Post subject: Help PIX and freeradius
Posted: Mon May 29, 2006 8:44 am
New Member (Joined: Mon Mar 14, 2005 11:18 am; Posts: 16)
Hi all,

I have a problem with my configuration. Can someone help?

I have a FreeRADIUS server, a PIX and a VPN client, and I installed the RADIUS server to authenticate the VPN users. I tested the authentication from the PIX to the RADIUS server and it is OK, but if I want the VPN user to authenticate, after doing tcpdump on the RADIUS server I can see the request coming from the PIX, but the request cannot go back to the PIX. Can someone help?

NB: I can authenticate the SSH connection but not the VPN.

Thanks
-------------
carrel

---------------------- part of the configuration concerning my problem -------------


aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.40
retry-interval 2
timeout 2
key vpn
authentication-port 1812
accounting-port 1813
!
aaa authentication ssh console RADIUS


sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map vpn 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic vpn
crypto map outside_map interface outside
crypto map outside_map client authentication RADIUS

isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ip local pool staffpool 10.33.11.1-10.33.11.254


vpngroup groupstaff address-pool staffpool
vpngroup groupstaff password **********

-----------------------------------


Here is the log:

Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 250 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%PIX-7-715047: IP = 192.168.100.248, processing VID payload
%PIX-7-715049: IP = 192.168.100.248, Received Cisco Unity client VID
%PIX-7-713906: IP = 192.168.100.248, Connection landed on tunnel_group groupstaff
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, processing IKE SA
%PIX-7-715028: Group = groupstaff, IP = 192.168.100.248, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, constructing ISA_SA for isakmp
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, constructing ke payload
%PIX-7-715001: Group = groupstaff, IP = 192.168.100.248, constructing nonce payload
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, Generating keys for Responder...
%PIX-7-715001: Group = groupstaff, IP = 192.168.100.248, constructing ID
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, construct hash payload
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, computing hash
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing Cisco Unity VID payload
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing xauth V6 VID payload
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing dpd vid payload
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing Fragmentation VID + extended capabilities payload
%PIX-7-715046: Group = groupstaff, IP = 192.168.100.248, constructing VID payload
%PIX-7-715048: Group = groupstaff, IP = 192.168.100.248, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%PIX-7-713906: IP = 192.168.100.248, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 378
%PIX-7-713906: IP = 192.168.100.248, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, processing hash
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, computing hash
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, Processing Notify payload
%PIX-7-715047: Group = groupstaff, IP = 192.168.100.248, processing VID payload
%PIX-7-715038: Group = groupstaff, IP = 192.168.100.248, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
%PIX-7-715047: Group = groupstaff, IP = 192.168.100.248, processing VID payload
%PIX-7-715049: Group = groupstaff, IP = 192.168.100.248, Received Cisco Unity client VID
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, constructing blank hash
%PIX-7-713906: Group = groupstaff, IP = 192.168.100.248, constructing qm hash
%PIX-7-713906: IP = 192.168.100.248, IKE DECODE SENDING Message (msgid=6dad54cf) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 104

%PIX-7-713906: IP = 192.168.100.248, IKE DECODE RECEIVED Message (msgid=6dad54cf) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 84
%PIX-7-715001: process_attr(): Enter!
%PIX-7-715001: Processing MODE_CFG Reply attributes.
%PIX-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = kunale
%PIX-7-713906: Group = groupstaff, Username = kunale, IP = 192.168.100.248, constructing blank hash
%PIX-7-713906: Group = groupstaff, Username = kunale, IP = 192.168.100.248, constructing qm hash
%PIX-7-713906: IP = 192.168.100.248, IKE DECODE SENDING Message (msgid=86f73b86) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 104


Post subject: Re
Posted: Sun Jun 04, 2006 8:40 pm
CCIE #17621 (Joined: Thu Oct 06, 2005 12:38 pm; Posts: 446; Location: Morrisville, NC; Certs: CCIE - Security, R&S. RHCE.)
Hey,

%PIX-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = kunale

The above line shows that the RADIUS server returned "Invalid Password".

I am curious about one thing. The config does not show any secret key. RADIUS requires a secret key between the device and the RADIUS server to work properly.

This could be causing the problem.
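Added example (not code from either poster or from the PIX/FreeRADIUS projects) illustrating the reply's point about the shared secret: RFC 2865 hides the User-Password with MD5(secret + Request Authenticator) and the client checks the Response Authenticator with the same secret, so a mismatch makes the server see a wrong password and the client silently drop the reply. The secret "vpn" comes from the posted config; the password, Request Authenticator and mismatched server secret are constructed values.

```python
import hashlib
import struct

# Constructed sample values (not from the original thread).
REQUEST_AUTH = bytes(range(16))   # 16-byte Request Authenticator; real clients use random bytes
PIX_SECRET = b"vpn"               # the "key vpn" line in the posted PIX config
PASSWORD = b"s3cret-pw"           # constructed user password


def _xor_chain(data: bytes, secret: bytes, req_auth: bytes, hiding: bool) -> bytes:
    # RFC 2865 s.5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block), with the chain seeded by the Request Authenticator.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if hiding else block   # chain on the ciphertext either way
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    return _xor_chain(padded, secret, req_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor_chain(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def simulate(server_secret: bytes) -> tuple:
    # One Access-Request/Reply exchange; the server side uses server_secret.
    # Returns (server_saw_correct_password, client_accepted_reply).
    hidden = hide_password(PASSWORD, PIX_SECRET, REQUEST_AUTH)
    password_ok = reveal_password(hidden, server_secret, REQUEST_AUTH) == PASSWORD
    code = 2 if password_ok else 3           # Access-Accept or Access-Reject
    reply_auth = response_authenticator(code, 7, b"", REQUEST_AUTH, server_secret)
    # Client recomputes with its own secret; on mismatch the reply is silently discarded.
    expected = response_authenticator(code, 7, b"", REQUEST_AUTH, PIX_SECRET)
    return password_ok, reply_auth == expected
```

With matching secrets `simulate(b"vpn")` yields `(True, True)`; with a mismatch the server rejects the garbled password and the client never accepts the reply, which is why a secret mismatch is worth checking in clients.conf and on the PIX before anything else.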

