PIX 501 VPN client and IAS authentication

Discussion in 'Cisco' started by GKurcon, Mar 6, 2004.

  1. GKurcon

    GKurcon Guest

    I want to set up RADIUS authentication for the Cisco VPN client
    version 4.0.3. I have a PIX 501 which has both site to site vpn and
    clients coming in. I want the Cisco VPN clients to be prompted for
    their Windows username and password when it connects. I have set up
    the IAS services on a Windows 2003 server and made the PIX a client.
    I followed the document on the Cisco site that explains this, but the
    clients are not prompted for the username and password. It connects
    fine, just no prompts. Is this possible?
     
    GKurcon, Mar 6, 2004
    #1

  2. Rik Bain

    Rik Bain Guest

    If it is happening, then it's possible :)
    You did not provide the link you followed, nor the relevant pix config[1],
    so /I/ couldn't say what's happening.


    1.) grep for "isa" and "cry"
     
    Rik Bain, Mar 6, 2004
    #2

  3. GKurcon

    GKurcon Guest

    Here is the link:

    http://www.cisco.com/en/US/products...s_configuration_example09186a00800b6099.shtml

    And here is my config, thanks in advance for any suggestions:

    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 4R3vD8XGO4lVLaq6 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname ciscopix
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl_out permit icmp any any
    access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    access-list 200 permit tcp any host x.x.185.50 eq 5632
    access-list 200 permit tcp any host x.x.185.50 eq smtp
    access-list ctvpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
    access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging on
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.185.50 255.255.255.252
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ciscovpn 172.16.1.1-172.16.1.20
    ip local pool pptp-pool 172.16.101.1-172.16.101.14
    pdm location 192.168.1.11 255.255.255.255 inside
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 172.16.1.0 255.255.255.0 outside
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm location 172.16.0.0 255.255.254.0 inside
    pdm location 172.16.101.0 255.255.255.0 outside
    pdm location x.x.20.0 255.255.252.0 inside
    pdm location 172.16.0.0 255.255.0.0 outside
    pdm location 192.168.1.12 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 111
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
    static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255 0 0
    access-group 200 in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1813
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    http server enable
    http 172.16.1.0 255.255.255.0 outside
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    http x.x.20.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.1.15 tftp-root
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set cityset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set cityset
    crypto map citymap 10 ipsec-isakmp
    crypto map citymap 10 set peer x.x.184.146
    crypto map citymap 10 set transform-set cityset
    ! Incomplete
    crypto map citymap 20 ipsec-isakmp dynamic dynmap
    crypto map citymap interface outside
    isakmp enable outside
    isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp client configuration address-pool local ciscovpn outside
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption des
    isakmp policy 8 hash md5
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup ctvpn address-pool ciscovpn
    vpngroup ctvpn dns-server 192.168.1.11
    vpngroup ctvpn split-tunnel ctvpn_splitTunnelAcl
    vpngroup ctvpn idle-time 7200
    vpngroup ctvpn authentication-server partnerauth
    vpngroup ctvpn user-authentication
    vpngroup ctvpn user-idle-timeout 600
    vpngroup ctvpn password ********
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.1.1 255.255.255.255 inside
    telnet timeout 5
    ssh 172.16.0.0 255.255.0.0 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 40
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 client configuration dns 192.168.1.11
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username cityhall password ********
    vpdn username gkurcon password ********
    vpdn enable outside
    vpdn enable inside
    username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
    terminal width 80
    Cryptochecksum:972c1448acd4812347cbf66ff34666d7

     
    GKurcon, Mar 7, 2004
    #3
  4. Ant Mahoney

    Ant Mahoney Guest

    Sounds like something I have encountered. You can connect the VPN client to
    a PIX firewall by using just a preshared key, or with a preshared key plus
    RADIUS/TACACS authentication.

    To make your PIX connect VPN clients using a preshared key, do this:

    access-list no-nat permit ip 192.168.252.0 255.255.255.240 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list no-nat
    ip local pool vpn-pool 172.16.1.1-172.16.1.254
    sysopt connection permit-ipsec

    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto dynamic-map cisco 1 set transform-set strong
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside

    isakmp enable outside
    isakmp keepalive 10 10
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    vpngroup mygroup address-pool vpn-pool
    vpngroup mygroup idle-time 1800
    vpngroup mygroup password testing123
    vpngroup mygroup default-domain example.com



    The above configuration will connect without prompting for username and
    password.

    To prompt for a username and password, add the following:


    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.252.3 testing123 timeout 5
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1813
    crypto map dyn-map client token authentication RADIUS


    Now your clients will connect using the preshared key and RADIUS
    authentication.
     
    Ant Mahoney, Mar 7, 2004
    #4
  5. Martin Bilgrav

    Martin Bilgrav Guest

    Since you run VPN you may want to enable unreachables for your outside,
    since the tunnels depend on these.
    (Note the order of the ICMP commands.)
    You don't have a secret key for your RADIUS server.
    So it says - you miss a "match address ACL" statement for your site-to-site
    tunnel.
    You need "crypto map citymap 20 client auth partnerauth".
    Hmm, this I have never seen before....
    You don't have any ISAKMP policy to match your crypto maps, which run 3DES:
    isakmp policy 12 authentication pre-share
    isakmp policy 12 encryption 3des
    isakmp policy 12 hash md5
    isakmp policy 12 group 2
    isakmp policy 12 lifetime 86400


    You don't actually need those two lines above.

    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Mar 7, 2004
    #5
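Pulling the checks from replies #4 and #5 together, as an added example that is not from any poster in this thread: a small Python lint over a PIX 6.3-style configuration that flags the gaps called out above (an aaa-server group with no host/secret line, a vpngroup that names an authentication server no crypto map wires in with client authentication, a static crypto map entry with no match address ACL) and one further generalisation, a vpngroup address-pool that no `ip local pool` defines. The sample config, the `RADIUS-SECRET-PLACEHOLDER` value and the 203.0.113.146 peer (a documentation address) are constructed, not the original poster's config.

```python
import re

# Constructed sample, modelled on the kind of PIX 6.3 config posted in this thread
# (addresses are documentation ranges, not the poster's real ones).
SAMPLE_CONFIG = """\
aaa-server partnerauth protocol radius
ip local pool ciscovpn 172.16.1.1-172.16.1.20
crypto ipsec transform-set cityset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set cityset
crypto map citymap 10 ipsec-isakmp
crypto map citymap 10 set peer 203.0.113.146
crypto map citymap 10 set transform-set cityset
crypto map citymap 20 ipsec-isakmp dynamic dynmap
crypto map citymap interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup ctvpn address-pool ciscovpn
vpngroup ctvpn authentication-server partnerauth
vpngroup ctvpn user-authentication
"""

# The same config with the three lines the replies ask for (secret is a placeholder).
FIXED_CONFIG = SAMPLE_CONFIG + """\
aaa-server partnerauth (inside) host 192.168.1.11 RADIUS-SECRET-PLACEHOLDER timeout 5
crypto map citymap 10 match address 110
crypto map citymap client authentication partnerauth
"""


def _find(pattern, config):
    """Return the set of regex captures over all lines of the config."""
    return set(re.findall(pattern, config, re.MULTILINE))


def lint_pix_vpn(config: str) -> list:
    """Return a list of human-readable findings for a PIX 6.x VPN config."""
    findings = []

    # 1. aaa-server groups with a protocol but no host line: no server and no shared
    #    secret, so XAUTH can never succeed even once it is wired up.
    groups = _find(r"^\s*aaa-server (\S+) protocol (?:radius|tacacs\+)\s*$", config)
    hosts = _find(r"^\s*aaa-server (\S+) \(\S+\) host \S+", config)
    for g in sorted(groups - hosts):
        findings.append(f"aaa-server {g}: no 'host <ip> <secret>' line")

    # 2. vpngroup names an authentication-server, but no crypto map enables client
    #    authentication against that group, so the client is never prompted.
    referenced = _find(r"^\s*vpngroup \S+ authentication-server (\S+)\s*$", config)
    wired = _find(r"^\s*crypto map \S+ (?:\d+ )?client (?:token )?auth\S* (\S+)\s*$", config)
    for g in sorted(referenced - wired):
        findings.append(
            f"aaa-server {g} is named by a vpngroup but no "
            f"'crypto map <map> client authentication {g}' exists"
        )

    # 3. static (non-dynamic) crypto map entries with no 'match address' ACL.
    static_entries = _find(r"^\s*crypto map (\S+) (\d+) ipsec-isakmp\s*$", config)
    matched = _find(r"^\s*crypto map (\S+) (\d+) match address \S+", config)
    for name, seq in sorted(static_entries - matched):
        findings.append(f"crypto map {name} {seq}: no 'match address' ACL")

    # 4. vpngroup address-pool that points at a pool never defined with 'ip local pool'.
    pools_used = _find(r"^\s*vpngroup \S+ address-pool (\S+)\s*$", config)
    pools_defined = _find(r"^\s*ip local pool (\S+) ", config)
    for p in sorted(pools_used - pools_defined):
        findings.append(f"vpngroup address-pool {p}: no matching 'ip local pool {p}'")

    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fixes", FIXED_CONFIG)):
        result = lint_pix_vpn(cfg)
        print(f"--- {label}: {len(result)} finding(s)")
        for f in result:
            print("  ", f)
```

Run against the constructed sample it reports three findings (missing RADIUS host/secret, missing client authentication on the crypto map, missing match address on entry 10); against the fixed copy it reports none. Phase 1 cipher and transform-set cipher are deliberately not compared, since reply #5 withdraws that point.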
  6. GKurcon

    GKurcon Guest

    Thanks guys, I cleaned up the config and added the necessary lines. It's working!
     
    GKurcon, Mar 7, 2004
    #6
