Velocity Reviews - Computer Hardware Reviews

PIX 501 VPN client and IAS authentication

 
 
GKurcon
03-06-2004
I want to set up RADIUS authentication for the Cisco VPN client version 4.0.3. I have a PIX 501 which has both site-to-site VPN and clients coming in. I want the Cisco VPN clients to be prompted for their Windows username and password when they connect. I have set up the IAS service on a Windows 2003 server and made the PIX a client. I followed the document on the Cisco site that explains this, but the clients are not prompted for the username and password. It connects fine, just no prompts. Is this possible?
 
 
 
 
 
Rik Bain
03-06-2004
On Sat, 06 Mar 2004 15:57:04 -0600, GKurcon wrote:

> I want to set up RADIUS authentication for the Cisco VPN client version
> 4.0.3. I have a PIX 501 which has both site to site vpn and clients
> coming in. I want the Cisco VPN clients to be prompted for their
> Windows username and password when it connects. I have set up the IAS
> services on a Windows 2003 server and made the PIX a client. I followed
> the document on the Cisco site that explains this, but the clients are
> not prompted for the username and password. It connects fine, just no
> prompts. Is this possible?


If it is happening, then it's possible.
You did not provide the link you followed, nor the relevant PIX config[1],
so /I/ couldn't say what's happening.


1.) grep for "isa" and "cry"
 
 
 
 
 
GKurcon
03-07-2004
Here is the link:

http://www.cisco.com/en/US/products/...800b6099.shtml

And here is my config, thanks in advance for any suggestions:

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4R3vD8XGO4lVLaq6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ciscopix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
access-list 200 permit tcp any host x.x.185.50 eq 5632
access-list 200 permit tcp any host x.x.185.50 eq smtp
access-list ctvpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging on
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.185.50 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 172.16.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 172.16.0.0 255.255.254.0 inside
pdm location 172.16.101.0 255.255.255.0 outside
pdm location x.x.20.0 255.255.252.0 inside
pdm location 172.16.0.0 255.255.0.0 outside
pdm location 192.168.1.12 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255 0 0
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
http server enable
http 172.16.1.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http x.x.20.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.15 tftp-root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set cityset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set cityset
crypto map citymap 10 ipsec-isakmp
crypto map citymap 10 set peer x.x.184.146
crypto map citymap 10 set transform-set cityset
! Incomplete
crypto map citymap 20 ipsec-isakmp dynamic dynmap
crypto map citymap interface outside
isakmp enable outside
isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local ciscovpn outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ctvpn address-pool ciscovpn
vpngroup ctvpn dns-server 192.168.1.11
vpngroup ctvpn split-tunnel ctvpn_splitTunnelAcl
vpngroup ctvpn idle-time 7200
vpngroup ctvpn authentication-server partnerauth
vpngroup ctvpn user-authentication
vpngroup ctvpn user-idle-timeout 600
vpngroup ctvpn password ********
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.1.11
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cityhall password ********
vpdn username gkurcon password ********
vpdn enable outside
vpdn enable inside
username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
terminal width 80
Cryptochecksum:972c1448acd4812347cbf66ff34666d7

Rik Bain <(E-Mail Removed)> wrote in message

> If it is happening, then it's possible
> You did not provide the link you followed, nor the relevant pix config[1],
> so /I/ couldn't say what's happening.
>
>
> 1.) grep for "isa" and "cry"

 
 
Ant Mahoney
03-07-2004
On Sat, 06 Mar 2004 13:57:04 -0800, GKurcon wrote:

> I want to set up RADIUS authentication for the Cisco VPN client
> version 4.0.3. I have a PIX 501 which has both site to site vpn and
> clients coming in. I want the Cisco VPN clients to be prompted for
> their Windows username and password when it connects. I have set up
> the IAS services on a Windows 2003 server and made the PIX a client.
> I followed the document on the Cisco site that explains this, but the
> clients are not prompted for the username and password. It connects
> fine, just no prompts. Is this possible?


Sounds like something I have encountered. You can connect the VPN client to
a PIX firewall by using just a preshared key, or with a preshared key plus
RADIUS/TACACS authentication.

To make your PIX connect VPN clients using a preshared key, do this.

access-list no-nat permit ip 192.168.252.0 255.255.255.240 172.16.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
ip local pool vpn-pool 172.16.1.1-172.16.1.254
sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set strong
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside

isakmp enable outside
isakmp keepalive 10 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup mygroup address-pool vpn-pool
vpngroup mygroup idle-time 1800
vpngroup mygroup password testing123
vpngroup mygroup default-domain example.com



The above configuration will connect without prompting for a username and
password.

To prompt for a username and password, add the following:


aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.252.3 testing123 timeout 5
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
crypto map dyn-map client token authentication RADIUS


Now your clients will be connecting using the preshared key and RADIUS
authentication.



 
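What the `aaa-server ... host <ip> <key>` line above buys you on the wire, as an added example that is not from this thread, from Cisco or from Microsoft: a minimal RFC 2865 PAP exchange between the PIX (the RADIUS NAS) and IAS. XAUTH hands the VPN client's username and password to the PIX, which forwards them as RADIUS User-Name/User-Password, so the IAS remote access policy has to permit unencrypted (PAP) authentication or every login is refused even with the PIX side right. The shared secret is used twice: to hide User-Password in the request and to compute the Response Authenticator on the reply. The secret `testing123` is the one Ant used; the account name, password and NAS address 192.168.1.1 (the PIX inside address from GKurcon's config) are made up for the demo.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4               # attribute types used here

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; block_i = p_i XOR MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def attr(t: int, v: bytes) -> bytes:
    return struct.pack("!BB", t, len(v) + 2) + v                   # Type, Length, Value

def parse_attrs(payload: bytes) -> dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = payload[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """What the PIX sends for an XAUTH login: PAP, i.e. a hidden User-Password, not CHAP."""
    ra = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def build_response(request, code, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(request, response, secret) -> bool:
    """NAS side: a reply whose authenticator does not check out is silently dropped (RFC 2865 3)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def ias_handle(request, server_secret, accounts):
    """Server side: recover the PAP password with the server's copy of the secret and check it."""
    a = parse_attrs(request[20:])
    user = a.get(USER_NAME, b"").decode("utf-8", "replace")
    pw = reveal_password(a.get(USER_PASSWORD, b""), server_secret, request[4:20])
    ok = user in accounts and hmac.compare_digest(accounts[user], pw)
    return build_response(request, ACCESS_ACCEPT if ok else ACCESS_REJECT, server_secret)

def xauth_login(nas_secret, server_secret, username, password, accounts):
    """One exchange: 'accept', 'reject', or 'discarded' when the reply fails authentication."""
    req = build_access_request(1, nas_secret, username, password, "192.168.1.1")  # PIX inside address
    resp = ias_handle(req, server_secret, accounts)
    if not verify_response(req, resp, nas_secret):
        return "discarded"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"

if __name__ == "__main__":
    directory = {"gkurcon": b"Winter2004!"}                      # made-up Windows account
    print(xauth_login(b"testing123", b"testing123", "gkurcon", "Winter2004!", directory))  # accept
    print(xauth_login(b"testing123", b"testing123", "gkurcon", "wrong", directory))        # reject
    print(xauth_login(b"testing123", b"different", "gkurcon", "Winter2004!", directory))   # discarded
```

The third case is the one that matches the symptom "the request reaches IAS but the client just hangs": with mismatched secrets the server recovers a garbage password and answers with a Reject it signs using its own secret, the PIX cannot verify that reply and drops it, and the user sees a timeout rather than a clean rejection. Note also that this hiding is MD5-based obfuscation keyed only by the shared secret, which is why the secret must be long and the RADIUS traffic kept on the inside interface.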
 
Martin Bilgrav
03-07-2004

"GKurcon" <(E-Mail Removed)> wrote in message:
> Here is the link:
>
> http://www.cisco.com/en/US/products/...800b6099.shtml
>
> And here is my config, thanks in advance for any suggestions:
>
> PIX Version 6.3(3)
> interface ethernet0 10baset
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password 4R3vD8XGO4lVLaq6 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname ciscopix
> domain-name ciscopix.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list acl_out permit icmp any any
> access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> access-list 200 permit tcp any host x.x.185.50 eq 5632
> access-list 200 permit tcp any host x.x.185.50 eq smtp
> access-list ctvpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
> access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> pager lines 24
> logging on



> icmp deny any outside


Since you run VPN you may want to enable unreachables on your outside interface,
since the tunnels depend on these.
(Note the order of the ICMP commands.)

> mtu outside 1500
> mtu inside 1500
> ip address outside x.x.185.50 255.255.255.252
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool ciscovpn 172.16.1.1-172.16.1.20
> ip local pool pptp-pool 172.16.101.1-172.16.101.14
> pdm location 192.168.1.11 255.255.255.255 inside
> pdm location 192.168.2.0 255.255.255.0 inside
> pdm location 172.16.1.0 255.255.255.0 outside
> pdm location 192.168.2.0 255.255.255.0 outside
> pdm location 172.16.0.0 255.255.254.0 inside
> pdm location 172.16.101.0 255.255.255.0 outside
> pdm location x.x.20.0 255.255.252.0 inside
> pdm location 172.16.0.0 255.255.0.0 outside
> pdm location 192.168.1.12 255.255.255.255 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list 111
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
> static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255 0 0
> access-group 200 in interface outside
> route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server radius-authport 1812
> aaa-server radius-acctport 1813
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local



> aaa-server partnerauth protocol radius


You don't have a secret key for your RADIUS server.

> http server enable
> http 172.16.1.0 255.255.255.0 outside
> http 192.168.1.0 255.255.255.0 inside
> http 192.168.2.0 255.255.255.0 inside
> http x.x.20.0 255.255.252.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> tftp-server inside 192.168.1.15 tftp-root
> floodguard enable
> sysopt connection permit-ipsec
> sysopt connection permit-pptp
> crypto ipsec transform-set cityset esp-3des esp-md5-hmac
> crypto dynamic-map dynmap 30 set transform-set cityset
> crypto map citymap 10 ipsec-isakmp
> crypto map citymap 10 set peer x.x.184.146
> crypto map citymap 10 set transform-set cityset


> ! Incomplete

So it says: you are missing a "match address ACL" statement for your site-to-site
tunnel.

> crypto map citymap 20 ipsec-isakmp dynamic dynmap


You need "crypto map citymap 20 client auth partnerauth".

> crypto map citymap interface outside
> isakmp enable outside
> isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp identity address


> isakmp client configuration address-pool local ciscovpn outside

Hmm, this I have never seen before...

> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption des
> isakmp policy 8 hash md5
> isakmp policy 8 group 1
> isakmp policy 8 lifetime 86400
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400


You don't have any ISAKMP policy to match your crypto maps, which run 3DES:
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption 3des
isakmp policy 12 hash md5
isakmp policy 12 group 2
isakmp policy 12 lifetime 86400



> vpngroup ctvpn address-pool ciscovpn
> vpngroup ctvpn dns-server 192.168.1.11
> vpngroup ctvpn split-tunnel ctvpn_splitTunnelAcl
> vpngroup ctvpn idle-time 7200


> vpngroup ctvpn authentication-server partnerauth
> vpngroup ctvpn user-authentication


You don't actually need those two lines above.

> vpngroup ctvpn user-idle-timeout 600
> vpngroup ctvpn password ********
> telnet 192.168.2.0 255.255.255.0 outside
> telnet 192.168.2.0 255.255.255.0 inside
> telnet 192.168.1.0 255.255.255.0 inside
> telnet 192.168.1.1 255.255.255.255 inside
> telnet timeout 5
> ssh 172.16.0.0 255.255.0.0 outside
> ssh 192.168.1.0 255.255.255.0 inside
> ssh timeout 5
> console timeout 0
> vpdn group 1 accept dialin pptp
> vpdn group 1 ppp authentication pap
> vpdn group 1 ppp authentication chap
> vpdn group 1 ppp authentication mschap
> vpdn group 1 ppp encryption mppe 40
> vpdn group 1 client configuration address local pptp-pool
> vpdn group 1 client configuration dns 192.168.1.11
> vpdn group 1 pptp echo 60
> vpdn group 1 client authentication local
> vpdn username cityhall password ********
> vpdn username gkurcon password ********
> vpdn enable outside
> vpdn enable inside
> username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
> terminal width 80
> Cryptochecksum:972c1448acd4812347cbf66ff34666d7
>



HTH
Martin Bilgrav


 
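The checks Martin applied by eye, written down as a script so they can be rerun against any PIX 6.x `write terminal` dump: an added example of my own, not Cisco code and not anything posted in the thread. It parses the plain-text config and reports a dynamic crypto map with no `client [token] authentication` (the reason the VPN client never sees an XAUTH prompt), a site-to-site entry without `match address`/`set peer`/`set transform-set`, a referenced aaa-server group with no `host ... <key>` line, and the `vpngroup ... authentication-server`/`user-authentication` lines that do not turn XAUTH on for the software client. It runs over a constructed excerpt of GKurcon's crypto/aaa lines and over the same lines with the fixes applied; the IAS address 192.168.1.20, the shared secret and the use of ACL 110 for the site-to-site entry are assumptions, since the thread never states them.

```python
from collections import defaultdict

def lint_pix(config: str) -> list[str]:
    aaa_proto: dict[str, str] = {}                  # aaa group -> protocol
    aaa_hosts: dict[str, list] = defaultdict(list)  # aaa group -> [(ip, has_shared_secret)]
    static: dict[tuple[str, str], set[str]] = {}    # (map, seq) -> sub-commands seen on a static entry
    dynamic: list[tuple[str, str]] = []             # (map, seq) of 'ipsec-isakmp dynamic' entries
    xauth: dict[str, str] = {}                      # map -> group from 'client [token] authentication'
    referenced: set[str] = set()                    # aaa groups a crypto map or vpngroup points at
    notes: list[str] = []

    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0][0] in "!:":                # PIX comment conventions
            continue
        if w[0] == "aaa-server" and len(w) >= 4 and w[2] == "protocol":
            aaa_proto[w[1]] = w[3]
        elif w[0] == "aaa-server" and "host" in w[2:4]:
            i = w.index("host")                     # aaa-server G [(if)] host IP [key] [timeout n]
            has_key = len(w) > i + 2 and w[i + 2] != "timeout"
            aaa_hosts[w[1]].append((w[i + 1], has_key))
        elif w[:2] == ["crypto", "map"] and len(w) >= 5:
            name = w[2]
            if w[3].isdigit():                      # numbered entry
                seq, rest = w[3], w[4:]
                if rest[0] == "ipsec-isakmp" and "dynamic" in rest:
                    dynamic.append((name, seq))
                elif rest[0] == "ipsec-isakmp":
                    static.setdefault((name, seq), set())
                else:
                    static.setdefault((name, seq), set()).add(" ".join(rest[:2]))
            elif w[3] == "client" and "authentication" in w[:-1]:
                xauth[name] = w[w.index("authentication") + 1]
                referenced.add(xauth[name])
        elif w[0] == "vpngroup" and len(w) >= 3 and w[2] in ("authentication-server", "user-authentication"):
            referenced.update(w[3:4])
            notes.append(" ".join(w))

    out: list[str] = []
    for (name, seq), subs in sorted(static.items()):
        for need in ("match address", "set peer", "set transform-set"):
            if need not in subs:
                out.append(f"ERROR: crypto map {name} {seq}: no '{need}' line, site-to-site entry is incomplete")
    for name, seq in dynamic:
        if name not in xauth:
            out.append(f"ERROR: crypto map {name}: dynamic entry {seq} but no 'crypto map {name} client "
                       f"authentication <group>', so VPN clients get no XAUTH username/password prompt")
        elif xauth[name] not in aaa_proto:
            out.append(f"ERROR: crypto map {name}: client authentication names undefined aaa-server group {xauth[name]}")
    for group in sorted(referenced):
        if aaa_proto.get(group) in ("radius", "tacacs+") and not aaa_hosts[group]:
            out.append(f"WARN: aaa-server group {group}: no 'aaa-server {group} (<if>) host <ip> <key>' line, "
                       f"so no server address and no shared secret")
        for ip, has_key in aaa_hosts[group]:
            if not has_key:
                out.append(f"WARN: aaa-server {group} host {ip} has no shared secret")
    for n in notes:
        out.append(f"INFO: '{n}' does not turn on XAUTH for the software VPN client")
    return out

# Constructed excerpt of the crypto/aaa lines GKurcon posted (peer address masked as in the post).
BEFORE = """\
aaa-server partnerauth protocol radius
crypto dynamic-map dynmap 30 set transform-set cityset
crypto map citymap 10 ipsec-isakmp
crypto map citymap 10 set peer x.x.184.146
crypto map citymap 10 set transform-set cityset
! Incomplete
crypto map citymap 20 ipsec-isakmp dynamic dynmap
crypto map citymap interface outside
vpngroup ctvpn authentication-server partnerauth
vpngroup ctvpn user-authentication
"""

# Same lines with Martin Bilgrav's fixes. The IAS address 192.168.1.20, the shared secret and
# the choice of ACL 110 for the site-to-site entry are assumptions, not taken from the thread.
AFTER = """\
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.20 Sh4redSecretHere timeout 5
crypto dynamic-map dynmap 30 set transform-set cityset
crypto map citymap 10 ipsec-isakmp
crypto map citymap 10 match address 110
crypto map citymap 10 set peer x.x.184.146
crypto map citymap 10 set transform-set cityset
crypto map citymap 20 ipsec-isakmp dynamic dynmap
crypto map citymap client authentication partnerauth
crypto map citymap interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label}:", *lint_pix(cfg), sep="\n  ")
```

On the posted config this reports the two ERRORs (no `match address` on entry 10, no `client authentication` on the map carrying the dynamic entry), the WARN that `partnerauth` has no host and secret, and the two INFO lines; the fixed excerpt comes back clean. Feed it `show running-config` output from the PIX directly; it ignores everything outside the aaa-server, crypto map and vpngroup lines.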
 
GKurcon
03-07-2004
Thanks guys, I cleaned up the config and added the necessary lines. It's working!
 