Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1129
Views
0
Helpful
5
Replies

VPN client Access question

Thomas Grassi
Level 1
Level 1

‎01-04-2012 05:54 AM

Do I have to create a userid and password for every vpn client user that I have on the Cisco router?

When I use the cisco VPN client it asks me for a userid and password

every windows 2003 ad account that I tried did not work

when I used the id that I use to telnet into my cisco to access the console it worked

Do I have something configed wrong or do I need to create duplicate ids?

I am using ESY VPN server on a cisco 851 awg k9 router

Any ideas

Please help

Tom

Thomas R Grassi Jr
Labels:
0 Helpful
5 Replies 5

rizwanr74
Level 7
Level 7

‎01-04-2012 06:20 AM

Of course, VPN router is within the router itself, if you want to communicate your router to Windows domain you may need to setup either LDAP authentication or Radius authentication. Radius is easier. Check the URL below for setting the router for Radius authentication.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml

Thanks

Rizwan Rafeek

0 Helpful

Thomas Grassi
Level 1
Level 1
In response to rizwanr74

‎01-04-2012 06:52 AM

Rizwan

Thank you

I am running ISA on my Windows 2003 server its ip address is 192.168.69.15

I think I have Radius setup can you check my config?

Here it is and I highlighted the vpn commands


-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------


User Access Verification

Username: netman
Password:

MyRouter#show config
Using 6108 out of 131072 bytes
!
! Last configuration change at 21:16:45 EST Fri Dec 30 2011 by netman
! NVRAM config last updated at 21:16:48 EST Fri Dec 30 2011 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1                              I think this is it??????????????
server 192.168.69.15 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 loc
al
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 lo
cal
aaa authorization network ciscocp_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01 nvram:IOS-Self-Sig#3302.cer
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
group 2
!
crypto isakmp client configuration group TGCSVPN
key xxxxxxxxxxxxxx
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group TGCSVPN
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
interface Loopback1
ip address 10.69.241.0 255.0.0.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
!
ip access-list extended denyDHCP
deny   udp any any eq bootpc
deny   udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
no cdp run
radius-server host 192.168.69.15 auth-port 1645 acct-port 1646
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175152
ntp server 141.165.5.137
end

MyRouter#

Thomas R Grassi Jr
0 Helpful

rizwanr74
Level 7
Level 7
In response to Thomas Grassi

‎01-04-2012 07:40 AM

Here are the primary commands for Radius authentication as per the Cisco documentation and make sure you have port number is correct.  For Windows Radius it is:1812

aaa authentication login userauthen group radius local

aaa authorization network groupauthor local

crypto isakmp client configuration group yourwindws-group


crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client authentication list userauthen

radius-server host 192.168.69.15 auth-port 1812 acct-port 1812 key cisco123
radius-server retransmit 3

0 Helpful

Thomas Grassi
Level 1
Level 1
In response to rizwanr74

‎01-14-2012 04:01 PM

Mu config now matches just those commands and the vpn client filas to connect now

I get this

Secure VPN connection terminated locally by the client

reason 412 the reomte peer in no longer responding

when I do a show crypto isakmp sa it shows nothing

Must need more than the above

Need help

Thomas R Grassi Jr
0 Helpful

rizwanr74
Level 7
Level 7
In response to Thomas Grassi

‎03-08-2012 09:51 PM

Please rate a helpful post.

thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents