[c-nsp] IPsec cisco VPN client and Radius

Palis Michael security at cytanet.com.cy
Wed Nov 23 02:59:18 EST 2005


Thanks Tomas for your reply. Your reply was very helpful. I solved the
problem. The problem was with the user setup on the RADIUS. I had tried the
Microsoft PPTP VPDN before and I did not remove some attributes that I put on the
user in order to use PPTP.

Regards


-----Original Message-----
From: Tomas Caslavsky [mailto:tomas at caslavsky.cz] 
Sent: Tuesday, November 22, 2005 7:19 PM
To: Palis Michael
Subject: Re: [c-nsp] IPsec cisco VPN client and Radius


Hi Palis

There is no need to run any special RADIUS attributes for VPN auth.
What RADIUS server do you use?

And can you send me your "AAA" config?

Tomas


On Tue, 22 Nov 2005, Palis Michael wrote:

> Hello all
>
> I am trying to configure IPsec between a user running Cisco VPN client and a
> Cisco router. Local authentication works really fine. Changing to radius
> authentication, my radius rejects the requests from the router for the
> client's user name.
>
> Here is the output from debug radius
>
> Nov 22 15:29:45 EET: RADIUS:  NAS-IP-Address      [4]   6   192.168.2.1
> Nov 22 15:29:45 EET: RADIUS:  Vendor, Cisco       [26]  14
> Nov 22 15:29:45 EET: RADIUS:   cisco-nas-port     [2]   8   "ISAKMP"
> Nov 22 15:29:45 EET: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
> Nov 22 15:29:45 EET: RADIUS:  User-Name           [1]   10  "user18"
> Nov 22 15:29:45 EET: RADIUS:  Calling-Station-Id  [31]  16  "192.168.1.1"
> Nov 22 15:29:45 EET: RADIUS:  User-Password       [2]   18  *
> Nov 22 15:29:50 EET: RADIUS: Retransmit to (192.168.3.1:1812,1813) for id 21648/118
> Nov 22 15:29:50 EET: RADIUS: Received from id 21648/118 192.168.3.1:1812, Access-Reject, len 20
> Nov 22 15:29:50 EET: RADIUS:  authenticator A8 81 03 2C 62 54 86 91 - A7 59 B6 07 E1 A4 E1 4D
> Nov 22 15:29:50 EET: RADIUS: Pick NAS IP for u=0x63E8D1FC tableid=0 cfg_addr=192.168.2.1 best_addr=0.0.0.0
> Nov 22 15:29:50 EET: RADIUS: ustruct sharecount=2
> Nov 22 15:29:50 EET: Radius: radius_port_info() success=0 radius_nas_port=1
> Nov 22 15:29:50 EET: RADIUS: added cisco VSA 2 len 6 "ISAKMP"
> Nov 22 15:29:50 EET: RADIUS(00000000): Send Access-Request to 192.168.3.1:1812 id 21648/119, len 90
>
> Do I need to use a special attribute for the user on the radius
> configuration in order for the client to be able to authenticate? Note that
> radius works fine for normal user authentication.
>
> Any help will be appreciated.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
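As an added example (not from either poster), the following Python script parses the kind of `debug radius` output quoted above into a request/reply summary, so an operator can see at a glance which user, NAS-Port-Type and Cisco VSA were sent and what the server answered. The sample text is a constructed copy of the thread's own debug lines trimmed to one Access-Request / Access-Reject exchange; the regexes target the IOS `debug radius` line layout and are an assumption about that format.

```python
import re

# Constructed sample: the 'debug radius' lines quoted in the thread, trimmed to a
# single Access-Request / Access-Reject exchange (one retransmit, then the reject).
SAMPLE_DEBUG = """\
Nov 22 15:29:45 EET: RADIUS:  NAS-IP-Address      [4]   6   192.168.2.1
Nov 22 15:29:45 EET: RADIUS:  Vendor, Cisco       [26]  14
Nov 22 15:29:45 EET: RADIUS:   cisco-nas-port     [2]   8   "ISAKMP"
Nov 22 15:29:45 EET: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
Nov 22 15:29:45 EET: RADIUS:  User-Name           [1]   10  "user18"
Nov 22 15:29:45 EET: RADIUS:  Calling-Station-Id  [31]  16  "192.168.1.1"
Nov 22 15:29:45 EET: RADIUS:  User-Password       [2]   18  *
Nov 22 15:29:50 EET: RADIUS: Retransmit to (192.168.3.1:1812,1813) for id 21648/118
Nov 22 15:29:50 EET: RADIUS: Received from id 21648/118 192.168.3.1:1812, Access-Reject, len 20
"""

# Attribute line: 'RADIUS:' + indentation + name + [type] + length + optional value.
# Two spaces after 'RADIUS:' is a top-level attribute; three marks a sub-attribute
# nested inside the preceding Vendor-Specific (type 26) attribute (assumed layout).
ATTR_RE = re.compile(
    r"RADIUS:(?P<indent> +)(?P<name>[\w\-]+(?:, \w+)?)\s+\[(?P<type>\d+)\]\s+(?P<len>\d+)"
    r"(?:\s+(?P<value>\S+))?"
)
REPLY_RE = re.compile(r"Received from id (?P<id>\S+) (?P<server>\S+), (?P<code>Access-\w+)")
RETRANSMIT_RE = re.compile(r"Retransmit to \((?P<server>[^)]+)\) for id (?P<id>\S+)")


def parse_exchange(debug_text):
    """Collect request attributes (top-level and VSA) and the server's reply."""
    summary = {"attributes": {}, "vsa": {}, "retransmits": 0, "result": None, "server": None}
    for line in debug_text.splitlines():
        if m := RETRANSMIT_RE.search(line):
            summary["retransmits"] += 1
        elif m := REPLY_RE.search(line):
            summary["result"], summary["server"] = m["code"], m["server"]
        elif m := ATTR_RE.search(line):
            value = (m["value"] or "").strip('"')
            target = summary["vsa"] if len(m["indent"]) > 2 else summary["attributes"]
            target[m["name"]] = value
    return summary


def describe(summary):
    """One operator-readable line: who authenticated, via what, with what result."""
    a, v = summary["attributes"], summary["vsa"]
    line = (f"{a.get('User-Name', '?')} from {a.get('Calling-Station-Id', '?')} via "
            f"{v.get('cisco-nas-port', '?')} ({a.get('NAS-Port-Type', '?')}) -> {summary['result']}"
            f" after {summary['retransmits']} retransmit(s)")
    if summary["result"] == "Access-Reject":
        # The thread's root cause: leftover per-user attributes from another service.
        line += "; review the user's RADIUS entry for attributes left over from other services"
    return line
```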