vpn client authentication with windows IAS

zeuscyril
Level 4

Hi all,

I am trying to configure IAS authentication for the VPN client on a Cisco 2811 router.

If I use the local user database for authentication and authorisation, the VPN client works fine.

If I use RADIUS I get the following error; I am also attaching my config.

In the config, y.y.y.y is my outside interface IP and z.z.z.z is the gateway.

x.x.x.x in the debug is the client initiator's WAN IP.

*Nov 22 05:41:22.840: RADIUS/ENCODE(0000002D):Orig. component type = VPN_IPSEC
*Nov 22 05:41:22.840: RADIUS:  AAA Unsupported Attr: interface         [174] 14
*Nov 22 05:41:22.840: RADIUS:   38 33 2E 31 31 31 2E 32 32 38 2E 31  [83.111.228.1]
*Nov 22 05:41:22.840: RADIUS(0000002D): Config NAS IP: 192.168.16.1
*Nov 22 05:41:22.840: RADIUS/ENCODE(0000002D): acct_session_id: 45
*Nov 22 05:41:22.840: RADIUS(0000002D): sending
*Nov 22 05:41:22.840: RADIUS(0000002D): Send Access-Request to 192.168.16.2:1812 id 1645/30, len 107
*Nov 22 05:41:22.840: RADIUS:  authenticator C6 5A 3E 4E 2D B0 EC A8 - B4 B6 16 E6 5B 48 11 F1
*Nov 22 05:41:22.840: RADIUS:  User-Name           [1]   13  "brayangroup"
*Nov 22 05:41:22.840: RADIUS:  User-Password       [2]   18  *
*Nov 22 05:41:22.840: RADIUS:  Calling-Station-Id  [31]  16  "X.x.x.x"
*Nov 22 05:41:22.844: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Nov 22 05:41:22.844: RADIUS:  NAS-Port            [5]   6   0
*Nov 22 05:41:22.844: RADIUS:  NAS-Port-Id         [87]  16  "Y.y.y.y"
*Nov 22 05:41:22.844: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Nov 22 05:41:22.844: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.1
*Nov 22 05:41:22.844: RADIUS: Received from id 1645/30 192.168.16.2:1812, Access-Reject, len 20
*Nov 22 05:41:22.848: RADIUS:  authenticator 43 4B 8D 67 F7 FF 59 13 - A3 55 52 E4 DB 8F 1E 94
*Nov 22 05:41:22.848: RADIUS(0000002D): Received from id 1645/30
*Nov 22 05:41:22.936: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x was not encrypted and it should've been.
*Nov 22 05:41:22.940: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x was not encrypted and it should've been.

1 Reply

Jennifer Halim
Cisco Employee

You would need to configure NAT exemption on the router, whether you are using local or RADIUS authentication, as follows:

ACL 101 needs to have the deny statement first, before the permit statement, as follows:

access-list 101 deny ip 192.168.16.0 0.0.0.255 80.0.0.0 0.0.0.255

access-list 101 permit ip 192.168.16.0 0.0.0.255 any

BUT, you might want to change your IP pool, as you are using a public IP range. Unless you own the 80.0.0.0 subnet, you might want to change the IP pool to a private IP subnet; otherwise, when connected via VPN, you won't be able to access sites whose IPs are in the 80.0.0.0 subnet.

If you change the IP pool to a different subnet range, then please modify the above ACL 101 accordingly with the right subnet.

For the IAS RADIUS authentication, please check the IAS server itself, as it is rejecting the authentication request. You might want to check the policy on your Microsoft IAS server, as sometimes it has a default policy that might only allow specific authentication requests. You might want to delete all the policies to start with, test the authentication, and create a new policy accordingly after it's tested working.

Hope that helps.
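Putting the reply's three points together, here is an added IOS configuration fragment written for this thread; it is not the poster's attached config and not Cisco's or the replier's code. The only values taken from the thread are the 192.168.16.0/24 LAN, the router's inside address 192.168.16.1 (the "Config NAS IP" in the debug), the IAS server 192.168.16.2 on port 1812, ACL number 101 and the username "brayangroup". Everything else is assumed for illustration: the private pool 10.10.10.0/24 and its name VPNPOOL, the ISAKMP group name VPNGROUP, FastEthernet0/0 as the outside and FastEthernet0/1 as the inside interface, the AAA list names and the placeholder shared secret.

```ios
! Added example for this thread, not the original config.
! Assumed (not on the page): VPNPOOL, 10.10.10.0/24, VPNGROUP,
! FastEthernet0/0 (outside), FastEthernet0/1 (inside), list names, secret.
!
! 1. Move the client pool to a private range instead of 80.0.0.0/24.
ip local pool VPNPOOL 10.10.10.1 10.10.10.254
!
crypto isakmp client configuration group VPNGROUP
 pool VPNPOOL
!
! 2. NAT exemption. IOS evaluates ACL entries top-down and stops at the
!    first match, so the deny (= do not translate) for LAN-to-client
!    traffic must come before the permit. A numbered ACL cannot be
!    reordered in place, so remove it and re-enter it in the right order.
no access-list 101
access-list 101 remark deny = exempt LAN-to-VPN-client traffic from NAT
access-list 101 deny   ip 192.168.16.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
!
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! 3. RADIUS towards the IAS server seen in the debug. Sourcing RADIUS
!    from the inside interface keeps NAS-IP-Address at 192.168.16.1,
!    which must match the RADIUS client entry defined on IAS.
aaa new-model
radius-server host 192.168.16.2 auth-port 1812 acct-port 1813 key CHANGE-ME
ip radius source-interface FastEthernet0/1
aaa authentication login VPN-XAUTH group radius local
aaa authorization network VPN-GROUP local
!
! 4. Verify from the router before involving the VPN client:
!    test aaa group radius brayangroup <password> legacy
!    debug radius
```

The `test aaa group radius ... legacy` exec command sends an Access-Request from the same source and with the same PAP User-Password attribute (attribute [2] in the debug) that the Xauth exchange uses, so it isolates the RADIUS problem from the IPsec one. Two things to check on the IAS side while watching that test: the RADIUS client entry for 192.168.16.1 must have the same shared secret, and the remote access policy that matches this request (NAS-Port-Type Virtual, Service-Type Outbound) must allow unencrypted (PAP) authentication, since a policy that only permits MS-CHAP will answer an Access-Reject like the one in the debug.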
