PIX 501 VPN client and IAS authentication

Discussion in 'Cisco' started by GKurcon, Mar 6, 2004.

  1. GKurcon

    GKurcon Guest

    I want to set up RADIUS authentication for the Cisco VPN client
    version 4.0.3. I have a PIX 501 which has both site to site vpn and
    clients coming in. I want the Cisco VPN clients to be prompted for
    their Windows username and password when it connects. I have set up
    the IAS services on a Windows 2003 server and made the PIX a client.
    I followed the document on the Cisco site that explains this, but the
    clients are not prompted for the username and password. It connects
    fine, just no prompts. Is this possible?
    GKurcon, Mar 6, 2004
    #1

  2. Rik Bain

    Rik Bain Guest

    On Sat, 06 Mar 2004 15:57:04 -0600, GKurcon wrote:

    > I want to set up RADIUS authentication for the Cisco VPN client version
    > 4.0.3. I have a PIX 501 which has both site to site vpn and clients
    > coming in. I want the Cisco VPN clients to be prompted for their
    > Windows username and password when it connects. I have set up the IAS
    > services on a Windows 2003 server and made the PIX a client. I followed
    > the document on the Cisco site that explains this, but the clients are
    > not prompted for the username and password. It connects fine, just no
    > prompts. Is this possible?


    If it is happening, then it's possible :)
    You did not provide the link you followed, nor the relevant pix config[1],
    so /I/ couldn't say what's happening.


    1.) grep for "isa" and "cry"
    Rik Bain, Mar 6, 2004
    #2

  3. GKurcon

    GKurcon Guest

    Here is the link:

    http://www.cisco.com/en/US/products...s_configuration_example09186a00800b6099.shtml

    And here is my config, thanks in advance for any suggestions:

    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 4R3vD8XGO4lVLaq6 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname ciscopix
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl_out permit icmp any any
    access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    access-list 200 permit tcp any host x.x.185.50 eq 5632
    access-list 200 permit tcp any host x.x.185.50 eq smtp
    access-list ctvpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
    access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging on
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.185.50 255.255.255.252
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ciscovpn 172.16.1.1-172.16.1.20
    ip local pool pptp-pool 172.16.101.1-172.16.101.14
    pdm location 192.168.1.11 255.255.255.255 inside
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 172.16.1.0 255.255.255.0 outside
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm location 172.16.0.0 255.255.254.0 inside
    pdm location 172.16.101.0 255.255.255.0 outside
    pdm location x.x.20.0 255.255.252.0 inside
    pdm location 172.16.0.0 255.255.0.0 outside
    pdm location 192.168.1.12 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 111
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
    static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255 0 0
    access-group 200 in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1813
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    http server enable
    http 172.16.1.0 255.255.255.0 outside
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    http x.x.20.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.1.15 tftp-root
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set cityset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set cityset
    crypto map citymap 10 ipsec-isakmp
    crypto map citymap 10 set peer x.x.184.146
    crypto map citymap 10 set transform-set cityset
    ! Incomplete
    crypto map citymap 20 ipsec-isakmp dynamic dynmap
    crypto map citymap interface outside
    isakmp enable outside
    isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp client configuration address-pool local ciscovpn outside
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption des
    isakmp policy 8 hash md5
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup ctvpn address-pool ciscovpn
    vpngroup ctvpn dns-server 192.168.1.11
    vpngroup ctvpn split-tunnel ctvpn_splitTunnelAcl
    vpngroup ctvpn idle-time 7200
    vpngroup ctvpn authentication-server partnerauth
    vpngroup ctvpn user-authentication
    vpngroup ctvpn user-idle-timeout 600
    vpngroup ctvpn password ********
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.1.1 255.255.255.255 inside
    telnet timeout 5
    ssh 172.16.0.0 255.255.0.0 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 40
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 client configuration dns 192.168.1.11
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username cityhall password ********
    vpdn username gkurcon password ********
    vpdn enable outside
    vpdn enable inside
    username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
    terminal width 80
    Cryptochecksum:972c1448acd4812347cbf66ff34666d7

    Rik Bain <> wrote in message

    > If it is happening, then it's possible :)
    > You did not provide the link you followed, nor the relevant pix config[1],
    > so /I/ couldn't say what's happening.
    >
    >
    > 1.) grep for "isa" and "cry"
    GKurcon, Mar 7, 2004
    #3
  4. Ant Mahoney

    Ant Mahoney Guest

    On Sat, 06 Mar 2004 13:57:04 -0800, GKurcon wrote:

    > I want to set up RADIUS authentication for the Cisco VPN client
    > version 4.0.3. I have a PIX 501 which has both site to site vpn and
    > clients coming in. I want the Cisco VPN clients to be prompted for
    > their Windows username and password when it connects. I have set up
    > the IAS services on a Windows 2003 server and made the PIX a client.
    > I followed the document on the Cisco site that explains this, but the
    > clients are not prompted for the username and password. It connects
    > fine, just no prompts. Is this possible?


    Sounds like something I have encountered. You can connect the VPN client to
    a PIX firewall by using just a preshared key, or with a preshared key plus
    RADIUS/TACACS authentication.

    To make your PIX connect VPN clients using a preshared key, do this:

    access-list no-nat permit ip 192.168.252.0 255.255.255.240 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list no-nat
    ip local pool vpn-pool 172.16.1.1-172.16.1.254
    sysopt connection permit-ipsec

    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto dynamic-map cisco 1 set transform-set strong
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside

    isakmp enable outside
    isakmp keepalive 10 10
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    vpngroup mygroup address-pool vpn-pool
    vpngroup mygroup idle-time 1800
    vpngroup mygroup password testing123
    vpngroup mygroup default-domain example.com



    The above configuration will connect without prompting for a username and
    password.

    To prompt for a username and password, add the following:


    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.252.3 testing123 timeout 5
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1813
    crypto map dyn-map client token authentication RADIUS


    Now your clients will be connecting using a preshared key and RADIUS
    authentication.
    Ant Mahoney, Mar 7, 2004
    #4
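The RADIUS side of Ant's answer is where most "it connects but never prompts" or "it prompts but always rejects" cases end up: the `aaa-server ... host <ip> <key>` line must carry the same shared secret that IAS holds for the PIX's client entry, and the PIX sends the XAUTH username and password to RADIUS as a PAP `User-Password` attribute, so the IAS remote access policy has to allow unencrypted (PAP) authentication. The block below is an added example, not code from the thread or from Cisco: it builds an Access-Request the way a NAS does (RFC 2865), hides the password with the shared secret, and verifies the Response Authenticator of the reply, which is the check that fails when the two sides disagree on the secret. The secret `testing123`, the user `gkurcon`, the NAS address `192.168.1.1` and the simulated IAS reply are all constructed for the demo.

```python
"""Constructed example: speak enough RADIUS (RFC 2865) to check, from a host on the
inside network, that the shared secret configured on the PIX matches the one IAS
holds for that client. All names and values below are assumptions for the demo."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Build an Access-Request like the one the PIX sends for an XAUTH login
    (PAP: the password travels as a hidden User-Password attribute)."""
    request_auth = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server-side reply construction; used here only to simulate IAS offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def check_response(reply, request_auth, ident, secret):
    """Return (code, authentic). A wrong shared secret on either side shows up
    as authentic == False, even when the code says Access-Accept."""
    if len(reply) < 20:
        return None, False
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != ident or length != len(reply):
        return code, False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return code, hmac.compare_digest(expected, reply[4:20])


def probe(server, secret, username, password, nas_ip, port=1812, timeout=5.0):
    """Send a live Access-Request over UDP and validate the reply. IAS only answers
    hosts registered as RADIUS clients, so register the probing host first."""
    ident = os.urandom(1)[0]
    packet, request_auth = build_access_request(ident, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    return check_response(reply, request_auth, ident, secret)


if __name__ == "__main__":
    # Offline demo with constructed values: secret and user are assumptions.
    secret = b"testing123"
    packet, ra = build_access_request(7, secret, "gkurcon", "s3cret", "192.168.1.1")
    print(check_response(build_response(ACCESS_ACCEPT, 7, ra, secret), ra, 7, secret))
    print(check_response(build_response(ACCESS_ACCEPT, 7, ra, b"wrong"), ra, 7, secret))
```

Run it as-is for the offline demo; call `probe("192.168.1.11", b"<secret>", "user", "pass", "192.168.1.1")` from a machine that IAS has been told is a RADIUS client to test the real server. An Access-Reject whose authenticator verifies means the secret is right and the policy (or the PAP setting) is wrong; a timeout usually means IAS silently dropped the request because it does not know the sender, or because the secret mismatched.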
  5. Martin Bilgrav

    Martin Bilgrav Guest

    "GKurcon" <> wrote in message
    news:...
    > Here is the link:
    >
    >

    http://www.cisco.com/en/US/products...s_configuration_example09186a00800b6099.shtml
    >
    > And here is my config, thanks in advance for any suggestions:
    >
    > PIX Version 6.3(3)
    > interface ethernet0 10baset
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password 4R3vD8XGO4lVLaq6 encrypted
    > passwd 2KFQnbNIdI.2KYOU encrypted
    > hostname ciscopix
    > domain-name ciscopix.com
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > access-list acl_out permit icmp any any
    > access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    > access-list 200 permit tcp any host x.x.185.50 eq 5632
    > access-list 200 permit tcp any host x.x.185.50 eq smtp
    > access-list ctvpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
    > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    > pager lines 24
    > logging on



    > icmp deny any outside


    Since you run VPN you may want to enable unreachables on your outside
    interface, since the tunnels depend on these.
    (Note the order of the ICMP commands.)

    > mtu outside 1500
    > mtu inside 1500
    > ip address outside x.x.185.50 255.255.255.252
    > ip address inside 192.168.1.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool ciscovpn 172.16.1.1-172.16.1.20
    > ip local pool pptp-pool 172.16.101.1-172.16.101.14
    > pdm location 192.168.1.11 255.255.255.255 inside
    > pdm location 192.168.2.0 255.255.255.0 inside
    > pdm location 172.16.1.0 255.255.255.0 outside
    > pdm location 192.168.2.0 255.255.255.0 outside
    > pdm location 172.16.0.0 255.255.254.0 inside
    > pdm location 172.16.101.0 255.255.255.0 outside
    > pdm location x.x.20.0 255.255.252.0 inside
    > pdm location 172.16.0.0 255.255.0.0 outside
    > pdm location 192.168.1.12 255.255.255.255 inside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 0 access-list 111
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
    > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255 0 0
    > access-group 200 in interface outside
    > route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server radius-authport 1812
    > aaa-server radius-acctport 1813
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local



    > aaa-server partnerauth protocol radius


    You don't have a secret key for your RADIUS server.

    > http server enable
    > http 172.16.1.0 255.255.255.0 outside
    > http 192.168.1.0 255.255.255.0 inside
    > http 192.168.2.0 255.255.255.0 inside
    > http x.x.20.0 255.255.252.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > tftp-server inside 192.168.1.15 tftp-root
    > floodguard enable
    > sysopt connection permit-ipsec
    > sysopt connection permit-pptp
    > crypto ipsec transform-set cityset esp-3des esp-md5-hmac
    > crypto dynamic-map dynmap 30 set transform-set cityset
    > crypto map citymap 10 ipsec-isakmp
    > crypto map citymap 10 set peer x.x.184.146
    > crypto map citymap 10 set transform-set cityset


    > ! Incomplete

    So it says: you are missing a "match address ACL" statement for your
    site-to-site tunnel.

    > crypto map citymap 20 ipsec-isakmp dynamic dynmap


    you need "crypto map citymap 20 client auth partnerauth"

    > crypto map citymap interface outside
    > isakmp enable outside
    > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    > isakmp identity address


    > isakmp client configuration address-pool local ciscovpn outside

    Hmm, this I have never seen before...

    > isakmp policy 8 authentication pre-share
    > isakmp policy 8 encryption des
    > isakmp policy 8 hash md5
    > isakmp policy 8 group 1
    > isakmp policy 8 lifetime 86400
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption des
    > isakmp policy 10 hash md5
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400


    You don't have any ISAKMP policy to match your crypto maps, which run 3DES:
    isakmp policy 12 authentication pre-share
    isakmp policy 12 encryption 3des
    isakmp policy 12 hash md5
    isakmp policy 12 group 2
    isakmp policy 12 lifetime 86400



    > vpngroup ctvpn address-pool ciscovpn
    > vpngroup ctvpn dns-server 192.168.1.11
    > vpngroup ctvpn split-tunnel ctvpn_splitTunnelAcl
    > vpngroup ctvpn idle-time 7200


    > vpngroup ctvpn authentication-server partnerauth
    > vpngroup ctvpn user-authentication


    You don't actually need those two lines above.

    > vpngroup ctvpn user-idle-timeout 600
    > vpngroup ctvpn password ********
    > telnet 192.168.2.0 255.255.255.0 outside
    > telnet 192.168.2.0 255.255.255.0 inside
    > telnet 192.168.1.0 255.255.255.0 inside
    > telnet 192.168.1.1 255.255.255.255 inside
    > telnet timeout 5
    > ssh 172.16.0.0 255.255.0.0 outside
    > ssh 192.168.1.0 255.255.255.0 inside
    > ssh timeout 5
    > console timeout 0
    > vpdn group 1 accept dialin pptp
    > vpdn group 1 ppp authentication pap
    > vpdn group 1 ppp authentication chap
    > vpdn group 1 ppp authentication mschap
    > vpdn group 1 ppp encryption mppe 40
    > vpdn group 1 client configuration address local pptp-pool
    > vpdn group 1 client configuration dns 192.168.1.11
    > vpdn group 1 pptp echo 60
    > vpdn group 1 client authentication local
    > vpdn username cityhall password ********
    > vpdn username gkurcon password ********
    > vpdn enable outside
    > vpdn enable inside
    > username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
    > terminal width 80
    > Cryptochecksum:972c1448acd4812347cbf66ff34666d7
    >



    HTH
    Martin Bilgrav
    Martin Bilgrav, Mar 7, 2004
    #5
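Putting Martin's points together, this is the fragment I would add to the posted config. It is an added example for this page, not GKurcon's final working configuration (which the thread never shows). Assumptions: the IAS server is `192.168.1.11` (the address the config already hands out as DNS; substitute the real one), `<shared-secret>` is a placeholder for whatever is entered in the IAS client entry for the PIX, and `access-list 110` (defined but never referenced, and covering the same 192.168.1.0/24 to 192.168.2.0/24 pair that the `nat 0` list exempts) is the intended match list for the site-to-site tunnel.

```text
! Assumed corrected fragment for PIX 6.3 (added example, not the poster's config)
! 1. Give the RADIUS server group a host and a shared secret
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.11 <shared-secret> timeout 5
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
!
! 2. Complete the site-to-site entry and turn on XAUTH for the whole map
crypto map citymap 10 ipsec-isakmp
crypto map citymap 10 match address 110
crypto map citymap 10 set peer x.x.184.146
crypto map citymap 10 set transform-set cityset
crypto map citymap 20 ipsec-isakmp dynamic dynmap
crypto map citymap client authentication partnerauth
crypto map citymap interface outside
!
! 3. A phase 1 policy the 3DES-capable VPN client can agree on
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption 3des
isakmp policy 12 hash md5
isakmp policy 12 group 2
isakmp policy 12 lifetime 86400
!
! 4. Let unreachables through before the blanket deny (first match wins)
icmp permit any unreachable outside
icmp deny any outside
```

`client authentication` is a property of the whole crypto map, so it takes no sequence number. Once it is in place, the `no-xauth no-config-mode` keywords on the site-to-site peer's `isakmp key` line matter: they are what stops the PIX from trying to XAUTH the other firewall when that tunnel comes up. Nothing in the thread touches the rest of the posted config, but `snmp-server community public`, the `telnet ... outside` entry, and the DES/MD5/group 1 ISAKMP policies are worth tightening in the same pass.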
  6. GKurcon

    GKurcon Guest

    Thanks guys, I cleaned up the config and added the necessary lines. It's working!
    GKurcon, Mar 7, 2004
    #6
