Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

vpn client authentication with windows IAS

hi all,

i am trying to configure the IAS authentication for vpn client in cisco 2811 router.

if i use authentication and authorisation as local user database vpn client is working fine.

if i use radius the following error,i am also attaching my config.

in the config y.y.y.y is my outside interface ip, z.z.z.z is gateway

x.x.x.x in the debug is client initiator WAN ip

*Nov 22 05:41:22.840: RADIUS/ENCODE(0000002D):Orig. component type = VPN_IPSEC
*Nov 22 05:41:22.840: RADIUS:  AAA Unsupported Attr: interface         [174] 14

*Nov 22 05:41:22.840: RADIUS:   38 33 2E 31 31 31 2E 32 32 38 2E 31
*Nov 22 05:41:22.840: RADIUS(0000002D): Config NAS IP:
*Nov 22 05:41:22.840: RADIUS/ENCODE(0000002D): acct_session_id: 45
*Nov 22 05:41:22.840: RADIUS(0000002D): sending
*Nov 22 05:41:22.840: RADIUS(0000002D): Send Access-Request to
id 1645/30, len 107
*Nov 22 05:41:22.840: RADIUS:  authenticator C6 5A 3E 4E 2D B0 EC A8 - B4 B6 16
E6 5B 48 11 F1
*Nov 22 05:41:22.840: RADIUS:  User-Name           [1]   13  "brayangroup"
*Nov 22 05:41:22.840: RADIUS:  User-Password       [2]   18  *
*Nov 22 05:41:22.840: RADIUS:  Calling-Station-Id  [31]  16  "X.x.x.x"
*Nov 22 05:41:22.844: RADIUS:  NAS-Port-Type       [61]  6   Virtual
*Nov 22 05:41:22.844: RADIUS:  NAS-Port            [5]   6   0

*Nov 22 05:41:22.844: RADIUS:  NAS-Port-Id         [87]  16  "Y.y.y.y"
*Nov 22 05:41:22.844: RADIUS:  Service-Type        [6]   6   Outbound
*Nov 22 05:41:22.844: RADIUS:  NAS-IP-Address      [4]   6

*Nov 22 05:41:22.844: RADIUS: Received from id 1645/30, Access
-Reject, len 20
*Nov 22 05:41:22.848: RADIUS:  authenticator 43 4B 8D 67 F7 FF 59 13 - A3 55 52
E4 DB 8F 1E 94
*Nov 22 05:41:22.848: RADIUS(0000002D): Received from id 1645/30
*Nov 22 05:41:22.936: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x
was not encrypted and it should've been.
*Nov 22 05:41:22.940: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x was not encrypted and it should've been.

Cisco Employee

Re: vpn client authentication with windows IAS

You would need to configure NAT exemption on the router despite using local or radius authentication as follows:

ACL101 needs to have deny statement first, before permit statements as follows:

access-list 101 deny ip

access-list 101 permit ip any

BUT, you might want to change your IP Pool as you are using a public ip range. Unless you own subnet, you might want to change the IP Pool to private ip subnet, otherwise, when connected via VPN, you won't be able to access sites whose IPs are in subnet.

If you change the ip pool to a different subnet range, then pls modify the above ACL 101 accordingly with the right subnet.

For the IAS radius authentication, please check the IAS server itself, as it is rejecting the authentication request. You might want to check the policy on your microsoft IAS server as sometimes it has default policy that might only allow specific authentication request.You might want to delete all the policies to start with, test the authentication, and create new policy accordingly after it's tested working.

Hope that helps.

CreatePlease to create content