
New Member

Unable to configure IPSec clients authentication with RADIUS

Hello,

I configured IPSec VPN server for remote clients on Cisco 2811 with XAuth (see attached cisco vpn configuration). At first I configured clients extended authentication (Xauth) using local IOS users database and it worked ok, but then I tried to configure clients authentication via FreeRADIUS and got authentication errors (see a part of attached freeradius log): in fact, instead of client's username/password sent via Xauth, Cisco sends a VPN-Group/pre-shared key combination to FreeRADIUS. Obviously FreeRADIUS can't find such username/password in its database and replies with an error. Is it possible somehow to reconfigure Cisco in such a way that it would send username/password instead of VPN-Group/Pre-shared key, or to reconfigure FreeRADIUS so that it would interpret VPN-Group/Pre-shared key parameters?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Unable to configure IPSec clients authentication with RADIUS

xauth to radius server should not really be sending the group name and password towards the radius. xauth should send the username and password when user authenticates.

1) You can try to authenticate to the radius server from the router itself, using the "test aaa" command --> check if the authentication works.

2) When you are connecting with the vpn client, did you get prompted for username and password, and what did you enter?

New Member

Re: Unable to configure IPSec clients authentication with RADIUS

Hello,

I tested FreeRADIUS authentication with "test aaa" command as you suggested and it worked ok. Then I changed the Cisco AAA network authorization to local: "aaa authorization network vpnauth local" and it could normally authenticate with RADIUS (Cisco sent username/password and not VPN-group/pre-shared key parameters). Thanks a lot!

New Member

Re: Unable to configure IPSec clients authentication with RADIUS

Very timely thread. I was having the exact same issue with radius (freeradius) trying to auth IKE, when I only wanted user authentication by radius.

I've applied the changes suggested, and it's fixed my problem also. Thanks =)


## OLD

aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group group radius local

## NEW

aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group local


Would you mind posting what radius attributes you've set?
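
An added example, not part of any post in this thread: a small Python check over an IOS running-config that reports crypto maps whose ISAKMP (group) authorization list consults a RADIUS server group, the setup that produced the VPN-group lookups at FreeRADIUS described above. The sample config is constructed; the crypto map name `vpnmap` is hypothetical and the two `crypto map ... list` lines are assumed, since the original poster's attached configuration is not shown.

```python
import re

# Constructed sample: AAA lines follow the thread's "OLD" config; the crypto map
# name "vpnmap" and its two list bindings are assumptions for illustration.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login vpn-test-users group radius local
aaa authorization network vpn-test-group group radius local
crypto map vpnmap client authentication list vpn-test-users
crypto map vpnmap isakmp authorization list vpn-test-group
"""

AAA_RE = re.compile(r"^aaa (authentication login|authorization network) (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (client authentication|isakmp authorization) list (\S+)$")

def parse_method_lists(config):
    """Return {(kind, list_name): [methods]} for login and network method lists."""
    lists = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            kind = m.group(1).split()[0]  # "authentication" or "authorization"
            lists[(kind, m.group(2))] = m.group(3).split()
    return lists

def audit(config):
    """Flag crypto maps whose group authorization list leaves the router."""
    lists = parse_method_lists(config)
    findings = []
    for line in config.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue
        crypto_map, role, name = m.groups()
        kind = role.split()[-1]  # "authentication" or "authorization"
        methods = lists.get((kind, name))
        if methods is None:
            findings.append((crypto_map, name, "method list not defined"))
        elif kind == "authorization" and "group" in methods[:-1]:
            # "group <server-group>": the VPN group lookup is sent to that server group
            target = methods[methods.index("group") + 1]
            findings.append((crypto_map, name, f"group lookup sent to '{target}'"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The check covers only `crypto map` bindings; configurations that bind the lists elsewhere would need additional patterns.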
