Troubleshooting PIX firewall and IAS 2003

Discussion in 'Cisco' started by Fuzzy Britches, Jul 25, 2005.

  1. Sorry about this, guys, but I've been all over hell and back trying to
    find the solution to this problem and the boss is getting a little
    impatient. Sorry in advance if this is a little verbose, but I wanted
    to make sure all the info needed was supplied. Thanks in advance, and
    just ask for any extra debug output or configuration info, and ye
    shall receive.

    I'm currently trying in a test environment (cut off from the internet)
    to configure a PIX 501 with OS version 6.3(4) to authenticate VPN
    clients via RADIUS using IAS 2003. I've set it up as is shown in this
    document:

    http://www.cisco.com/en/US/products...s_configuration_example09186a00800b6099.shtml

    I've gone over the document two or three times and I'm pretty sure that
    I have it set up basically the way it shows. I'm sure the shared secrets
    are the same, and that the user has been given VPN privs.

    Here is my PIX configuration:

    Building configuration...
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 2zZ07gPEI9TAr1VS encrypted
    passwd 2zZ07gPEI9TAr1VS encrypted
    hostname PIX501-RadiusVPN
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.2 Windows2003
    name 24.1.1.2 WindowsXP
    access-list 108 remark Define VPN Traffic
    access-list 108 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 24.1.1.1 255.0.0.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool 192.168.2.1-192.168.2.200
    pdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server PartnerAuth protocol radius
    aaa-server PartnerAuth max-failed-attempts 3
    aaa-server PartnerAuth deadtime 10
    aaa-server PartnerAuth (outside) host Windows2003 cisco timeout 10
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map DynMap 10 set transform-set myset
    crypto map MyMap 10 ipsec-isakmp dynamic DynMap
    crypto map MyMap client configuration address initiate
    crypto map MyMap client configuration address respond
    crypto map MyMap client authentication PartnerAuth
    crypto map MyMap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup RemoteStaff address-pool VPNPool
    vpngroup RemoteStaff dns-server Windows2003
    vpngroup RemoteStaff default-domain breakout.edu
    vpngroup RemoteStaff split-tunnel 108
    vpngroup RemoteStaff idle-time 1800
    vpngroup RemoteStaff password ********
    telnet Windows2003 255.255.255.255 inside
    telnet timeout 45
    ssh timeout 5
    console timeout 0
    terminal width 80

    This is the typical debug output:

    9: xauth authentication in progress for user: , session id: 1737599205
    10: Received response: UserA, session id 1737599205
    11: Making authentication request for host Windows2003, user UserA, session id: 1737599205
    12: Processing challenge for user UserA, session id: 1737599205, challenge: Password:
    13: Received xauth challenge: Password: , session id: 1737599205
    14: Received response: , session id 1737599205
    15: Making authentication request for host Windows2003, user UserA, session id: 1737599205
    16: xauth authentication failed for user: UserA, session id: 1737599205
     
    Fuzzy Britches, Jul 25, 2005
    #1

  2. thejayman Guest

    Hi,

    I had problems with this when I first tried. Can I ask a few questions:

    1. Did you create this via command line or PDM? Reason I ask: I have
    found that if you set up via PDM it does not always bind XAUTH to the
    OUTSIDE interface.
    2. Have you checked the password between the RADIUS server and the PIX?
    3. Does the group password on the PIX match the client?

    HTH,
    Jay
     
    thejayman, Jul 25, 2005
    #2
  4. 1. Command line, through the console mostly.
    2. Yes, several times.
    3. Yes, I've retyped it to match both group name and password.
     
    Fuzzy Britches, Jul 25, 2005
    #4
  5. Wil Guest

    What does the event viewer say?

    Wil
    my 3¢

     
    Wil, Jul 26, 2005
    #5
  6. None of the views contain any new entries except for "Security", which
    has a bunch of "Logon/Logoff" and "Privilege Use" events for user
    "SYSTEM".

    I probably should mention that the error is "User Failed
    Authentication", and I'm sure the user/pass is right, with the VPN right
    set.
     
    Fuzzy Britches, Jul 26, 2005
    #6
  7. I've found the solution to my problem in this document:
    http://www.cisco.com/en/US/products...s_configuration_example09186a00800b6099.shtml

    I still have no clue as to what was wrong with the configuration I
    posted, but it should be educational, and will probably save me and
    whoever may be reading this a headache in the future, if someone could
    still explain what the deal was. It was obviously only a problem with
    the PIX configuration, because I changed nothing on the client and
    nothing on the RADIUS server; I took the PIX down (it was a test) and
    re-worked the entire configuration again going by that document.
     
    Fuzzy Britches, Jul 26, 2005
    #7
  8. OK, after posting that I ran into another roadblock: I couldn't
    communicate with the internal machines on the other side of the test
    VPN. The problem was solved by setting up a NAT and configuring the
    usual NAT exceptions for the VPN traffic.

    My only real question is, why does the VPN function of a PIX firewall
    _NEED_ a NAT? I mean, I'm basically configuring a NAT and telling
    the PIX to never use it?
     
    Fuzzy Britches, Jul 27, 2005
    #8
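Two points in this thread can be illustrated directly from the configuration posted in #1. They are written up here as an added example; this is not the poster's configuration, a reply from the thread, or text from the Cisco document linked above, and it does not claim to be the confirmed cause of the original authentication failure.

On the NAT question in #8: PIX 6.x always enforces NAT control, meaning a packet travelling from a higher-security interface (inside) to a lower one (outside) must match some translation rule or it is dropped, regardless of whether the box has any real need to rewrite addresses. That is why a `nat`/`global` pair has to exist even when the PIX only terminates a VPN. The `nat 0 access-list` form is an identity translation: traffic matching the list satisfies NAT control but keeps its real addresses, it is evaluated before the numbered `nat` rules, and it applies in both directions, so the decrypted pool-to-inside traffic is covered too. The posted configuration already has an ACL (108) describing exactly the inside-to-pool traffic for split tunneling; the same list serves for the exemption.

On the authentication failure in #1: the posted line `aaa-server PartnerAuth (outside) host Windows2003 cisco timeout 10` binds the RADIUS server to the outside interface, while `name 192.168.1.2 Windows2003` and `ip address inside 192.168.1.1 255.255.255.0` put that server on the inside network. The interface name in parentheses is how the PIX decides which interface to send RADIUS requests out of, so this is one of the first things to check whenever IAS shows no failed-logon events at all (as Wil's question in #5 was probing for). The fragment below uses the interface names, addresses and ACL number from the posted configuration; `<radius-shared-secret>` is a placeholder for the key configured on the IAS client entry.

```text
: Added example, not the poster's configuration or the Cisco document's.
: PIX 6.3 syntax; names, addresses and ACL 108 are taken from the posted config.

: Windows2003 is 192.168.1.2, which sits on the inside network (192.168.1.0/24),
: so the RADIUS server is reached through the inside interface, not outside.
: <radius-shared-secret> is a placeholder for the secret configured in IAS.
aaa-server PartnerAuth (inside) host Windows2003 <radius-shared-secret> timeout 10

: ACL 108 already exists in the posted config and describes inside <-> pool
: traffic; it drives both split tunneling and the NAT exemption below.
access-list 108 remark Define VPN Traffic
access-list 108 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

: Identity translation ("NAT exemption"): traffic matching ACL 108 counts as
: translated for NAT control but keeps its real addresses. nat 0 is consulted
: before the numbered nat rules and applies to both directions of the flow.
nat (inside) 0 access-list 108

: Ordinary PAT for anything else leaving the inside interface. Only needed if
: inside hosts must also reach the outside; without it, non-VPN traffic from
: inside fails NAT control and is dropped.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
```

Order matters when reading this back: the PIX tries `nat 0 access-list` first, then the numbered `nat` rules, so VPN-client traffic never picks up the PAT address while ordinary inside traffic still does.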
