I set up the pix client software, to connect to my 501 3DES. Everything worked great, it connects. Now I want to configure XAuth, and I am am somewhat confused. Does the Radius server use the same username and password key that I gave to the VPNGroup on the pix? My firewall is connected directly to the internet, can I run my IAS server on the inside? I tried to read Cisco CCO docs, and they show the IAS Server on the DMZ. Should the IAS Server always be done on a Member server, and not a domain controller? Any info on XAUTH would be appreciated. THanks in advance!
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
RADIUS Server / IAS Server
- Thread starter tek777
- Start date
You set up a shared secret key between the PIX and the Radius server, then when a client connects to the PIX via VPN the PIX hands off the authentication to the server.
The user has to log in with a username and password combination that is set up on the server.
Have a look at this, from cisco.com
pixfirewall(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
!--- Issue the access-list command to avoid
!--- Network Address Translation (NAT) on the IPSec packets.
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0
255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 14.36.100.50 255.255.0.0
ip address inside 172.18.124.152 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm history enable
arp timeout 14400
global (outside) 1 14.36.100.51
!--- Binding access list 101 to the NAT statement to avoid
!--- NAT on the IPSec packets.
nat (inside) 0 access-list 101
Nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 14.36.1.1 1
route inside 10.1.1.0 255.255.255.0 172.18.124.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!--- Enable access to the TACACS+ and RADIUS protocols.
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
!--- Associate the partnerauth protocol to RADIUS.
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.18.124.196 cisco123
timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!--- Tell PIX to implicitly permit IPSec traffic.
sysopt connection permit-ipsec
no sysopt route dnat
!--- Configure a transform set that defines how the traffic will be protected.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Create a dynamic crypto map and specify which
!--- transform sets are allowed for this dynamic crypto map entry.
crypto dynamic-map dynmap 10 set transform-set myset
!--- Add the dynamic crypto map set into a static crypto map set.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!--- Enable the PIX to launch the Xauth application on the VPN Client.
crypto map mymap client authentication partnerauth
!--- Apply the crypto map to the outside interface.
crypto map mymap interface outside
!--- IKE Policy Configuration.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- IPSec group configuration for VPN Client.
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.1.2
vpngroup vpn3000 wins-server 10.1.1.2
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3f9e31533911b8a6bb5c0f06900c2dbc
: end
[OK]
The user has to log in with a username and password combination that is set up on the server.
Have a look at this, from cisco.com
pixfirewall(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
!--- Issue the access-list command to avoid
!--- Network Address Translation (NAT) on the IPSec packets.
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0
255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 14.36.100.50 255.255.0.0
ip address inside 172.18.124.152 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm history enable
arp timeout 14400
global (outside) 1 14.36.100.51
!--- Binding access list 101 to the NAT statement to avoid
!--- NAT on the IPSec packets.
nat (inside) 0 access-list 101
Nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 14.36.1.1 1
route inside 10.1.1.0 255.255.255.0 172.18.124.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!--- Enable access to the TACACS+ and RADIUS protocols.
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
!--- Associate the partnerauth protocol to RADIUS.
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.18.124.196 cisco123
timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!--- Tell PIX to implicitly permit IPSec traffic.
sysopt connection permit-ipsec
no sysopt route dnat
!--- Configure a transform set that defines how the traffic will be protected.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Create a dynamic crypto map and specify which
!--- transform sets are allowed for this dynamic crypto map entry.
crypto dynamic-map dynmap 10 set transform-set myset
!--- Add the dynamic crypto map set into a static crypto map set.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!--- Enable the PIX to launch the Xauth application on the VPN Client.
crypto map mymap client authentication partnerauth
!--- Apply the crypto map to the outside interface.
crypto map mymap interface outside
!--- IKE Policy Configuration.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- IPSec group configuration for VPN Client.
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.1.2
vpngroup vpn3000 wins-server 10.1.1.2
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3f9e31533911b8a6bb5c0f06900c2dbc
: end
[OK]
- Thread starter
- #3
My RADIUS server still is not working. I think it is because i need my IAS on the outside of the outbound interface.Either that, or its Windows 2003 IAS doesnt work.
My VPN pool = 192.168.100.11-50
My Lan = 10.10.1.x
My RADIUS 10.10.1.8
Quoting something I read "Xauth allows authentication after IKE phase 1 and before IKE Phase 2 and a password from the client, The user is verified against and external RADIUS or TACACS+ server, LOCAL cannot be used"
I am thinking it needs to be on the outside interface, because it statest the the IAS must be "External".
My VPN pool = 192.168.100.11-50
My Lan = 10.10.1.x
My RADIUS 10.10.1.8
Quoting something I read "Xauth allows authentication after IKE phase 1 and before IKE Phase 2 and a password from the client, The user is verified against and external RADIUS or TACACS+ server, LOCAL cannot be used"
I am thinking it needs to be on the outside interface, because it statest the the IAS must be "External".
Your RADIUS server should really be on the inside network, safe from attack etc. The `external' refers to a server function that is not within the PIX, but it dosent have to be on the outside network. Sp long as your client has an IP path to the server then the RADIUS protocol will work, as long as your not blocking the protocol in any ACL's.
