IPsec IKEv2 Cisco AAA server

Good day,

Is it possible to configure an IPsec IKEv2 VPN without an AAA server? Or, failing that, can the ASA 5508-X itself be used as the AAA server for VPN users?

Hello,

I have attached an ASDM screenshot showing LOCAL authentication and DHCP address assignment for VPN users.

Kind regards

Aditya


Tags: Cisco Security

Similar Questions

  • IPsec VPN on Cisco ASA with ACS 5.1

    We have configured IPsec VPN authentication on a Cisco ASA against ACS 5.1.

    Here is the config on the Cisco ASA 5580:

    access-list acltest standard permit 10.10.30.0 255.255.255.0
    aaa-server Gserver protocol radius
    aaa-server Gserver (inside) host 10.1.8.10
     key cisco
    aaa-server Gserver (inside) host 10.1.8.11
     key cisco
    group-policy gpTest internal
    group-policy gpTest attributes
     vpn-tunnel-protocol ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value acltest
    tunnel-group test type remote-access
    tunnel-group test general-attributes
     address-pool pool
     default-group-policy gpTest
     authentication-server-group Gserver LOCAL
     authorization-server-group Gserver
     accounting-server-group Gserver
    tunnel-group test ipsec-attributes
     pre-shared-key cisco123

    On the ACS, we configured a user group, "VPN users", and all VPN users are in this group. The ACS access policy says: if the user is in the "VPN users" group, permit access.

    When we connect from a VPN Client to the server, all users connect successfully. But when we look at the ACS log viewer, every successful user connection also gets the error:

    22040 Wrong password or invalid shared secret

    (please see the attached picture)

    The system still works, but I don't know why we get the error in the log.

    Thanks for any help you can provide!

    Duyen

    Hello Duyen,

    I think I've narrowed down the issue. With remote-access VPN using RADIUS authentication, we must keep in mind that authentication and authorization are carried in the same packet.

    Per your configuration, the ACS is defined as a RADIUS server (aaa-server Gserver protocol radius) and the VPN tunnel group is both authenticated and "authorized" against this server group:

    authentication-server-group Gserver LOCAL
    authorization-server-group Gserver

    As noted above, the RADIUS request/response carries authentication and authorization in the same packet. This looks like a misconfiguration: we should not set up "authorization" in the tunnel group.

    Please remove the authorization under the tunnel group:

    no authorization-server-group Gserver

    Please test the connection again and check the ACS logs. At this point there should be only successful logs reported on the ACS side.

    "authorization-server-group" is for LDAP authorization, i.e. when authenticating to an LDAP server, to retrieve the authorization attributes from the server. RADIUS does not need the command, as explained above.

    I hope this helps.

    Kind regards.
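The "wrong password or invalid shared secret" wording in the ACS log above is inherent to RADIUS, not specific to ACS: the User-Password attribute is hidden with an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865 section 5.2), so a server holding a different secret recovers garbage and cannot tell that apart from a mistyped password. The Python script below is an added example, not code from the original thread or from Cisco: it builds a minimal Access-Request, plays the server side once with the right secret and once with a wrong one, and runs the Response Authenticator check a client uses to detect the mismatch. The username, password, secrets and the fixed Request Authenticator are constructed for the demonstration.

```python
"""Minimal RADIUS PAP exchange (RFC 2865) showing why a shared-secret mismatch
surfaces as 'wrong password' on the server and as an unverifiable response on
the client. Added example; every name and secret below is made up."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does it. With the wrong secret the
    keystream is wrong and the result is noise, indistinguishable from a typo."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, secret, username, password, request_auth=None):
    """Client side: Access-Request carrying User-Name and a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_decide(packet, server_secret, user_db):
    """Server side: recover the password with *its* secret, compare with the user
    database, and return an Access-Accept or Access-Reject signed with its secret."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    recovered = reveal_password(attrs[USER_PASSWORD], server_secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(attrs[USER_NAME]) == recovered else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + _md5(header, request_auth, server_secret)


def client_verify_response(response, request_auth, client_secret):
    """Client side: a response signed with a different secret fails this check,
    whereas a genuine Access-Reject for a bad password still verifies."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = _md5(response[:4], request_auth, response[20:length], client_secret)
    return response[4:20] == expected


if __name__ == "__main__":
    db = {b"alice": b"s3cret!"}                  # constructed user database
    req = build_access_request(7, b"cisco", b"alice", b"s3cret!")
    ra = req[4:20]
    good = server_decide(req, b"cisco", db)     # same secret on both sides
    bad = server_decide(req, b"cisc0", db)      # server holds a different secret
    print("matching secret: accept =", good[0] == ACCESS_ACCEPT,
          "response verifies =", client_verify_response(good, ra, b"cisco"))
    print("secret mismatch: accept =", bad[0] == ACCESS_ACCEPT,
          "response verifies =", client_verify_response(bad, ra, b"cisco"))
```

The useful distinction for troubleshooting is in the last two lines: a genuine Access-Reject for a wrong password still carries a valid Response Authenticator, while a reject produced by a secret mismatch does not, so the NAS side drops it as if the server had never answered.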

  • ASA SHA256 integrity for IPsec IKEv2 proposal

    Hi team,

    I tried to configure SHA256 integrity for an IPsec IKEv2 proposal and the SHA256 option wasn't available; the version we run is 9.0(3). The ASA model is a 5540 (legacy). Could someone please help us identify whether this is supported on the legacy firewall if we upgrade the software to 9.1(6), as this is the last version available for the box?

    ASA(config-ipsec-proposal)# protocol esp integrity ?

    ipsec-proposal mode commands/options:
      md5    set hash md5
      null   set hash null
      sha-1  set hash sha-1

    Thank you

    Vishnu

    Hi there...

    Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 - IPsec and ISAKMP - Creating a Basic IPsec Configuration - note at the end of step 2:

    SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not the 5505, 5510, 5520, 5540 and 5550).

    Given that Cisco has announced the end-of-life date for these older platforms

  • Several AAA server hosts for VPN authentication

    ASA5510 - 7.2(1)

    Using the following configuration, I am trying to have several RADIUS servers configured for VPN authentication, as backup in case the primary fails. This seems to work OK. But once the main server is back up, when will the ASA begin to use it again? The output of "show aaa-server host 172.25.4.20" says

    Server status: FAILED, Server disabled at 08:04:25.

    How do you reactivate it?

    aaa-server adauth protocol radius
    aaa-server adauth host 172.25.4.20
     key *
     authentication-port 1812
     accounting-port 1813
    aaa-server adauth host 172.25.4.40
     key *
     authentication-port 1812
     accounting-port 1813
    tunnel-group group general-attributes
     address-pool pool
     authentication-server-group adauth
     default-group-policy

    You can add the following option in the aaa-server group:

    reactivation-mode timed

    This causes a dead server to be added back to the pool after 30 seconds.

    The following link has some good info on the options available. I suggest searching the doc for "reactivation".

    http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/crt_711.PDF

    -Eric


  • How to use 2 AAA servers for different connections

    Hello, could you help me?

    This is part of my setup; I would like to add another RADIUS server, which should take care of telnet on vty 0 4.

    The RADIUS server 10.20.30.40 handles virtual access, and I have another RADIUS server which takes care of logins to our network equipment.

    ! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
    !
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login no_tacacs enable
    aaa authentication ppp default group tacacs+
    aaa authorization exec default group tacacs+
    aaa authorization network default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    !
    virtual-profile virtual-template 1
    virtual-profile aaa
    !
    interface Serial2/0:15
     description ISDN30
     no ip address
     encapsulation ppp
     no ip route-cache
     no keepalive
     dialer pool-member 10
     isdn switch-type primary-net5
     isdn tei-negotiation first-call
     isdn calling-number XXXXXXX
     no fair-queue
     compress stac
     no cdp enable
     ppp authentication chap
     ppp multilink
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet1/0
     ip nat outside
     ppp authentication chap
    !
    radius-server host 10.20.30.40 key *
    !
    line con 0
     exec-timeout 20 0
     password *
     login authentication no_tacacs
     transport input none
     flowcontrol hardware
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 60 0
     password *
     login authentication no_tacacs
     transport input telnet
     transport output telnet

    If I just add

    aaa authentication login vtymethod group tacacs+ enable
    radius-server host 10.50.60.70 key *
    line vty 0 4
     login authentication vtymethod

    my telnet request goes to 10.20.30.40 and I get refused! Could you help me with a working solution?

    Thank you

    Jens

    I think that your solution would be to set up a different RADIUS server group with the new server in the new group, and use the new group to authenticate your vty. The config might look like this:

    aaa group server tacacs+ vty_TAC
     server 10.50.60.70
    aaa authentication login vtymethod group vty_TAC enable
    radius-server host 10.50.60.70 key *

    I have set up this kind of thing and it worked fine. When I set it up I explicitly configured (and named) two different RADIUS server groups and referenced the specific server groups for each authentication method. I am not sure whether it works to keep the default group tacacs+ and use it for your normal authentication, or whether you may need to configure a named group for that as well.

    Try it and tell us what happens.

    HTH

    Rick

  • AnyConnect with IPsec IKEv2 certificate requirement

    Hello all,

    We are implementing AnyConnect with IKEv2.

    I need to know whether I can do this without a valid CA certificate.

    Will this work with an ASA self-signed certificate?

    Regards,

    Mahesh

    Mahesh,

    SSL is used only for a few initial steps ("client services", such as downloading the AnyConnect package and the profile.xml file) in an IPsec IKEv2 remote access VPN.

    As with the more familiar SSL VPN, you can use a self-signed certificate on the ASA in conjunction with IKEv2.

    Your clients will either have to click past the untrusted-server warning every time, or else install the ASA's self-signed certificate in their trusted root CA store. With a certificate issued by a public CA, they won't have to do either of those things.

    There are a few excellent documents elsewhere here on CSC that you can reference in your deployment. Here are the links to them:

    Reference #1

    Reference #2

  • aaa-server reset

    In the Cisco doc: http://www.cisco.com/en/US/customer/docs/security/asa/asa80/command/reference/a1.html#wp1510772

    the command:

    aaa-server host 192.168.125.60

    is referenced, but it is an 8.0(2) addition.

    Does anyone know how to do the same thing in release 7.2.2.x of the ASA code?

    I have multiple AAA servers in FAILED state and need to restart/refresh them. If I run the "test aaa-server" command, it works, so I know that the AAA server is now online.

    You can do this via ASDM. In ASDM, you can set the method by which the servers will be reactivated. The following link may help you:

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/asdm52/user/guide/aaasetup.html#wp1160615

  • Remote access to the network when the AAA server is down - help

    Hi all, I have a Cisco ASA 5510. I configured Cisco AnyConnect to authenticate via Windows IAS. We recently had a server crash and I tried to get to it remotely via AnyConnect and couldn't. Once the IAS server came back, I could get back into the network.

    Is there a command that I'm missing that will allow me to connect to the network via AnyConnect even if my AAA server is down?

    Here is the AAA part of my config...

    aaa-server WindowsIAS protocol radius
     max-failed-attempts 5
    aaa-server WindowsIAS (inside) host 192.168.2.15
     key xxxxxxxxxx
     radius-common-pw xxxxxxxxxx

    Thanks in advance... Dan

    Dan,

    Try adding the LOCAL keyword to your authentication-server-group statement in your tunnel group or group policy.

    http://www.Cisco.com/en/us/docs/security/ASA/asa90/command/reference/A3...

    Thank you

    Sent from Cisco Technical Support iPad App

  • Starting a WDS server with a Cisco DHCP server

    Hi;

    I want to use the Cisco DHCP server and I do not know which option I need to set on my DHCP server.

    Thanks

    You should contact Cisco support for help with their product.

  • AAA server group does not work

    All,

    I have an AAA server group set up on my router to use for AAA, but it doesn't work that way; when I simply specify a server and not the group list, everything works. Any ideas why this is? I'm going to post the config.

    *****************************************************

    version 12.2
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname BUSINESS
    !
    aaa new-model
    aaa group server tacacs+ TACSLOG
     server 192.x.x.x
     server 192.x.x.x
    !
    aaa authentication login default group TACSLOG local
    aaa authorization exec default group TACSLOG local
    aaa accounting exec default start-stop group TACSLOG
    aaa accounting commands 5 default start-stop group TACSLOG
    aaa accounting commands 15 default stop-only group TACSLOG
    enable password xxx
    !
    username xxx password xxx
    username xxx privilege 15
    username xxx autocommand menu ADMIN1
    ip subnet-zero
    !
    ip domain-name SBA.GOV
    !
    call rsvp-sync
    !
    interface FastEthernet0/0
     ip address 192.x.x.x 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    ip classless
    no ip http server
    !
    menu ADMIN1 prompt ^CSELECT AN OPTION PUNK^C
    menu ADMIN1 text 1 SHO IP INTERFACE BRIEF
    menu ADMIN1 command 1 SHOW IP INTERFACE BRIEF
    menu ADMIN1 text 2 SHOW INTERFACE FA0/0
    menu ADMIN1 command 2 SHO INT FA0/0
    menu ADMIN1 text 3 SHOW RUN INTERFACE FA0/0
    menu ADMIN1 command 3 SHOW RUN INT FA0/0
    menu ADMIN1 text 4 SHOW ARP
    menu ADMIN1 command 4 SHOW ARP
    menu ADMIN1 text 5 EXIT
    menu ADMIN1 command 5 LOGOUT
    !
    dial-peer cor custom
    !
    privilege exec level 5 show ip interface brief
    privilege exec level 5 show interface fa0/0
    privilege exec level 5 show running-config interface fa0/0
    privilege exec level 5 show arp
    !
    line con 0
    line aux 0
    line vty 0 4
     password xxx
    !
    end

    When you define an AAA server group, you associate the servers' IP addresses with the group name. You must still define each AAA server separately, which is also where you set up the key that is used. In your case, you must add to your configuration:

    radius-server host 192.x.x.x key Council
    radius-server host 192.x.x.x key Council

    HTH

    Steve

  • Cisco IOS certificate server - is it supported on 857/877 routers?

    Could someone please confirm whether the Cisco IOS certificate server feature is supported on the Cisco 857 router? We have checked with the Software Advisor and no image comes up for the 857 when the IOS certificate server feature is selected, but the advancedipservices image v12.4(11)T comes up for the 877.

    Both the 857 and the 877 support the IOS certificate server.

    For the 857 you need the ADVANCED SECURITY feature set, 12.3(14)YT:

    http://Tools.Cisco.com/ITDIT/CFN/dispatch?Act=feature&ImageID=619356&platformFamily=306&featureSet=8&featureSelected=2208&availSoftwares=iOS

    The 877 offers more IOS images with certificate server support; when I chose the Cisco IOS certificate server feature in Feature Navigator I got a lot of IOS images supporting this feature.

    Go to Feature Navigator:

    http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp

    Select "Search by Feature" and select the item "Cisco IOS Certificate Server"; you can then filter the results by platform (857/877).

    M.

  • Problems reaching a remote AAA server

    Hi all. I can ping and traceroute to this TACACS+ server, but I can't authenticate my telnet users. I configured local AAA fallback so that it tries the remote server several times and then falls back to the local database. I noticed the logs show TCP FINs, which indicates that I am actually reaching the remote server but the server sends a TCP FIN; or is the server simply not available, as the logs indicate? Why would the server not be accessible if I can ping and traceroute to it?

    I also checked that the NOC extranet firewall accepted my traffic to the RADIUS server; they took the logs showing that my traffic was accepted.

    Feb 04 2011 13:04:12: %ASA-7-609001: Built local-host inside:AAA_SERVER
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24728 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24729 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24728 for inside:AAA_SERVER/49 to identity:17.2.2.2/39039 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
    Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
    Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-611102: User authentication failed: Uname: vzz19
    Feb 04 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24729 for inside:AAA_SERVER/49 to identity:17.2.2.2/33702 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-7-609002: Teardown local-host inside:AAA_SERVER duration 0:00:00

    Here is my AAA config

    aaa-server MYGROUP protocol tacacs+
     max-failed-attempts 4
    aaa-server MYGROUP (inside) host AAA_SERVER
     timeout 3
    aaa authentication telnet console MYGROUP LOCAL
    aaa authentication enable console MYGROUP LOCAL
    aaa accounting command privilege 15 MYGROUP

    I can ping AND traceroute to the RADIUS server

    ATLUSA01-FW01# ping AAA_SERVER
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to AAA_SERVER, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
    ATLUSA01-FW01# traceroute AAA_SERVER

    Type escape sequence to abort.
    Tracing the route to 151.162.239.239

     1  17.2.2.3 0 msec 0 msec 0 msec
     2  17.2.2.4 0 msec 0 msec 0 msec  - extranet firewall
     3  10.4.7.1 0 msec 0 msec 0 msec
     4  10.4.7.13 0 msec 0 msec 0 msec
     5  10.4.7.193 0 msec 0 msec 0 msec
     6  AAA_SERVER (10.5.5.5) 0 msec 10 msec 10 msec

    You'll certainly need the assistance of the AAA administrator; troubleshooting on the AAA client side shows only a fraction of what's going on.

    Ask him or her to do the following:

    Much easier, and the most important thing, is to check the "failed attempts" log and see whether there is any entry at all for your ASA.

    If there is an entry, it should be self-explanatory, like "Unknown NAS" or "TACACS+ key mismatch". Being convinced of a good config and checking it are two different things.

    I have seen weird things like someone typing a key into an AAA server via remote desktop with inconsistent keyboard settings (English/German), resulting in swapped "Y" and "Z" letters. Do not trust your config until you have checked it.

    If there is no entry at all, then it could be a device on the path which allows ping/traceroute but drops tcp/49, or a device is translating the address of the ASA (well, in this case you should see an "Unknown NAS" in the failed attempts).

    Do you have the possibility to connect a device, such as a laptop, inside the network of the ASA? If so, try telnet to tcp/49 of the AAA server; you'll see immediately whether tcp/49 is allowed (a blank screen immediately = connectivity, timeout = no connectivity).

    That's all you can do on your side; unfortunately the ASA isn't a telnet client.

    Rgds,

    MiKa
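Reading the log above in order is what separates the two failure modes: each TCP/49 session is "Built" and then torn down with "TCP FINs" after 41 bytes and a duration of 0:00:00, four times, before the ASA marks the server FAILED and falls back to LOCAL, where the user is then rejected for an unrelated reason ("Invalid password" in the local database). The Python script below is an added example, not part of the original thread; it applies that reading to constructed syslog lines modelled on the ones posted (shortened, with the same sanitized names) and tells "server reachable but it closed the session" apart from "SYN never answered" and "no session was ever built". The message formats are the standard ASA ones; the hostnames, addresses and user come from the post.

```python
"""Classify an ASA AAA failure from its syslog messages. Added example, not from
the post; SAMPLE_LOG is constructed after the log posted above (shortened) and
uses its sanitized names. Message formats are the standard ASA ones."""
import re
from collections import Counter

SAMPLE_LOG = """\
Feb 04 2011 13:04:12: %ASA-7-609001: Built local-host inside:AAA_SERVER
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
"""

BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection (\d+) for \w+:(\S+)/(\d+) ")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for \w+:(\S+)/(\d+) .*"
                      r"duration (\S+) bytes (\d+) (.+)$")
UNREACH = re.compile(r"%ASA-6-113014: AAA authentication server not accessible : "
                     r"server = (\S+) : user = (\S+)")
MARKED = re.compile(r"%ASA-2-113022: AAA Marking (\S+) server (\S+) in aaa-server group (\S+) as FAILED")
FALLBACK = re.compile(r"%ASA-4-409023: Attempting AAA Fallback method (\S+) for (\w+) request for user (\S+)")
REJECTED = re.compile(r"%ASA-6-113015: AAA user authentication Rejected : "
                      r"reason = (.+?) : (.+?) : user = (\S+)")


def diagnose(log_text: str) -> dict:
    """Walk the log in order and summarise what happened to the AAA exchange."""
    stats = Counter()
    result = {"server": None, "protocol": None, "group": None,
              "fallback": None, "fallback_result": None}
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            stats["built"] += 1                      # three-way handshake completed
        elif m := TEARDOWN.search(line):
            _cid, _server, _port, duration, nbytes, how = m.groups()
            how = how.strip()
            if how == "SYN Timeout":
                stats["syn_timeout"] += 1            # nobody answered the SYN
            elif how == "TCP FINs" and duration == "0:00:00" and int(nbytes) > 0:
                stats["fin_immediately"] += 1        # data sent, session closed at once
        elif m := UNREACH.search(line):
            stats["unreachable"] += 1
            result["server"] = m.group(1)
        elif m := MARKED.search(line):
            result["protocol"], result["server"], result["group"] = m.groups()
            stats["marked_failed"] += 1
        elif m := FALLBACK.search(line):
            result["fallback"] = m.group(1)
        elif m := REJECTED.search(line):
            reason, where, _user = m.groups()
            result["fallback_result"] = f"rejected ({reason}) by {where}"
    result["stats"] = dict(stats)
    result["verdict"] = _verdict(stats)
    return result


def _verdict(stats: Counter) -> str:
    if stats["syn_timeout"]:
        return ("SYN sent to the server port but never answered: tcp/49 is filtered on "
                "the path or nothing is listening, even though ICMP gets through")
    if stats["built"] and stats["fin_immediately"]:
        return ("TCP/49 sessions were built and closed within the same second with FINs "
                "before any reply: the server is reachable but rejects the exchange "
                "(check its failed-attempts log for a key mismatch or an unknown client address)")
    if stats["unreachable"] and not stats["built"]:
        return "no TCP/49 session was built at all: the request never left the ASA towards the server"
    if stats["built"]:
        return "TCP/49 sessions completed normally; look at the AAA verdict, not reachability"
    return "no AAA activity found in this log"


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The verdict for the posted log is the "reachable but rejects the exchange" branch, which matches the advice above to have the AAA administrator look at the server's failed-attempts log rather than at connectivity; the fallback_result field also shows that the LOCAL fallback did engage, and failed only because the local username had a different password.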

  • Cisco UCS server - HDMI port

    Dear Cisco team,

    One of our customers asked for an HDMI port on Cisco UCS servers.

    Can someone help me with this please?

    If so, please let me know on which Cisco UCS server it is available.

    Kind regards

    Farhan.

    As far as I know, none of the UCS servers have an HDMI port.

  • TMSXE 3.0.1 & TMS 13.2: Cisco TMS server is not responding. Halting.

    Hello,

    I recently upgraded to TMS 13.2 and installed TMSXE 3.0.1. Installation and configuration worked well, but no event is synchronized to TMS. If I look at the log file, I see the following line:

    Cisco TMS Server is not responding. Halting.

    It seems that TMSXE is not able to communicate with TMS. Setup worked well, and the TMS user is Super Administrator, so I don't think it's a permission problem.

    I have attached the TMSXE log with the log level set to Debug.

    Any ideas?

    Hey,

    Are you using HTTPS or HTTP to communicate with the TMS server from the TMSXE service?

    Also, I would look in the Windows event logs to see if there's something interesting there, especially the Application and TMSXE event logs. I don't want you to attach them here (that's for the TAC), but if you see something that could be linked to the issue, please let us know.

    Otherwise, I recommend you get help from TAC on this, since it is more appropriate for deeper troubleshooting.

    / Magnus

  • Implications of the Cisco TelePresence Server operating mode

    I have a Cisco TelePresence Server that is currently running in locally managed mode. If I change it to remotely managed and add it to my TMS, will I lose all my permanent locally created conference rooms? (Will they get deleted?)

    Thank you!

    Hi Douglas.  The TS blade doesn't need to be in remotely managed mode in order to be managed by TMS.  That mode is used for management by a TelePresence Conductor.

    It was introduced in TS 3.0.

    Release notes:

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/TS/release_note/Cisco_Telepresence_Server_Release_Notes_3-0_2-24.PDF

    Page 2 pretty much answers your question.

    If you're not using a Conductor, or your own program using the API, to drive the TS in that mode, it's better to leave it in locally managed mode, add the system to TMS and leave it that way.  This is the normal operating mode if you use TMS.  Leave it in locally managed mode, add it to TMS, and you can book meetings etc. against it using TMS.  If automatic discovery is enabled in TMS, the permanent meetings should appear in TMS.

    I hope this helps.

    VR

    Patrick
