06 00 00 00 07    |  [..4....2.......
3d 06 00 00 00 05                                  |  =.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 43 (0x2B)
Radius: Length = 70 (0x0046)
Radius: Vector: 9D12E3E0995E3F0C556A5BF8D13637A4
Radius: Type = 1 (0x01) User-Name
Radius: Length = 14 (0x0E)
Radius: Value (String) =
74 72 6f 79 2e 70 65 72 6b 69 6e 73                |  troy.perkins
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
cc cb 3a 2c 5c a8 29 b2 72 00 2f 15 5b c0 08 34    |  ..:,\.).r./.[..4
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.10.50.1 (0x0A0A3201)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x7
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.10.50.90/1645
fail request 0x3b (10.10.50.90 failed)
RADIUS_DELETE
remove_req 0xd8369398 session 0x3b id 43
free_rip 0xd8369398
radius: send queue empty
ERROR: Authentication Server not responding: No error

We have determined that the IAS radius server dies a few second after its started.

The event logs show:

The Internet Authentication Service service terminated with the following error:  Only one usage of each socket address (protocol/network address/port) is  normally permitted. For more information, see Help and Support Center at  http://go.microsoft.com/fwlink/events.asp

Looking at the IAS server now... thanks so much!

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Its now an MS issue... JOY.  We've verifed we have the MS08-037 dns security patch installed, which breaks IAS.

In the case of the IAS Service failing to start, you will see the  following event logged in the system event log:

Event Type: Error
Event Source: Service Control Manager
Event  Category: None
Event ID: 7023
Date: 7/12/2008
Time: 6:38:37 PM 
User: N/A
Computer: SERVER
Description:  The Internet Authentication  Service Service terminated with the following error:  Only one usage of each  socket address (protocol/network address/port) is normally permitted.

MS08-037 is a security update designed to prevent DNS spoofing.  The  update is described by article 953230       MS08-037: Vulnerabilities in DNS  could allow spoofing: http://support.microsoft.com/default.aspx?scid=kb;EN-US;953230

The update changes the way the DNS server allocates the UDP source port  for DNS queries.  On an SBS server by default we set the MaxUserPort value in  the registry to 60000 or 65536 depending on the version of SBS.  The  MaxUserPort  value causes the DNS server to pick UDP source ports in the range  of 1024 to 60000, or 65536.  The MaxUserPort is set on the SBS server by  Exchange and ISA server.  DNS by default will randomly pick 2500 ports when the  service starts up, a port conflict will occur if the DNS server allocates a port  that is required by another service and that service will fail once it requests  that static UDP port.  So far we have seen issues with AUTD, IPSEC, and IAS but  there may be other services that will have a conflict. 

The ReservedPorts registry key can be used to exclude ports from the  pool the DNS server uses.  The reservedports registry key is described in 812873 How to reserve a range of ephemeral ports on a computer  that is running Windows Server 2003 or Windows 2000 Server

Here is the list of ports that we have seen conflicts with services on  the machine.

  • 1645-1646 - Used by IAS
  • 1701-1701 - Used by L2TP
  • 1812-1813 - Used by IAS
  • 2883-2883 - Used by AUTD
  • 4500-4500 - Used by  IPSEC

For now we are suggesting customers be proactive and modify the  following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts

Cisco Employee

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Great, thanks for sharing the information !!

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Okay, we have IAS up and running but still can't authentice.  debug log below

satx-mdf-fw1# test aaa-server authentication vpn

Server IP Address or name: 10.10.50.90

Username: troy.perkins

Password: ********

INFO: Attempting Authentication test to IP address <10.10.50.90> (timeout: 12 seconds)

radius mkreq: 0x43

alloc_rip 0xd8369398

    new request 0x43 --> 48 (0xd8369398)

got user 'troy.perkins'

got password

add_req 0xd8369398 session 0x43 id 48

RADIUS_REQUEST

radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------

Raw packet data (length = 70).....

01 30 00 46 aa 9b 38 11 76 77 e4 4d 02 13 50 49    |  .0.F..8.vw.M..PI

4e 6f 7c 05 01 0e 74 72 6f 79 2e 70 65 72 6b 69    |  No|...troy.perki

6e 73 02 12 38 b5 ee a9 ce 98 82 08 6e 06 d8 50    |  ns..8.......n..P

2f 50 35 2f 04 06 0a 0a 32 01 05 06 00 00 00 0c    |  /P5/....2.......