Between the client and the PIX you need a shared secret key, this is for ISAKMP and is configured using the `vpngroup <name> password' command.
You also need a shared secret key between the radius server and the PIX, in the following example its `cisco123'
aaa-server partnerauth (inside) host 172.18.124.196 cisco123
I'm not sure if the windows 2003 IAS needs to be on a DC or a member server. I know RADIUS can use the accounts database, so would it will work on a DC.
Between the client and the PIX you need a shared secret key, this is for ISAKMP and is configured using the `vpngroup <name> password' command.
You also need a shared secret key between the radius server and the PIX, in the following example its `cisco123'
aaa-server partnerauth (inside) host 172.18.124.196 cisco123
I'm not sure if the windows 2003 IAS needs to be on a DC or a member server. I know RADIUS can use the accounts database, so would it will work on a DC.
- Thread starter
- #5
Hi, thanks for the tips. I am starting to wonder if Windows 2003 server is OK to use. I read one other post where someone was having trouble with it. I am going to try again to set up this radius server today. I may just try to use the same IP range as my internal network to keep it simple. The example they use in the Cisco Press VPN book has the remote user pool, the same as the lan IP range. I am under the gun to get this set up, I am going to try my best again today to get it set up, if it doesnt work, I am going to open up a TAC case. I will first double check my configs against the ones in the books, heh.
tek777 can you access cisco.com, if so have a look at:
This has been updated 19th November to include windows 2003 IAS, hows that for service!!
This has been updated 19th November to include windows 2003 IAS, hows that for service!!
- Thread starter
- #7
Wow! You are the man. The only thing that may be a litte confusing is the RADIUS is on a different IP then the lan. But, as you said, that isnt a problem I do not think. I was reading Cisco VPN book, and there example has the radius on the same IP as the lan as well. OK, I am going to do a write erase and start over. I implmented WINS and I have my own internal DNS as well. I will let you know how it is going. I have 2 firewalls here, a 501 with 3DES, and now a 506e that I upgraded with teh free Key for 3DES. I have a smartnet on a 501 and some 515s. I am also waiting on the smartnet for my 506e. I guess I could just ask Cisco TAC questions when I get stuck. I have been trying to learn, so I do anything I can to do it myself. However, I gotta replace our Checkpoint fireall ASAP. THe last thing I want to do is roll out this VPN and get calls at 1am, so I am going to be testing it this week. I am not sure if I will use the same IP as my lan for the VPN pool or not. I keep going back and forth. Right now I am just testing and getting my ducks in a row. I will surely use that Document you sent! Thanks you X 100!
My first Client based VPN used an IP range that overlapped the HQ LAN range, it did work, but I have some strange problems.
So I changed it to a completely different range, which resolved the problems I had.
I seem to recall the problems were mainly down to browsing network services.
So I changed it to a completely different range, which resolved the problems I had.
I seem to recall the problems were mainly down to browsing network services.
For the VPN pool it is recommended to use an unused subnte so it has to be different than your LAN address space. If you experience issues with RADIUS I would advise you run debug aaa authentication to find out it the PIX is sending the auth request to RADIUS, I would also look at RADIUS logs. That's my two cents!
- Thread starter
- #10
- Thread starter
- #11
Hi,
OK! I got it working! Thank you everyone
!!!! I was able to authenticate using the shared Key, and the local users name and password. Whew. The authentication works, now I have to make the user be able to browse the network and whatnot, that isnt working yet :O
Here is my config....
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .
passwd
hostname pixfirewall
domain-name m13-group.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.100.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.211 255.255.255.240
ip address inside 10.0.0.200 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool m3vpnpool 192.168.100.10-192.168.100.30
pdm location 10.0.0.8 255.255.255.255 inside
pdm location 10.0.0.6 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server m3aaa protocol radius
aaa-server m3aaa (inside) host 10.0.0.6 33333 timeout 5
http server enable
http 10.0.0.8 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication m13aaa
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup m13vpn address-pool m3vpnpool
vpngroup m13vpn dns-server 10.0.0.4 10.0.0.6
vpngroup m13vpn wins-server 10.0.0.6
vpngroup m13vpn default-domain m3-group.com
vpngroup m13vpn idle-time 1800
vpngroup m13vpn password
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
: end
[OK]
OK! I got it working! Thank you everyone
!!!! I was able to authenticate using the shared Key, and the local users name and password. Whew. The authentication works, now I have to make the user be able to browse the network and whatnot, that isnt working yet :O Here is my config....
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .
passwd
hostname pixfirewall
domain-name m13-group.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.100.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.211 255.255.255.240
ip address inside 10.0.0.200 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool m3vpnpool 192.168.100.10-192.168.100.30
pdm location 10.0.0.8 255.255.255.255 inside
pdm location 10.0.0.6 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server m3aaa protocol radius
aaa-server m3aaa (inside) host 10.0.0.6 33333 timeout 5
http server enable
http 10.0.0.8 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication m13aaa
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup m13vpn address-pool m3vpnpool
vpngroup m13vpn dns-server 10.0.0.4 10.0.0.6
vpngroup m13vpn wins-server 10.0.0.6
vpngroup m13vpn default-domain m3-group.com
vpngroup m13vpn idle-time 1800
vpngroup m13vpn password
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
: end
[OK]
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question