IPSec VPN w/ IOS using MS IAS RADIUS

Using a 3825 router to set up incoming VPN connection using the Cisco VPN client. I would like group auth to be done on the router, and user auth using radius, in this case an IAS server.

The problem is that the router is sending groupauth to the IAS server, which of course denies it. So, communication between the router and IAS server is fine, it's just what is being sent.

Our group name is remote, and it sends domain\remote as the username to the IAS server. Key exchange needs to be handled by the router, and then when the user enters their domain user/pass, it's sent to the IAS server.

Below is the relevant config. I feel like I am close, but am missing something obvious. Thanks in advance for taking a look and/or referring me to relevant config references.

aaa new-model
aaa group server radius VPNAccess
 server 1.2.3.4 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authorization network groupauthor group VPNAccess
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp client configuration group remote
 key ******
 dns 5.6.7.8 9.10.11.12
 pool remote-pool
 acl 1234
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dyna 10
 set transform-set strong
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic dyna

5 REPLIES

Re: IPSec VPN w/ IOS using MS IAS RADIUS

Looks like your authentication and authorization are backwards:

aaa authentication login default local
aaa authorization network groupauthor group VPNAccess

aaa authentication login VPNAccess local
aaa authorization network groupauthor local

Re: IPSec VPN w/ IOS using MS IAS RADIUS

Will that allow login to the router itself to still be handled through local? I would prefer not to have to use radius to auth me when I SSH to the router.

Re: IPSec VPN w/ IOS using MS IAS RADIUS

After attempting these changes, VPN login is allowed without any interaction with the radius server at all.

Re: IPSec VPN w/ IOS using MS IAS RADIUS

OK, figured it out.

For the record, here is the correct config:

aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp client configuration group remote
 key ******
 dns 5.6.7.8 9.10.11.12
 pool remote-pool
 acl 1234
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dyna 10
 set transform-set strong
crypto map MYMAP client authentication list userauthen
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic dyna

Re: IPSec VPN w/ IOS using MS IAS RADIUS

Thanks for posting the corrected config.
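
An added example, not part of the thread and not Cisco tooling: a small Python check that reads the AAA and crypto map lines of an IOS Easy VPN config and flags the two conditions seen in this thread, a locally defined group being authorized against RADIUS and a crypto map with no client authentication (Xauth) list. The function name and finding labels are made up for illustration, the sample strings are constructed from the AAA and crypto map lines of the three configs above, and a crypto map is only audited if it has at least one of the two list commands.

```python
import re

AAA_RE = re.compile(r"aaa (authentication login|authorization network) (\S+) (.+)")
MAP_RE = re.compile(r"crypto map (\S+) (isakmp authorization|client authentication) list (\S+)")

def audit_ezvpn_aaa(config):
    """Return findings on how each crypto map's Easy VPN AAA lists are wired."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    methods, maps = {}, {}
    local_groups = any(ln.startswith("crypto isakmp client configuration group ") for ln in lines)
    for ln in lines:
        if m := AAA_RE.match(ln):
            methods[(m[1].split()[0], m[2])] = m[3].split()   # e.g. ("authorization", "groupauthor")
        elif m := MAP_RE.match(ln):
            maps.setdefault(m[1], {})[m[2].split()[1]] = m[3]  # e.g. {"authentication": "userauthen"}
    findings = []
    for name, lists in sorted(maps.items()):
        authz = methods.get(("authorization", lists.get("authorization")), [])
        if local_groups and authz[:1] == ["group"]:
            # Group profile is defined on the router, yet the group name is sent to RADIUS.
            findings.append(f"{name}: group-authz-sent-to-radius")
        if "authentication" not in lists:
            # No Xauth list on the map: the group key alone admits a client.
            findings.append(f"{name}: no-xauth-list")
        elif "group" not in methods.get(("authentication", lists["authentication"]), []):
            # Xauth list exists but names no RADIUS server group.
            findings.append(f"{name}: xauth-never-reaches-radius")
    return findings

# Constructed samples: AAA and crypto map lines taken from the three configs in the thread.
MAP_TAIL = """crypto isakmp client configuration group remote
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic dyna
"""
ORIGINAL = ("aaa authentication login default local\n"
            "aaa authorization network groupauthor group VPNAccess\n" + MAP_TAIL)
FIRST_REPLY = ("aaa authentication login VPNAccess local\n"
               "aaa authorization network groupauthor local\n" + MAP_TAIL)
CORRECTED = ("aaa authentication login userauthen group radius local\n"
             "aaa authorization network groupauthor local\n"
             "crypto map MYMAP client authentication list userauthen\n" + MAP_TAIL)

if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL), ("first reply", FIRST_REPLY), ("corrected", CORRECTED)]:
        print(label, audit_ezvpn_aaa(cfg) or "ok")
```
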
