  #4  
03-12-2011, 01:09 PM
kspeic

Hi Jeff,

I am experiencing similar difficulties. In my case, I am trying to set up RADIUS authentication for the VPN client on an SR2330. I am not faring as well as you, since I don't ever see packets arrive at the RADIUS server.

I am running V10.3 code on the Secure Router and using the "contivity-iras" option. My VPN client is at version 6_02.022.

If I configure this to use Username/Password authentication, I can establish a VPN client tunnel.

I am unsure how the VPN client's "ike policy" gets tied back to the RADIUS server. I don't see any options in the IKE policy or IPSEC policy that point back to AAA or the RADIUS. So, I have added it to my trusted interface, but that does not seem quite right to me.

interface ethernet 0/1
ip address 10.247.53.10 255.255.255.0
aaa
authentication IRAS IRASPROT
exit aaa
crypto trusted
chassis
exit ethernet




The following are key parts of my configuration, which are quite similar to yours.


aaa
authentication login IRAS radius/local
authentication protocols IRASPROT pap
enable
radius
primary_server
ipaddress 10.1.99.124
shared_key **********
exit primary_server
exit radius
source-address 10.247.53.10
exit aaa
crypto
ike policy AAA-USER
local-address *.*.*.*
remote-id group-name "groupname" ********
proposal 1
exit proposal
client configuration
address-pool 1 10.247.53.80 10.247.53.95
private-side-address 10.247.53.10
dns-server 10.1.99.121 10.1.100.5
client-domain-name mydomain.com
no client-may-store-password
client-screen-saver 15
banner-enable
banner-text "For Authorized Use ONLY."
keepalive
exit keepalive
split-tunnel
exit split-tunnel
exit configuration
ipsec policy AAA-USER
proposal 1
lifetime seconds 3600
exit proposal
exit policy
exit contivity-iras
no keepalive mode periodic
exit crypto


For the record, I have been working from NN47263-600, 04.01 which came out in October with V10.3.

Not sure if any of this helps, since I, too, have yet to get this working.


Regards,
Kerry