3d 06 00 00 00 05                                  |  =.....

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 48 (0x30)

Radius: Length = 70 (0x0046)

Radius: Vector: AA9B38117677E44D021350494E6F7C05

Radius: Type = 1 (0x01) User-Name

Radius: Length = 14 (0x0E)

Radius: Value (String) =

74 72 6f 79 2e 70 65 72 6b 69 6e 73                |  troy.perkins

Radius: Type = 2 (0x02) User-Password

Radius: Length = 18 (0x12)

Radius: Value (String) =

38 b5 ee a9 ce 98 82 08 6e 06 d8 50 2f 50 35 2f    |  8.......n..P/P5/

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.10.50.1 (0x0A0A3201)

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0xC

Radius: Type = 61 (0x3D) NAS-Port-Type

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x5

send pkt 10.10.50.90/1645

rip 0xd8369398 state 7 id 48

rad_vrfy() : response message verified

rip 0xd8369398

: chall_state ''

: state 0x7

: reqauth:

     aa 9b 38 11 76 77 e4 4d 02 13 50 49 4e 6f 7c 05

: info 0xd83694d0

     session_id 0x43

     request_id 0x30

     user 'troy.perkins'

     response '***'

     app 0

     reason 0

     skey '*********************'

     sip 10.10.50.90

     type 1

RADIUS packet decode (response)

--------------------------------------

Raw packet data (length = 20).....

03 30 00 14 98 27 30 21 55 74 d9 96 91 89 c2 a5    |  .0...'0!Ut......

23 fb 1e 61                                        |  #..a

Parsed packet data.....

Radius: Code = 3 (0x03)

Radius: Identifier = 48 (0x30)

Radius: Length = 20 (0x0014)

Radius: Vector: 982730215574D9969189C2A523FB1E61

rad_procpkt: REJECT

RADIUS_DELETE

remove_req 0xd8369398 session 0x43 id 48

free_rip 0xd8369398

radius: send queue empty

ERROR: Authentication Rejected: AAA failure

***********************************************

IAS Radius Event Logs:

Message:

User troy.perkins was denied  access.


Fully-Qualified-User-Name = PERSONALIZEDPRE\troy.perkins


NAS-IP-Address =  10.10.50.1


NAS-Identifier = A long  jump has been executed.  (0x80000026)


Called-Station-Identifier = A long jump has been executed.   (0x80000026)


Calling-Station-Identifier = A long jump has been executed.   (0x80000026)


Client-Friendly-Name =  ASA


Client-IP-Address =  10.10.50.1


NAS-Port-Type =  Virtual


NAS-Port = 10


Proxy-Policy-Name = Use  Windows authentication for all users


Authentication-Provider  = The Plug and Play query operation was not successful.  (0x80000028)


Authentication-Server =  The specified connection has already been disconnected.  (0x80000025)


Policy-Name = The  specified connection has already been disconnected.  (0x80000025)


Authentication-Type =  PAP


EAP-Type = The specified  connection has already been disconnected.  (0x80000025)


Reason-Code =  16


Reason = [no error  description found] (4112)

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

IAS issue resolved.  Needed to check unencrypted authentication.  http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1289449333753+28353475&threadId=846194

rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xd8369398 session 0x47 id 52
free_rip 0xd8369398
radius: send queue empty
INFO: Authentication Successful

So it works from the ASA to the IAS now, however, not from the VPN Client...

Still getting same error... how does one debug the VPN Client side?

Cisco Employee

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

When you try to connect with VPN Client, are you getting prompted for username/password and it fails after that?

If that is the case, then you would need to check your IAS remote access policy as it may not allow authentication from that. There are normally predefined policy, maybe you might want to test removing all the IAS policy to start with, and configure it accordingly once your vpn client is able to authenticate.

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Running test authentication works from ASA# to IAS but fails when using the VPN Client after populating username and password fields and clicking ok.

Screenshot: http://screencast.com/t/3TtthTiXP7

When you say "If that is the case, then you would need to check your IAS remote access  policy as it may not allow authentication from that."  What exactly do you mean by `that`?  Is there somthing specific in the Policy setting on the IAS that references allowing access directly from the ASA but not an outside VPN Client?

