Cisco Support Community

New Member

iPhone fails to authenticate within ACS.

Hi There!

I have created a VPN group (PIX v8.0(3)) for the corporate iPhones. They work fine if the authentication is LOCAL, but if I request them to authenticate within ACS, it fails. What should I do?

6 REPLIES

Re: iPhone fails to authenticate within ACS.

Perform an authentication check from the PIX/ASA using the uid/pwd that is configured in the ACS to make sure the details are valid.

HTH

New Member

Re: iPhone fails to authenticate within ACS.

Yes they are valid. Works fine from my desktop.

Re: iPhone fails to authenticate within ACS.

OK - is the config in the PIX/ASA valid?

Have you added the PIX/ASA in the ACS as a valid network device?

New Member

Re: iPhone fails to authenticate within ACS.

So far it is.

Yes, I have added the PIX in the ACS. I have about 300 L2L dynamic connections, 3 PIX x PIX/ASA and about 150 remote access.

Here is the set pointing to ACS:

aaa-server PIX protocol radius
aaa-server PIX (Corp) host 10.0.30.3
 timeout 5
 key auditor

Re: iPhone fails to authenticate within ACS.

The only thing left to test is to log in via a remote VPN connection using the same details the iPhone is using. If it passes, the issue is with the iPhone; if it fails, then you need to check the ACS logs for the failure reason.

HTH

New Member

Re: iPhone fails to authenticate within ACS.

This group has access via remote VPN and via iPhone.

Here is my configuration:

object-group network Painel
 network-object 172.30.23.0 255.255.255.0
!
access-list Outside_cryptomap extended permit ip any object-group Painel
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.102 object-group Painel eq 7778
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.109 object-group Painel eq www
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.169 object-group Painel eq 8080
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.191 object-group Painel eq 8080
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.235 object-group Painel eq www
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.253 object-group Painel eq www
!
access-list Painel_SplittunnelAcl standard permit host 10.0.30.102
access-list Painel_SplittunnelAcl standard permit host 10.0.30.109
access-list Painel_SplittunnelAcl standard permit host 10.0.30.169
access-list Painel_SplittunnelAcl standard permit host 10.0.30.191
access-list Painel_SplittunnelAcl standard permit host 10.0.30.235
access-list Painel_SplittunnelAcl standard permit host 10.0.30.253
!
ip local pool PainelACCESS 172.30.23.1-172.30.23.254 mask 255.255.255.0
!
group-policy Painel internal
group-policy Painel attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Painel_SplittunnelAcl
!
tunnel-group Painel type ipsec-ra
tunnel-group Painel general-attributes
 address-pool PainelACCESS
 authentication-server-group PIX
 authorization-server-group PIX
 accounting-server-group PIX
 default-group-policy Painel
tunnel-group Painel ipsec-attributes
 pre-shared-key *
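As an added example (not part of this thread and not a Cisco tool), a small Python checker that does the "is the config in the PIX/ASA valid?" step from the replies above mechanically: it parses the aaa-server and tunnel-group sections and confirms that every authentication, authorization and accounting server group a tunnel-group references resolves to a defined aaa-server group with at least one host. The embedded configuration is a constructed excerpt of the lines posted above; `aaa-server`, `tunnel-group` and the `*-server-group` keywords are real ASA syntax, the function names are the example's own.

```python
import re

# Constructed excerpt of the AAA and tunnel-group lines from the configuration posted above.
ASA_CONFIG = """\
aaa-server PIX protocol radius
aaa-server PIX (Corp) host 10.0.30.3
 timeout 5
 key auditor
tunnel-group Painel type ipsec-ra
tunnel-group Painel general-attributes
 address-pool PainelACCESS
 authentication-server-group PIX
 authorization-server-group PIX
 accounting-server-group PIX
 default-group-policy Painel
"""
def parse_aaa_servers(config):
    # aaa-server group name -> list of (interface, host); a "protocol"-only group has no host.
    groups = {}
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"aaa-server (\S+) (?:protocol \S+|\((\S+)\) host (\S+))$", line)
        if m:
            hosts = groups.setdefault(m.group(1), [])
            if m.group(3):
                hosts.append((m.group(2), m.group(3)))
    return groups

def parse_tunnel_group_refs(config):
    # tunnel-group name -> {role: server group} taken from its general-attributes section.
    refs, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("tunnel-group "):
            m = re.match(r"tunnel-group (\S+) general-attributes$", line)
            current = m.group(1) if m else None  # skip type / ipsec-attributes sections
        m = re.match(r"(authentication|authorization|accounting)-server-group (\S+)$", line)
        if m and current:
            refs.setdefault(current, {})[m.group(1)] = m.group(2)
    return refs

def check_aaa_references(config):
    # LOCAL is the built-in user database, so it never needs an aaa-server entry.
    servers = {"LOCAL": [("local", "database")], **parse_aaa_servers(config)}
    problems = []
    for tg, roles in parse_tunnel_group_refs(config).items():
        for role, grp in roles.items():
            if grp not in servers:
                problems.append(f"{tg}: {role}-server-group {grp} is not defined")
            elif not servers[grp]:
                problems.append(f"{tg}: aaa-server group {grp} has no host")
    return problems
```

An empty result only means the references are consistent on the firewall side; whether the ACS accepts the firewall as a client and the shared key is where the replies send you next (the ACS failed-attempt logs).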
