08-28-2012 10:04 AM
I've been looking through the discussions and I can't seem to nail this one down. I'm implementing SSL VPN on a 2821 to do SMTP only. I need it to auth off the RADIUS server and it is only asking for local router login P/Ws. It will not auth against RADIUS. I've created a separate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
This is what the config looks like:
Building configuration...
Current configuration : 24735 bytes
!
! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname N****
!
aaa new-model
!
!
aaa group server radius IAS_AUTH
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
!
aaa group server radius Global ***made for testing. Redundant
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
clock timezone Arizona -7
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-2464190257
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2464190257
revocation-check none
rsakeypair TP-self-signed-2464190257
!
!
crypto pki certificate chain TP-self-signed-2464190257
certificate self-signed 01
***
REMOVED
****
!
!
!
!
!
interface GigabitEthernet0/0
****
INTERFACES REMOVED
****
ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export source GigabitEthernet0/0
ip flow-export version 5 peer-as
ip flow-export destination 10.12.1.17 2048
!
***
ROUTES REMOVED
***
ACLS REMOVED SSL IS ALLOWED
***
!
!
route-map STAT_NAT permit 10
match ip address 109
!
route-map DYN_NAT permit 10
match ip address 108
!
snmp-server community $DCI$ RO
!
!
!
control-plane
!
banner login ^C
!
line con 0
password 7 01100F175804
login authentication local
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address **outside ip*** port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2464190257
no inservice
!
webvpn context webvpn
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
port-forward "portforward_list_1"
local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
!
policy group policy_1
port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list SSL_Global
aaa authentication domain @n****
gateway gateway_1 domain N****
max-users 10
no inservice
!
end
Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?
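Before chasing debugs, it helps to verify the reference chain the config above sets up: webvpn context, its "aaa authentication list", the matching "aaa authentication login" list, and the server group that list names. If any link is missing, IOS falls back to the default login list, which here is local only. The script below is an added example for this thread, not code from the poster or from Cisco. The config text inside it is a constructed, trimmed version of the posted one with a placeholder key; the names webvpn, SSL_Global and IAS_AUTH are taken from the post, and the parser tolerates the lost indentation of a pasted running-config.

```python
"""Cross-check a Cisco IOS WebVPN (SSL VPN) context against its AAA method list.

Added example for this thread; not the poster's or Cisco's code. It reads a
running-config as text and reports where the chain
  webvpn context -> aaa authentication list -> aaa authentication login -> server group
is broken, which is what makes the box prompt against local router accounts.
"""
import re
from dataclasses import dataclass, field


@dataclass
class AaaModel:
    server_groups: dict = field(default_factory=dict)    # group name -> server lines
    login_lists: dict = field(default_factory=dict)      # list name -> method tokens
    webvpn_contexts: dict = field(default_factory=dict)  # context -> auth list or None


def parse_ios_config(text):
    """Build an AaaModel from running-config text (indentation may be lost)."""
    model = AaaModel()
    section = None  # ("group", name) or ("context", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # '!' is only a separator; don't let it end a block
        if line == "end":
            break
        m = re.match(r"aaa group server (?:radius|tacacs\+) (\S+)$", line)
        if m:
            section = ("group", m.group(1))
            model.server_groups[m.group(1)] = []
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            section = None
            model.login_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"webvpn context (\S+)$", line)
        if m:
            section = ("context", m.group(1))
            model.webvpn_contexts[m.group(1)] = None
            continue
        if section and section[0] == "group" and line.startswith(("server ", "server-private ")):
            model.server_groups[section[1]].append(line)
        elif section and section[0] == "context":
            m = re.match(r"aaa authentication list (\S+)$", line)
            if m:
                model.webvpn_contexts[section[1]] = m.group(1)
    return model


def parse_methods(tokens):
    """Turn 'group IAS_AUTH local' into [('group','IAS_AUTH'), ('local',None)]."""
    methods, it = [], iter(tokens)
    for tok in it:
        methods.append(("group", next(it, "")) if tok == "group" else (tok, None))
    return methods


def check_webvpn_radius(model, context_name):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    list_name = model.webvpn_contexts.get(context_name)
    if list_name is None:
        findings.append(f"context {context_name}: no 'aaa authentication list', "
                        "so the 'default' login list applies")
        list_name = "default"
    methods = model.login_lists.get(list_name)
    if methods is None:
        findings.append(f"login list '{list_name}' used by context {context_name} is not defined")
        return findings
    uses_radius = False
    for kind, name in parse_methods(methods):
        if kind == "group":
            if name == "radius":          # implicit group of all configured RADIUS servers
                uses_radius = True
            elif name not in model.server_groups:
                findings.append(f"login list {list_name}: server group '{name}' is not defined")
            elif not model.server_groups[name]:
                findings.append(f"server group {name}: no servers configured")
            else:
                uses_radius = True
        elif kind == "local" and not uses_radius:
            findings.append(f"login list {list_name}: 'local' is tried before any RADIUS group")
    if not uses_radius:
        findings.append(f"login list {list_name}: no RADIUS method at all")
    return findings


# Constructed sample: trimmed from the posted config, key replaced by a placeholder.
SAMPLE_OK = """\
aaa new-model
!
aaa group server radius IAS_AUTH
 server-private 10.12.1.7 auth-port 1645 acct-port 1646 key PLACEHOLDER_KEY
!
aaa authentication login default local
aaa authentication login SSL_Global group IAS_AUTH
!
webvpn context webvpn
 ssl authenticate verify all
 !
 policy group policy_1
 default-group-policy policy_1
 aaa authentication list SSL_Global
 aaa authentication domain @example
 inservice
!
end
"""
# Same config with the list binding dropped (falls back to the local-only default list).
SAMPLE_FALLBACK = SAMPLE_OK.replace(" aaa authentication list SSL_Global\n", "")
# Same config pointing at a server group that does not exist.
SAMPLE_BAD_GROUP = SAMPLE_OK.replace("group IAS_AUTH", "group Global")

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("fallback", SAMPLE_FALLBACK), ("bad-group", SAMPLE_BAD_GROUP)):
        print(label, check_webvpn_radius(parse_ios_config(cfg), "webvpn") or "chain consistent")
```

Run it against a saved "show running-config" and a clean result means the remaining problem is on the RADIUS side (key, ports, or the server not seeing the request), which is exactly what the debugs asked for below this post will show.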
08-31-2012 10:41 AM
OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?
08-31-2012 03:53 PM
Eric,
Can you post the results of "debug aaa authentication" and "debug radius authentication"?
thanks,
Tarik Admani
*Please rate helpful posts*