VPN & radius authentication failure

[Steven16]

I just setup a pix520 with VPN and W2k IAS radius for domain authentication. If I disable the crypto client authentication to the radius server, I can successfully VPN with the Cisco 3.5 w2k client. (obviously with the right group name and shared secret.) But as soon as I turn on the authentication to radius, I do get a domain login screen for login name and password. But always get an authentication failure. Why? Yes the IAS looks to be configured right. Yes the user dial-up permission is set to allow. I dont have the pix config at hand (i'm at home) but I will reply with it tomorrow.

please advise.

 

[Steven16]

Ok here is the config.... the IAS server is the adauth on x.x.8.28

Please advise.


PIX(config)# show config
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security20
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password xxxxx encrypted
passwd xxxx encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside_2_inside permit tcp any host x.x.x.141 eq smtp
access-list localtovpnclient permit ip x.x.8.0 255.255.255.0 x.x.9.0 255.255.255.0
access-list acl_out permit gre any any
access-list no_nat_inside permit ip x.x.8.0 255.255.255.0 x.x.9.0 255.255.255.0
pager lines 24
logging buffered debugging
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside x.x.x.200 255.255.252.0
ip address inside x.x.8.2 255.255.252.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool corpvpnpool x.x.9.170-x.x.9.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.141 x.x.8.14 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route inside x.x.8.0 255.255.255.192 x.x.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server adauth protocol tacacs+
aaa-server adauth (inside) host x.x.8.28 cisco123 timeout 10
aaa authentication telnet console adauth
aaa authentication ssh console adauth
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
auth-prompt accept OK - You are authenicated.
auth-prompt reject Authentication failed. Try Again.
crypto ipsec transform-set MYSET2 esp-3des esp-sha-hmac
crypto ipsec transform-set MYSET1 esp-des esp-md5-hmac
crypto dynamic-map corpvpndyn 10 set transform-set MYSET1
crypto dynamic-map corpvpndyn 20 set transform-set MYSET2
crypto map corpvpn 10 ipsec-isakmp dynamic corpvpndyn
crypto map corpvpn client configuration address respond
crypto map corpvpn client authentication adauth
crypto map corpvpn interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 5000
vpngroup REMOTE address-pool corpvpnpool
vpngroup REMOTE dns-server x.x.8.11
vpngroup REMOTE wins-server x.x.8.11
vpngroup REMOTE split-tunnel localtovpnclient
vpngroup REMOTE idle-time 84400
vpngroup REMOTE password ********
telnet x.x.8.0 255.255.255.192 inside
telnet timeout 5
ssh x.x.x.202 255.255.255.255 outside
ssh x.x.8.63 255.255.255.255 inside
ssh timeout 60
terminal width 80

 

[Steven16]

We got the authentication working. But now I cant see ANY ip's on the inside. Any ideas? Oh, one note: the cisco 3.5 client is connecting via ipsec over udp.

please advise.

 

[rickh9]

Stephen,
How did you get the XAUTH to work? We have a nearly identical configuration here and are having the same problem. Your insight into the problem would be greatly appreciated.

 

[Steven16]

This is the key to xauth:
crypto map corpvpn client authentication adauth

it links your crypto to the adauth(my variable)

Make sure the IAS IP is referenced and the secret password is set.

Once you get it running... see if you can browse the network. I can't. I need help with that part.

 

[yizhar]

HI.

***
About IAS, when used in conjuction with PIX and IPSEC, you should change the IAS profile to allow PAP which is disabled by default.
The xauth authentication of VPN client to PIX seems to be done by PAP over the encripted IPSEC tunnel, so it is not unencripted but the IAS must be configured to accept this, and by default IAS rejects this protocol.

***
Steven, what do you mean here:
"cisco 3.5 client is connecting via ipsec over udp."
As far as I know the pix does not yet support IPSEC encapsulation (the VPN client supports it but not the pix).

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[Steven16]

Yizhar,

I finally got VPN working. The issues were several, and no one place (even cisco) had all the right answers in one place. I found that no encapsulation is needed, but it will still work when the tunnel is sent via UDP instead of the TCPort 10000.

The block on the inside was two fold. Since we now have TWO external gateways (as seen from any server) a rule was needed on the Raptor (Craptor) firewall. Also a new access list was needed on the PIX to allow all inside subnets see the vpnpool.

 

[rickh9]

Stephen,
With our nearly identical situation (Right down to the Craptor) I solved the IAS problem by changing the default gateway on one of the dual nics that the IAS server has. I also added a new route on our WAN router pointing to the VPN Pool. And no Cisco couldn't figure it out after almost a year of trying.
It wasn't until after I had read several of the threads in this forum that the penny finally dropped. UDP works fine here as well.

I would be very interested in seeing the access-list you created to solve the browse issue.

As an aside.... Do you currently block mime types in the Raptor (IM, Streaming etc.) and if so what will you be using to do this in the future?

 

[Steven16]

Update:
We got the VPN and authentication to IAS working. But now with a dozen working clients, three clients using the same Cisco client, CAN get vpn authentication, but cant ping, browse or see the inside lan. Why?

 

[rickh9]

Added the following;

access-list inside permit udp any 192.168.x.0 255.255.255.0 eq netbios-ns
access-list inside permit udp any 192.168.x.0 255.255.255.0 eq netbios-dgm
access-list inside permit tcp any 192.168.x.0 255.255.255.0 eq netbios-ssn

And that got netbios working to ONE of our domains. I seem to recall a browser issue that may be related to NT4 SP5 one one or two of our machines in the disfunctional domain, so I'll be chasing that down this week.

It's interesting that you can complete your VPN connection but not ping the network. It looks like you still have a routing issue.

My solution was to add the following route to our default gateway, pointing the vpn pool back to the pix.

ip route 192.168.x.0 255.255.255.0 10.x.x.x

And with the exception of the browser bug issue, everything is working fine.