Secure Router 4134 VPN client authentication through RADIUS

  • carey4
    Aspiring Member
    • Feb 2011
    • 2

    Secure Router 4134 VPN client authentication through RADIUS

    Hi

    I am attempting to configure a SR4134 with VPN module to allow VPN client connections to be authenticated via a RADIUS server. I can get it to work with just username, but it's failing when I use group authentication. I have conducted Wireshark traces and can see the IKE messages pass through phase 1, and the RADIUS server has accepted the request, but it does not get past phase 1.5. The server sends out the config message and the client responds and continues, but it does not go to phase 2.

    I am using Microsoft IAS as the RADIUS server. I believe the issue is I am not sending the right information from the server to the client, but haven't been able to find anything specific that needs to be set up.

    Thank you in advance

    Cheers

    Jeff

    ike policy vpntest
    local-address *.*.*.*
    remote-id group-name "TEST-VPN" password
    proposal 1
    exit proposal
    client configuration
    address-pool 2 192.168.23.10 192.168.23.50
    private-side-address 192.168.20.3
    dns-server 192.168.10.1 192.168.10.2
    wins-server 192.168.10.1 192.168.10.2
    client-domain-name domain.local
    banner-enable
    banner-text "No Unauthorised entry"
    keepalive
    enable
    interval 60
    exit keepalive
    split-tunnel
    mode enabled
    network 192.168.9.0 24
    network 192.168.20.0 24
    network 192.168.10.0 24
    network 192.168.11.0 24
    exit split-tunnel
    nat-keepalive 60
    exit configuration
    exit policy
  • bjakka
    Aspiring Member
    • Mar 2010
    • 1

    #2
    Hello Jeff,

    Are we trying to create an IPsec tunnel between the SR4134 and the RADIUS server?

    From the configuration I could not see any phase 2 proposal related config.

    Is there any document that you are following for configuration?

    Regards
    Bala


    • carey4
      Aspiring Member
      • Feb 2011
      • 2

      #3
      Thank you Bala for your reply,

      No, the IPsec tunnel is between the Nortel VPN Client (remote user) and the SR 4134; the RADIUS server is on the local LAN through a trusted interface.

      I have left the phase 2 config as default, so I have left it out. I do not have it handy at the moment but will post it tomorrow.

      I am using NN47263-600-03.01 Configuration-Security

      Thank you in advance

      Jeff


      • kspeic
        Aspiring Member
        • Mar 2011
        • 1

        #4
        Hi Jeff,

        I am experiencing similar difficulties. In my case, I am trying to set up RADIUS authentication for the VPN client on an SR2330. I am not faring as well as you, since I don't ever see packets arrive at the RADIUS server.

        I am running V10.3 code on the Secure Router and using the "contivity-iras" option. My VPN client is at version 6_02.022.

        If I configure this to use Username/Password authentication, I can establish a VPN client tunnel.

        I am unsure how the VPN client's "ike policy" gets tied back to the RADIUS server. I don't see any options in the IKE policy or IPSEC policy that point back to AAA or the RADIUS. So, I have added it to my trusted interface, but that does not seem quite right to me.

        interface ethernet 0/1
        ip address 10.247.53.10 255.255.255.0
        aaa
        authentication IRAS IRASPROT
        exit aaa
        crypto trusted
        chassis
        exit ethernet
        The following are key parts of my configuration, which are quite similar to yours.


        aaa
        authentication login IRAS radius/local
        authentication protocols IRASPROT pap
        enable
        radius
        primary_server
        ipaddress 10.1.99.124
        shared_key **********
        exit primary_server
        exit radius
        source-address 10.247.53.10
        exit aaa
        crypto
        ike policy AAA-USER
        local-address *.*.*.*
        remote-id group-name "groupname" ********
        proposal 1
        exit proposal
        client configuration
        address-pool 1 10.247.53.80 10.247.53.95
        private-side-address 10.247.53.10
        dns-server 10.1.99.121 10.1.100.5
        client-domain-name mydomain.com
        no client-may-store-password
        client-screen-saver 15
        banner-enable
        banner-text "For Authorized Use ONLY."
        keepalive
        exit keepalive
        split-tunnel
        exit split-tunnel
        exit configuration
        ipsec policy AAA-USER
        proposal 1
        lifetime seconds 3600
        exit proposal
        exit policy
        exit contivity-iras
        no keepalive mode periodic
        exit crypto


        For the record, I have been working from NN47263-600, 04.01 which came out in October with V10.3.

        Not sure if any of this helps, since I, too, have yet to get this working.


        Regards,
        Kerry


        • rsuguna1
          Aspiring Member
          • Mar 2013
          • 2

          #5
          I'm also unable to get RADIUS to communicate with the SR2330

          Hi,

          Has anyone had luck getting the Avaya VPN client authenticated with a Windows RADIUS server through an SR2330 router?

          I'm trying to configure an SR 2330 with a Windows 2003 IAS server. I am able to establish a VPN connection with a user id and password configured in the contivity-iras.

          thanks!

          su


          • rsuguna1
            Aspiring Member
            • Mar 2013
            • 2

            #6
            I am able to authenticate through the group name, and in my RADIUS server I receive an Access-Accept for the domain login credential entered in the VPN client. But I don't see the RADIUS server pass the attributes back to the VPN router. Also, the VPN client status shows as connecting.

            Below is my config in the router:


            aaa
            accounting network acct start_stop
            accounting system rad2330 start_stop
            authentication login iras radius/local
            authentication protocols irasprtc pap
            authorization commands auth local
            tacacs
            exit tacacs
            enable
            radius
            primary_server
            ipaddress xx.xx.xx.xxxx
            shared_key password
            time_out 100
            retries 5
            exit primary_server
            secondary_server
            exit secondary_server
            exit radius
            source-address xx.xx.xx.xx
            exit aaa

            interface ethernet 0/1
            description Internet
            ip address xx.xx.xx.xx
            aaa
            accounting network acct
            authentication iras irasprtc
            authorization auth
            exit aaa
            crypto untrusted
            qos
            module
            exit module
            chassis
            exit chassis
            exit qos
            exit ethernet


            ike policy vpnusers
            local-address xx.xx.xx.xx
            remote-id group-name "vpnusers" *****
            proposal 1
            dh-group group2
            encryption-algorithm 3des-cbc
            exit proposal
            client configuration
            address-pool 1 xx.xx.xx.xx xx.xx.xx.xx
            private-side-address xx.xx.xx.xx
            dns-server xx.xx.xx.xxxxxx
            wins-server xx.xx.xx.xxxxxx
            banner-enable
            banner-text "Welcome!"
            keepalive
            enable
            interval 60
            exit keepalive
            split-tunnel
            mode enabled
            network xx.xx.xx.xx
            network xx.xx.xx.xx
            exit split-tunnel
            nat-keepalive 20
            exit configuration
            exit policy
            ipsec policy vpnusers
            proposal 1
            lifetime seconds 3600
            exit proposal
            exit policy
            exit contivity-iras

            Is there anything that I'm missing?

            Thanks for the assistance!

            su

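The posts above all hinge on one exchange that is hard to eyeball in a Wireshark trace: the router sends a PAP Access-Request (the configs use `authentication protocols ... pap`) to IAS, and IAS answers with an Access-Accept that may or may not carry attributes back. The Python below is an added example, not code from this thread or from the Secure Router or Avaya software. It encodes and decodes RFC 2865 packets so that a request/response pair pulled from a capture can be checked offline: it hides and reveals the PAP User-Password, computes and verifies the Response Authenticator against the shared secret, and lists the attributes the server returned. The shared secret, identifier, request authenticator, user name and addresses are constructed sample values.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept encoder and checker (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 8, 18
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 8: "Framed-IP-Address", 18: "Reply-Message"}


def encode_attrs(attrs):
    """TLV encode: Type(1) Length(1, includes header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """PAP password hiding (RFC 2865 5.2): 16-byte chunks XORed with an MD5 keystream."""
    p = password.encode()
    p += b"\x00" * ((-len(p)) % 16)
    if not p:
        p = bytes(16)  # an empty password still occupies one padded block
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(p[i:i + 16], keystream))
        out += chunk
        prev = chunk  # chaining: next block keyed on the previous ciphertext block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; what the RADIUS server does before checking the credential."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(ident, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # must be unpredictable in real use
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, request, attrs, secret):
    """Build the reply a RADIUS server would send for `request` (e.g. an Access-Accept)."""
    ident, request_auth = request[1], request[4:20]
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def verify_response(response, request, secret):
    """True when the reply belongs to `request` and its authenticator matches `secret`."""
    code, ident, auth, _ = parse_packet(response)
    if ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(auth, expected)


def describe_attrs(pkt):
    """Human-readable attribute list, e.g. to confirm IAS actually returned Framed-IP-Address."""
    out = []
    for t, v in parse_packet(pkt)[3]:
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t == FRAMED_IP_ADDRESS and len(v) == 4:
            out.append((name, ".".join(str(b) for b in v)))
        elif t == USER_PASSWORD:
            out.append((name, "<hidden>"))
        else:
            out.append((name, v.decode("latin-1")))
    return out


if __name__ == "__main__":
    SECRET = b"constructed-shared-key"  # constructed; matches `shared_key` on router and IAS
    req = build_access_request(7, "jeff", "s3cret-pass", SECRET)
    acc = build_response(ACCESS_ACCEPT, req, [(FRAMED_IP_ADDRESS, bytes([192, 168, 23, 10])),
                                              (REPLY_MESSAGE, b"welcome")], SECRET)
    print("request:", describe_attrs(req))
    print("accept ok:", verify_response(acc, req, SECRET), describe_attrs(acc))
    print("wrong secret:", verify_response(acc, req, b"typo"))
```

To use it on a real trace, export the UDP payloads of the Access-Request and its reply from Wireshark and call `verify_response(reply, request, shared_key)`: a `False` with a matching identifier means the `shared_key` configured on the router and on IAS differ (or the packet was altered in transit), which would also make the router discard the reply without acting on it. `describe_attrs(reply)` then shows whether the server returned anything beyond a bare Access-Accept, which is the question rsuguna1 raises in #6.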
