Avaya Support Forums  

Avaya Networking Products
#1  02-07-2011, 07:54 PM  carey4
Secure Router 4134 VPN client authentication through RADIUS

Hi

I am attempting to configure an SR4134 with a VPN module to allow VPN client connections to be authenticated via a RADIUS server. I can get it to work with just a username, but it's failing when I use group authentication. I have conducted Wireshark traces and can see the IKE messages pass through phase 1, and the RADIUS server has accepted the request, but it does not get past phase 1.5. The server sends out the config message and the client responds and continues, but it does not go to phase 2.

I am using Microsoft IAS as the RADIUS server. I believe the issue is that I am not sending the right information from the server to the client, but I haven't been able to find anything specific that needs to be set up.

Thank you in advance

Cheers

Jeff

ike policy vpntest
  local-address *.*.*.*
  remote-id group-name "TEST-VPN" password
  proposal 1
  exit proposal
  client configuration
    address-pool 2 192.168.23.10 192.168.23.50
    private-side-address 192.168.20.3
    dns-server 192.168.10.1 192.168.10.2
    wins-server 192.168.10.1 192.168.10.2
    client-domain-name domain.local
    banner-enable
    banner-text "No Unauthorised entry"
    keepalive
      enable
      interval 60
    exit keepalive
    split-tunnel
      mode enabled
      network 192.168.9.0 24
      network 192.168.20.0 24
      network 192.168.10.0 24
      network 192.168.11.0 24
    exit split-tunnel
    nat-keepalive 60
  exit configuration
exit policy
#2  03-03-2011, 06:31 AM  bjakka

Hello Jeff,

Are we trying to create an IPsec tunnel between the SR4134 and the RADIUS server?

From the configuration I could not see any phase 2 proposal-related config.

Is there any document that you are following for the configuration?

Regards
Bala
#3  03-07-2011, 03:14 AM  carey4

Thank you Bala for your reply,

No, the IPsec tunnel is between the Nortel VPN Client (remote user) and the SR 4134; the RADIUS server is on the local LAN through a trusted interface.

I have left the phase 2 config as default, so I left it out. I do not have it handy at the moment but will post it tomorrow.

I am using NN47263-600-03.01, Configuration - Security.

Thank you in advance

Jeff
#4  03-12-2011, 02:09 PM  kspeic

Hi Jeff,

I am experiencing similar difficulties. In my case, I am trying to set up RADIUS authentication for the VPN client on an SR2330. I am not faring as well as you, since I don't ever see packets arrive at the RADIUS server.

I am running V10.3 code on the Secure Router and using the "contivity-iras" option. My VPN client is at version 6_02.022.

If I configure this to use Username/Password authentication, I can establish a VPN client tunnel.

I am unsure how the VPN client's "ike policy" gets tied back to the RADIUS server. I don't see any options in the IKE policy or IPsec policy that point back to AAA or RADIUS. So I have added it to my trusted interface, but that does not seem quite right to me.

interface ethernet 0/1
  ip address 10.247.53.10 255.255.255.0
  aaa
    authentication IRAS IRASPROT
  exit aaa
  crypto trusted
  chassis
exit ethernet

The following are key parts of my configuration, which are quite similar to yours.

aaa
  authentication login IRAS radius/local
  authentication protocols IRASPROT pap
  enable
  radius
    primary_server
      ipaddress 10.1.99.124
      shared_key **********
    exit primary_server
  exit radius
  source-address 10.247.53.10
exit aaa
crypto
  ike policy AAA-USER
    local-address *.*.*.*
    remote-id group-name "groupname" ********
    proposal 1
    exit proposal
    client configuration
      address-pool 1 10.247.53.80 10.247.53.95
      private-side-address 10.247.53.10
      dns-server 10.1.99.121 10.1.100.5
      client-domain-name mydomain.com
      no client-may-store-password
      client-screen-saver 15
      banner-enable
      banner-text "For Authorized Use ONLY."
      keepalive
      exit keepalive
      split-tunnel
      exit split-tunnel
    exit configuration
  ipsec policy AAA-USER
    proposal 1
      lifetime seconds 3600
    exit proposal
  exit policy
  exit contivity-iras
  no keepalive mode periodic
exit crypto

For the record, I have been working from NN47263-600, 04.01, which came out in October with V10.3.

Not sure if any of this helps, since I, too, have yet to get this working.


Regards,
Kerry
#5  03-05-2013, 11:28 PM  rsuguna1
I'm also unable to get the RADIUS to communicate with the SR2330

Hi,

Has anyone had luck getting the Avaya VPN client authenticated against a Windows RADIUS server through an SR2330 router?

I'm trying to configure an SR 2330 with a Windows 2003 IAS server. I am able to establish a VPN connection with a user ID and password configured in the contivity-iras.

thanks!

su
#6  03-26-2013, 01:21 AM  rsuguna1

I am able to authenticate through the group name, and on my RADIUS server I receive an Access-Accept for the domain login credentials entered in the VPN client. But I don't see the RADIUS server pass the attributes back to the VPN router. Also, the VPN client status shows as connecting.

Below is my config on the router:


aaa
  accounting network acct start_stop
  accounting system rad2330 start_stop
  authentication login iras radius/local
  authentication protocols irasprtc pap
  authorization commands auth local
  tacacs
  exit tacacs
  enable
  radius
    primary_server
      ipaddress xx.xx.xx.xxxx
      shared_key password
      time_out 100
      retries 5
    exit primary_server
    secondary_server
    exit secondary_server
  exit radius
  source-address xx.xx.xx.xx
exit aaa

interface ethernet 0/1
  description Internet
  ip address xx.xx.xx.xx
  aaa
    accounting network acct
    authentication iras irasprtc
    authorization auth
  exit aaa
  crypto untrusted
  qos
    module
    exit module
    chassis
    exit chassis
  exit qos
exit ethernet

ike policy vpnusers
  local-address xx.xx.xx.xx
  remote-id group-name "vpnusers" *****
  proposal 1
    dh-group group2
    encryption-algorithm 3des-cbc
  exit proposal
  client configuration
    address-pool 1 xx.xx.xx.xx xx.xx.xx.xx
    private-side-address xx.xx.xx.xx
    dns-server xx.xx.xx.xxxxxx
    wins-server xx.xx.xx.xxxxxx
    banner-enable
    banner-text "Welcome!"
    keepalive
      enable
      interval 60
    exit keepalive
    split-tunnel
      mode enabled
      network xx.xx.xx.xx
      network xx.xx.xx.xx
    exit split-tunnel
    nat-keepalive 20
  exit configuration
exit policy
ipsec policy vpnusers
  proposal 1
    lifetime seconds 3600
  exit proposal
exit policy
exit contivity-iras

Is there anything that I'm missing?

Thanks for the assistance!

su
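Posts #1 and #6 both come down to the same question: what the RADIUS server actually puts in its Access-Accept, and whether the router can trust and read it. The following Python is an added illustration, not code from this thread and not Avaya's, of the RFC 2865 exchange behind the `authentication protocols ... pap` lines above: the NAS hides the PAP password with the shared secret and a random Request Authenticator, the server recovers it, checks it and answers with attributes (here a single Vendor-Specific attribute), and the NAS verifies the Response Authenticator before it believes any of those attributes. The user name, the shared secret, and the Vendor-Id 99999 / vendor type 1 are constructed placeholders; the thread does not give the Nortel/Contivity attribute set, so none is claimed here.

```python
"""RFC 2865 RADIUS PAP round trip: NAS -> Access-Request, server -> Access-Accept
with a Vendor-Specific attribute, NAS verifies the Response Authenticator.
Added illustration only; not code from this thread or from Avaya."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26

def tlv(attr_type, value):
    # Attribute = Type(1) Length(1) Value; Length includes the two header bytes.
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def vsa(vendor_id, vendor_type, data):
    # RFC 2865 s5.26: Vendor-Specific = Vendor-Id(4) + vendor TLV (type, len, data).
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + bytes([vendor_type, len(data) + 2]) + data)

def decode_vsa(value):
    # Inverse of vsa(): (vendor_id, vendor_type, data).
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, value[4], value[6:4 + value[5]]

def hide_password(password, secret, req_auth):
    # RFC 2865 s5.2: pad to a 16-byte multiple; block i is XORed with
    # MD5(secret + previous ciphertext block), block 0 with MD5(secret + Request Authenticator).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse(packet):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attribute TLVs.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, packet[4:20], attrs

def build_access_request(ident, username, password, secret, nas_ip):
    # NAS side. The Request Authenticator is returned because the NAS needs it
    # again to validate the server's reply.
    req_auth = os.urandom(16)
    attrs = (tlv(USER_NAME, username)
             + tlv(USER_PASSWORD, hide_password(password, secret, req_auth))
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def server_respond(request, secret, users, accept_attrs):
    # Server side. users: username -> password. accept_attrs: encoded attributes
    # returned on success (in the thread's case, whatever the VPN router expects).
    code, ident, req_auth, attrs = parse(request)
    got = dict(attrs)
    user = got.get(USER_NAME)
    password = unhide_password(got.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and user in users and hmac.compare_digest(users[user], password)
    code, body = (ACCESS_ACCEPT, accept_attrs) if ok else (ACCESS_REJECT, b"")
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(response, req_auth, secret):
    # NAS side. A reply that fails this check was not built with this shared
    # secret for this request; none of its attributes may be trusted.
    code, ident, resp_auth, attrs = parse(response)
    header = struct.pack("!BBH", code, ident, len(response))
    expected = hashlib.md5(header + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or altered reply")
    return code, attrs

def demo(secret=b"testing123", password=b"correct horse battery"):
    # Constructed data. Vendor-Id 99999 / vendor type 1 are placeholders, not
    # the Nortel/Contivity attribute set (which this thread does not give).
    req, req_auth = build_access_request(7, b"jeff", password, secret, "10.247.53.10")
    resp = server_respond(req, secret, {b"jeff": b"correct horse battery"}, vsa(99999, 1, b"vpnusers"))
    code, attrs = verify_response(resp, req_auth, secret)
    return code, [decode_vsa(v) for t, v in attrs if t == VENDOR_SPECIFIC]

if __name__ == "__main__":
    print(demo())  # (2, [(99999, 1, b'vpnusers')])
```

When going through the Wireshark traces the posters describe, `parse()` and `decode_vsa()` can be pointed at the raw UDP payload of a captured Access-Accept to list exactly which attributes IAS returned; an Access-Accept whose attribute list is empty after the 20-byte header is the "accepted, but nothing passed back" symptom in post #6, and a Response Authenticator that fails against the router's configured secret means the router will discard the reply even though the server logged an accept. Note that both the password hiding and the authenticator rest on MD5 and the shared secret, so a short or guessable `shared_key` weakens the whole exchange.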