Secure Router 4134 VPN client authentication through RADIUS

[carey4]

Hi

I am attempting to configure a SR4134 with VPN moduale to allow VPN client connections to be authenticated via a RADIUS server. i can get it to work with just username but its failing when i use group authentication. I have conducted wireshark traces and can see the ike messages pass through phase 1 and the RADIUS server has accepted the request but it does not get past phase 1.5. The server send out the config message and the client responds and continues but it does not go to phase 2.

I am using Microsoft IAS as the radius server, I believe the issue is i am not sending the right information from the server to the client but haven't bee able to find anthing specifc that needs to be setup.

Thank you in advanced

Cheers

Jeff

ike policy vpntest
local-address *.*.*.*
remote-id group-name "TEST-VPN" password
proposal 1
exit proposal
client configuration
address-pool 2 192.168.23.10 192.168.23.50
private-side-address 192.168.20.3
dns-server 192.168.10.1 192.168.10.2
wins-server 192.168.10.1 192.168.10.2
client-domain-name domain.local
banner-enable
banner-text "No Unauthorised entry"
keepalive
enable
interval 60
exit keepalive
split-tunnel
mode enabled
network 192.168.9.0 24
network 192.168.20.0 24
network 192.168.10.0 24
network 192.168.11.0 24
exit split-tunnel
nat-keepalive 60
exit configuration
exit policy

[bjakka]

Hello Jeff,

Are we trying to create IPsec tunnel between SR4134 and Radius server?

From the configuration i could not see any phase 2 proposal related config.

Is there any document that you are following for configuration.

Regards
Bala

[carey4]

Thank you Bala for your reply,

No the IPSEC tunnel is between Nortel VPN Client(remote user) and SR 4134 the RADIUS server is on the local LAN through a trusted interface

I have left the phase 2 config as default so have left it out and do not have it handy at the moment but will post it tomorrow

I am using NN47263-600-03.01 Configuration-Security

Thank you in advance

Jeff

[kspeic]

Hi Jeff,

I am experiencing similar difficulties. In my case, I am trying to set up RADIUS authentication for the VPN client on an SR2330. I am not fairing as well as you, since I don't ever see packets arrive at the RADIUS server.

I am running V10.3 code on the Secure Router and using the "contivity-iras" option. My VPN client is at version 6_02.022.

If I configure this to use Username/Password authentication, I can establish a VPN client tunnel.

I am unsure how the VPN client's "ike policy" gets tied back to the RADIUS server. I don't see any options in the IKE policy or IPSEC policy that point back to AAA or the RADIUS. So, I have added it to my trusted interface, but that does not seem quite right to me.

interface ethernet 0/1
ip address 10.247.53.10 255.255.255.0
aaa
authentication IRAS IRASPROT
exit aaa
crypto trusted
chassis
exit ethernet



The following are key parts of my configuration, which are quite similar to yours.


aaa
authentication login IRAS radius/local
authentication protocols IRASPROT pap
enable
radius
primary_server
ipaddress 10.1.99.124
shared_key **********
exit primary_server
exit radius
source-address 10.247.53.10
exit aaa
crypto
ike policy AAA-USER
local-address *.*.*.*
remote-id group-name "groupname" ********
proposal 1
exit proposal
client configuration
address-pool 1 10.247.53.80 10.247.53.95
private-side-address 10.247.53.10
dns-server 10.1.99.121 10.1.100.5
client-domain-name mydomain.com
no client-may-store-password
client-screen-saver 15
banner-enable
banner-text "For Authorized Use ONLY."
keepalive
exit keepalive
split-tunnel
exit split-tunnel
exit configuration
ipsec policy AAA-USER
proposal 1
lifetime seconds 3600
exit proposal
exit policy
exit contivity-iras
no keepalive mode periodic
exit crypto


For the record, I have been working from NN47263-600, 04.01 which came out in October with V10.3.

Not sure if any of this helps, since I, too, have yet to get this working.


Regards,
Kerry

[rsuguna1]

Hi,

Anyone had luck to get the Avaya VPN client to get authenticated with Windows Radius Server through SR2330 Router?

Im trying to cofigure SR 2330 with a WIndows 2003 IAS server. Am able to establish a vpn connection with user id and password configured in the contivity-iras.

thanks!

su

[rsuguna1]

I am able to authenticate thru the group name and in my radius server, receive access accept for the domain login credential entered in the vpn client. But I dont see that the radius server pass the attributes back to the vpn router. Also, the vpn client status shows as connecting.

below are my config in the router:


aaa
accounting network acct start_stop
accounting system rad2330 start_stop
authentication login iras radius/local
authentication protocols irasprtc pap
authorization commands auth local
tacacs
exit tacacs
enable
radius
primary_server
ipaddress xx.xx.xx.xxxx
shared_key password
time_out 100
retries 5
exit primary_server
secondary_server
exit secondary_server
exit radius
source-address xx.xx.xx.xx
exit aaa

interface ethernet 0/1
description Internet
ip address xx.xx.xx.xx
aaa
accounting network acct
authentication iras irasprtc
authorization auth
exit aaa
crypto untrusted
qos
module
exit module
chassis
exit chassis
exit qos
exit ethernet


ike policy vpnusers
local-address xx.xx.xx.xx
remote-id group-name "vpnusers" *****
proposal 1
dh-group group2
encryption-algorithm 3des-cbc
exit proposal
client configuration
address-pool 1 xx.xx.xx.xx xx.xx.xx.xx
private-side-address xx.xx.xx.xx
dns-server xx.xx.xx.xxxxxx
wins-server xx.xx.xx.xxxxxx
banner-enable
banner-text "Welcome!"
keepalive
enable
interval 60
exit keepalive
split-tunnel
mode enabled
network xx.xx.xx.xx
network xx.xx.xx.xx
exit split-tunnel
nat-keepalive 20
exit configuration
exit policy
ipsec policy vpnusers
proposal 1
lifetime seconds 3600
exit proposal
exit policy
exit contivity-iras

is there anything that im missing?

Thanks for the assistance!

su