I get the feeling that the ASA config I have is not allowing VPN Client connections.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\troy>ping 207.67.103.90

Pinging 207.67.103.90 with 32 bytes of data:
Reply from 207.67.103.90: bytes=32 time=37ms TTL=243
Reply from 207.67.103.90: bytes=32 time=32ms TTL=243
Reply from 207.67.103.90: bytes=32 time=27ms TTL=243
Reply from 207.67.103.90: bytes=32 time=38ms TTL=243

Ping statistics for 207.67.103.90:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 38ms, Average = 33ms

C:\Users\troy>nmap 207.67.103.90

Starting Nmap 5.21 ( http://nmap.org ) at 2010-11-10 23:29 Central Standard Time

Nmap scan report for 207-67-103-90.static.twtelecom.net (207.67.103.90)
Host is up (0.027s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.43 seconds

C:\Users\troy>

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

I just noticed as well that this: https://207.67.103.90/admin/public/index.html is available from the outside.  Not good, right?  I've yet to use the ADSM, would rather go shell.  But still, this is a security risk?

Cisco Employee

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Because you have the following configured:

http 0.0.0.0 0.0.0.0 outside

That allows ASDM access from the outside. If you don't want ASDM access from the outside, please remove the above command.

Also, are you actually using IPSec VPN Client or AnyConnect VPN Client? From the configuration, I believe that you are using IPSec VPN, and if it actually prompts you for a username and password, that means the IPSec process itself has started because IPSec is in 2 phase (phase 1- isakmp, and phase 2- ipsec), and if you are actually prompted for a username and password, that means it is going through phase 1. Otherwise, it will not even prompt you for a username and password.

As suggested earlier, it might be good to test using ASA local database first, to make sure that the IPSec itself is working just fine.

Then when you have tested working, you can change it to use the IAS radius server to authenticate. That way, you can pin point exactly where the problem is.

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Thanks for the tip, http outside turned off now!

Looks like I've got some more noodling to do, don't recall how to setup a local database.  Its been almost 10 years since I've configured a pix, beleive or not I used to work for Cisco in Austin in QA security appliances.  Back when it was IDS, fun stuff!

Cheers,

Troy

Cisco Employee

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

To configure the username and password, just configure the following:

username password

Then to assign the vpn group to use local authentication:

tunnel-group vpn general-attributes

     authentication-server-group LOCAL

========================================================

BTW, just look at your config again, and radius authentication server is not assigned to your vpn group, so before you try the above, can you try the following:

tunnel-group vpn general-attributes

     authentication-server-group (inside) vpn

And test to see if VPN Client connection with IAS authentication works.

========================================================

You might want to remove this too:

tunnel-group DefaultRAGroup general-attributes
     no  authentication-server-group (outside) vpn

New Member

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

Ok, I did the following:

1.) executed:

tunnel-group vpn general-attributes

      authentication-server-group (inside) vpn

2.) I added a user to local db.

3.) executed:

tunnel-group DefaultRAGroup general-attributes
     no   authentication-server-group (outside) vpn

Here is the behavior now... When attempting to login via the VPN Client, I get prompted for uname and pass.  When I enter an account that we know works on the IAS radius server I get prompted 3 times before it fails on the third attempt.

When I try with the locally added db account, I only get one try and it fails immediately.

dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.10.50.90
key *****

crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set my-set
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy vpn internal
group-policy vpn attributes
dns-server value 10.10.50.90
vpn-tunnel-protocol IPSec
default-domain value personalizedprevention.com
username troy password BeT0T8nfPJo9dtNu encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
authentication-server-group (inside) vpn
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *****

Cisco Employee

Re: ASA 5510 and MS IAS radius Cisco VPN Client setup

You would need to change the authentication depending on which you are testing.

If you are going to test authenticating to IAS radius, then you would need to have the following configured:

tunnel-group vpn general-attributes

      authentication-server-group (inside) vpn

If you are going to test authenticating to local database, then the following is required:

tunnel-group vpn general-attributes

      authentication-server-group LOCAL

Please kindly make sure that you only have 1 or the other when you are configuring it. To check the current configuration, issue: sh run tunnel-group vpn

4362
Views
23
Helpful
18
Replies
CreatePlease to create content