VPN and radius server authentication config


awingnut

Programmer
Feb 24, 2003
759
US
Is this the correct forum for getting some configuration help setting up EasyVPN Server that will authenticate with a radius server?

I am not having much success, mostly because I don't think I understand all the jargon for setting up the proper parameters. I have a working RADIUS server (at least it works from the test client) but I cannot get it to work from a Cisco 2810. The server indicates it is rejecting the server/client password but I know I am using the correct one. TIA.
 
Thanks for the reply and yes. That is one of the issues I have a question about. One of the many questions is which AAA method to use. The sequence of setting questions asked by the VPN server setup GUI is:

IKE Proposal: I chose 3DES-MD5-Group 2, PRE_SHARE

Transform Set: I chose ESP-3DES-SHA7

AAA Method: I chose radius, local

Another question concerns 'group' authentication. The Cisco refers to group authentication, as does the VPN client, but there is nothing in RADIUS about groups. At the same time I don't understand what 'groups' refers to. I don't see any connection between 'group' authentication and some 'group' name against which to authenticate or to associate a pass phrase.

 
Thanks. I can if you tell me what command result you want posted. I have been using the Cisco GUI and I am only slightly familiar with the CHUI.
 
Log on to the CLI and, once you are in global mode, type show run, which should display the running config.
 
Thanks again. Here is the config:

Current configuration : 14819 bytes
!
! Last configuration change at 14:06:48 PCTime Mon Nov 7 2005 by admin
! NVRAM config last updated at 06:33:04 PCTime Thu Jul 21 2005 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname aimcisco1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
logging monitor warnings
enable secret 5 $1$4m8X$SV2f8EV4kxiiYWYyoWV/J/
!
username admin privilege 15 secret 5 $1$9Phg$DEXna1mOV9ICWnz9OEfM..
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate aim 0
no network-clock-participate aim 1
aaa new-model
!
!
! AAA method lists. The "default" login list (console, aux, vty) is local only.
! sdm_vpn_xauth_ml_* are Xauth user-authentication lists and sdm_vpn_group_ml_*
! are ISAKMP group-authorization lists; the crypto maps below select which pair
! is used. "group radius local" means RADIUS is asked first and the local
! database is consulted only if no RADIUS server answers, not when RADIUS
! returns a reject.
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 group radius local
aaa authentication login sdm_vpn_xauth_ml_3 group radius local
aaa authentication login sdm_vpn_xauth_ml_4 group radius local
aaa authentication login sdm_vpn_xauth_ml_5 group radius local
aaa authentication login sdm_vpn_xauth_ml_6 group radius local
aaa authentication login sdm_vpn_xauth_ml_7 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 group radius local
aaa authorization network sdm_vpn_group_ml_3 group radius local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 group radius local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip domain name aimaudit.com
ip name-server 130.205.111.141
ip name-server 130.205.111.253
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name To-Sonicwall fragment maximum 256 timeout 1
ip inspect name To-Sonicwall rpc program-number 1 audit-trail on timeout 30
ip inspect name To-Sonicwall icmp audit-trail on timeout 10
ip inspect name To-Sonicwall netshow audit-trail on timeout 3600
ip inspect name To-Sonicwall cuseeme audit-trail on timeout 3600
ip inspect name To-Sonicwall streamworks audit-trail on timeout 30
ip inspect name To-Sonicwall udp audit-trail on timeout 30
ip inspect name To-Sonicwall tcp audit-trail on timeout 3600
ip inspect name To-Sonicwall skinny audit-trail on timeout 3600
ip inspect name To-Sonicwall ftp audit-trail on timeout 3600
ip inspect name To-Sonicwall smtp audit-trail on timeout 3600
ip inspect name To-Sonicwall h323 audit-trail on timeout 3600
ip inspect name To-Sonicwall sqlnet audit-trail on timeout 3600
ip inspect name To-Sonicwall rcmd audit-trail on timeout 3600
ip inspect name To-Sonicwall realaudio audit-trail on timeout 3600
ip inspect name To-Sonicwall vdolive audit-trail on timeout 3600
ip inspect name To-Sonicwall http audit-trail on timeout 3600
ip inspect name To-Sonicwall tftp audit-trail on timeout 30
ip inspect name To-Sonicwall rtsp audit-trail on timeout 3600
ip inspect name To-Sonicwall sip audit-trail on timeout 30
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! ISAKMP (IKE phase 1) policies, tried in priority order. Policy 2 keeps the
! IOS defaults for encryption (DES) and hash (SHA-1); policy 3 keeps the
! default DH group (1).
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
! Site-to-site pre-shared key for the static peer; no-xauth exempts that peer
! from the Xauth user prompt that the crypto map otherwise applies.
crypto isakmp key 4Score7yrAgo address 66.255.181.230 no-xauth
!
! Easy VPN group. The VPN client's "group authentication" name and password
! correspond to this group name and a "key <psk>" statement under it. No key
! is configured here; the crypto map on Serial0/0/0 looks the group up through
! list sdm_vpn_group_ml_2 (RADIUS, then local), so a pre-shared group key can
! only be supplied by RADIUS in this configuration.
crypto isakmp client configuration group AIM-Remote-Users
 dns 209.195.33.7 209.195.33.8
 domain aimaudit.com
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set MD5-HMAC esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA6
 reverse-route
!
!
! SDM_CMAP_1 is defined but not applied to any interface.
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
! SDM_CMAP_2 is the map on Serial0/0/0: Xauth users are authenticated through
! sdm_vpn_xauth_ml_7 (RADIUS, then local), the group is looked up through
! sdm_vpn_group_ml_2 (RADIUS, then local), and entry 1 is a static
! site-to-site tunnel to the peer exempted from Xauth above.
crypto map SDM_CMAP_2 client authentication list sdm_vpn_xauth_ml_7
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to66.255.181.230
 set peer 66.255.181.230
 set transform-set MD5-HMAC
 match address 109
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface GigabitEthernet0/0
 description Production LAN$ETH-LAN$$FW_INSIDE$
 ip address 209.195.32.1 255.255.255.192 secondary
 ip address 209.195.33.1 255.255.255.0
 ip access-group 106 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description Old Production LAN$FW_INSIDE$
 ip address 130.205.111.132 255.255.255.128
 ip access-group 107 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
! Outside interface and the only one carrying a crypto map (SDM_CMAP_2), so
! every IPsec peer, remote-access clients included, terminates here.
interface Serial0/0/0
 description Globix T1$FW_OUTSIDE$
 ip address 209.195.44.50 255.255.255.252
 ip access-group sdm_serial0/0/0_in in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 encapsulation ppp
 ip route-cache flow
 no cdp enable
 crypto map SDM_CMAP_2
!
interface Group-Async0
 physical-layer async
 no ip address
 no group-range
!
ip local pool SDM_POOL_1 209.195.33.100 209.195.33.120
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 permanent
!
! SDM management: both plain HTTP and HTTPS are enabled with local
! authentication; over HTTP the admin credentials cross the network in the clear.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip access-list extended sdm_serial0/0/0_in
 remark SDM_ACL Category=1
----------------------------------
FIREWALL STUFF OMITTED
----------------------------------
no cdp run
!
!
!
! RADIUS server (also the first DNS server handed to VPN clients). "key 7" is
! the reversible type-7 encoding produced by service password-encryption, not a
! hash, so this line is as sensitive as the plaintext secret. Ports 1645/1646
! are the legacy RADIUS ports; the server has to be listening on them (RFC 2865
! assigns 1812/1813).
radius-server host 209.195.33.7 auth-port 1645 acct-port 1646 key 7 00021C13164808091D244D400D4E1C1213191F052D24
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
! Console and aux lines use the "default" login list (local). The vty lines
! accept telnet as well as ssh, so management logins can travel in the clear.
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180153
ntp update-calendar
ntp server 17.254.0.26 prefer
!
end
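Two points in this thread can be made concrete against the configuration above: the "rejected password" the RADIUS server reports, and what the "group" in group authentication is. The following is an added example written for this page, not code from the original post, from Cisco or from any RADIUS server; the user names, secrets and server behaviour are constructed. It builds a PAP Access-Request the way a NAS such as this router does and checks it the way a server does (RFC 2865). Because a PAP Access-Request carries nothing that authenticates the shared secret itself, a router whose `radius-server host ... key` differs from the server's copy does not produce a "bad secret" error: the server recovers garbage from the User-Password attribute and logs a wrong password for a user who typed the right one. The third case models the Easy VPN group lookup that `aaa authorization network ... group radius` performs: per Cisco's Easy VPN Server documentation, IOS sends the group name (here `AIM-Remote-Users`) as User-Name with the fixed password `cisco`, and the group's pre-shared key comes back in the Access-Accept as a Cisco av-pair (`ipsec:tunnel-password`). That attribute, or a `key` statement under `crypto isakmp client configuration group`, is where the VPN client's "group password" has to live.

```python
"""RADIUS (RFC 2865) Access-Request with a PAP User-Password, built the way a
NAS builds it and checked the way a server checks it, to show why a shared
secret mismatch surfaces as a wrong user password. Added example for this
thread, not code from the original post; users, secrets and the sample
group name are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret this yields garbage,
    not an error: a PAP Access-Request carries nothing that verifies the secret."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(cipher, mask))
        prev = cipher
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         nas_secret: bytes, authenticator: bytes = None) -> bytes:
    """NAS side: Code, Identifier, Length, 16-byte Authenticator, attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, nas_secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(pkt: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, pkt[4:20], attrs


def server_decision(pkt: bytes, server_secret: bytes, users: dict) -> str:
    """Server side: recover the password with the server's own copy of the
    secret and compare it with the user database."""
    code, _, authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or not (ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs):
        return "Access-Reject"
    candidate = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, authenticator)
    return "Access-Accept" if users.get(attrs[ATTR_USER_NAME]) == candidate else "Access-Reject"


# Constructed sample data: the server's user database and its shared secret.
USERS = {b"awingnut": b"correct-horse", b"AIM-Remote-Users": b"cisco"}
SERVER_SECRET = b"s3cr3t-shared-with-router"


def demo() -> dict:
    results = {}
    # Same secret on both sides: the correct user password is accepted.
    pkt = build_access_request(1, b"awingnut", b"correct-horse", SERVER_SECRET)
    results["matching_secret"] = server_decision(pkt, SERVER_SECRET, USERS)
    # Router holds a secret differing by one character: the user typed the right
    # password, the server decrypts with the wrong key and reports a bad password.
    pkt = build_access_request(2, b"awingnut", b"correct-horse", b"S3cr3t-shared-with-router")
    results["mismatched_secret"] = server_decision(pkt, SERVER_SECRET, USERS)
    # Easy VPN group lookup over "aaa authorization network ... group radius":
    # IOS sends the group name as User-Name with the fixed password "cisco".
    pkt = build_access_request(3, b"AIM-Remote-Users", b"cisco", SERVER_SECRET)
    results["group_lookup"] = server_decision(pkt, SERVER_SECRET, USERS)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```

Run directly, the script prints the three outcomes. The second case is the one that matters for the symptom in this thread: from the server's log it is indistinguishable from a user mistyping a password, so when a test client on the same server works and the router does not, the shared secret on the router (re-entered in plaintext, which `service password-encryption` re-encodes as `key 7`) and the server's client entry for the router's source address are the first things to compare. The third case also shows why a group lookup fails when the RADIUS server has no entry named after the group: the router has nothing to fall back to, because the local group above carries no `key`.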
 