carrel (New Member, Posts: 16, Joined: Mon Mar 14, 2005 11:18 am)

Help PIX and freeradius

Mon May 29, 2006 8:44 am

Hi all,

I have a problem with my configuration. Can someone help?

I have a FreeRADIUS server, a PIX and a VPN client, and I installed RADIUS to authenticate the VPN users. I tested the authentication from the PIX to the RADIUS server: OK. But when a VPN user tries to authenticate, after doing tcpdump on the RADIUS server I can see the request coming from the PIX, but the request cannot go back to the PIX. Can someone help?

NB: I can authenticate the SSH connection but not the VPN.

thanks
-------------
carrel

---------------------- part of the configuration concerning my problem -------------


aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.40
retry-interval 2
timeout 2
key vpn
authentication-port 1812
accounting-port 1813
!
aaa authentication ssh console RADIUS


sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map vpn 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic vpn
crypto map outside_map interface outside
crypto map outside_map client authentication RADIUS

isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ip local pool staffpool 10.33.11.1-10.33.11.254


vpngroup groupstaff address-pool staffpool
vpngroup groupstaff password **********

-----------------------------------


Here is the log:

Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 250 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%PIX-7-715047: IP = 192.168.100.248, processing VID payload
%PIX-7-715049: IP = 192.168.100.248, Received Cisco Unity client VID
%PIX-7-713906: IP = 192.168.100.248, Connection landed on tunnel_group groupstaff
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, processing IKE SA
%PIX-7-715028: Group = groupstaff, IP = 192.168.100.248, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, constructing ISA_SA for isakmp
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, constructing ke payload
%PIX-7-715001: Group = groupstaff, IP = 192.168.100.248, constructing nonce payload
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, Generating keys for Responder...
%PIX-7-715001: Group = groupstaff, IP = 192.168.100.248, constructing ID
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, construct hash payload
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, computing hash
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing Cisco Unity VID payload
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing xauth V6 VID payload
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing dpd vid payload
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing Fragmentation VID + extended capabilities payload
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing VID payload
%PIX-7-715048: Group = groupstaff, IP = 192.168.100.248, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%PIX-7-713906: IP = 192.168.100.248, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 378
%PIX-7-713906: IP = 192.168.100.248, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, processing hash
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, computing hash
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, Processing Notify payload
%PIX-7-715047: Group = groupstaff, IP = 192.168.100.248, processing VID payload
%PIX-7-715038: Group = groupstaff, IP = 192.168.100.248, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
%PIX-7-715047: Group = groupstaff, IP = 192.168.100.248, processing VID payload
%PIX-7-715049: Group = groupstaff, IP = 192.168.100.248, Received Cisco Unity client VID
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, constructing blank hash
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, constructing qm hash
%PIX-7-713906: IP = 192.168.100.248, IKE DECODE SENDING Message (msgid=6dad54cf) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 104

%PIX-7-713906: IP = 192.168.100.248, IKE DECODE RECEIVED Message (msgid=6dad54cf) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 84
%PIX-7-715001: process_attr(): Enter!
%PIX-7-715001: Processing MODE_CFG Reply attributes.
%PIX-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = kunale
%PIX-7-713906: Group = groupstaff, Username = kunale, IP = 192.168.100.248, constructing blank hash
%PIX-7-713906: Group = groupstaff, Username = kunale, IP = 192.168.100.248, constructing qm hash
%PIX-7-713906: IP = 192.168.100.248, IKE DECODE SENDING Message (msgid=86f73b86) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 104

vivek283 (CCIE #17621, Posts: 446, Joined: Thu Oct 06, 2005 12:38 pm, Certs: CCIE - Security, R&S. RHCE.)

Re:

Sun Jun 04, 2006 8:40 pm

Hey,

%PIX-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = kunale

The above line shows that the radius server returned "Invalid Password".

I am curious about one thing. The config does not show any secret key. RADIUS requires a secret key between the device and the RADIUS server to work properly.

This could be causing the problem.
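The shared secret the reply above points to is used twice in a RADIUS exchange (RFC 2865): the NAS hides the User-Password attribute with MD5(secret + Request Authenticator), and the server signs every Access-Accept/Reject with a Response Authenticator of MD5(Code + ID + Length + Request Authenticator + Attributes + secret), which the NAS must recompute before it trusts the reply. The following Python is an added illustration written for this thread, not code from the posters, FreeRADIUS or Cisco. It models both sides in-process with constructed values (user `vpnuser`, secrets `vpn` and `other`, identifier 7) so the two failure modes a secret mismatch produces can be seen side by side: the server decodes the password to garbage and rejects it, and the NAS discards the reply because the Response Authenticator does not verify. The `exchange` helper and the toy server are assumptions for the demonstration, not a real RADIUS implementation.

```python
"""RFC 2865 shared-secret mechanics, modelled client and server in one process (constructed example)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Walk the attribute area of a packet into {type: value}."""
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, request_auth=None):
    """What the NAS (the PIX in the thread) sends: a random Request Authenticator plus hidden password."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(request, server_secret, users):
    """Toy server (assumption, not FreeRADIUS): decode the password with ITS secret, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    rcode = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    resp_attrs = b""
    header = struct.pack("!BBH", rcode, ident, 20 + len(resp_attrs))
    return header + response_authenticator(rcode, ident, resp_attrs, request_auth, server_secret) + resp_attrs


def client_verify(response, request, client_secret):
    """NAS side on receipt: identifier must match and the Response Authenticator must recompute
    with the NAS's own secret; otherwise the reply is silently discarded (RFC 2865 3)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return "discarded"
    expected = response_authenticator(code, ident, response[20:length], request[4:20], client_secret)
    if expected != response[4:20]:
        return "discarded"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "discarded")


def exchange(client_secret, server_secret, password_on_server=b"s3cret", password_sent=b"s3cret"):
    """Run one Access-Request round trip with the given secrets; returns accept / reject / discarded."""
    users = {b"vpnuser": password_on_server}          # constructed user database
    req = build_access_request(7, b"vpnuser", password_sent, client_secret)
    return client_verify(server_handle(req, server_secret, users), req, client_secret)


if __name__ == "__main__":
    print("matching secrets, right password :", exchange(b"vpn", b"vpn"))
    print("matching secrets, wrong password :", exchange(b"vpn", b"vpn", password_sent=b"wrong"))
    print("mismatched secrets               :", exchange(b"vpn", b"other"))
```

The third case is the one worth remembering when reading a capture like the one in the question: the server still answers (tcpdump sees a packet in each direction), but a NAS that cannot verify the Response Authenticator treats the reply as if it never arrived, so from the device's point of view the request simply times out while the server side logs a rejection for an unintelligible password.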

