Troubleshooting PIX firewall and IAS 2003

Sorry about this, guys, but I've been all over hell and back trying to find the solution to this problem, and the boss is getting a little impatient. Sorry in advance if this is a little verbose, but I wanted to make sure all the info needed was supplied. Thanks in advance; just ask for any extra debug output or configuration info, and thy shall receive.

I'm currently trying in a test environment (cut off from the internet) to configure a PIX 501 with OS version 6.3(4) to authenticate VPN clients via RADIUS using IAS 2003. I've set it up as is shown in this document:

formatting link
I've gone over the document two or three times and I'm pretty sure that I have it set up basically the way it shows. I'm sure the shared secrets are the same and that the user has been given VPN privs.

Here is my PIX configuration:

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2zZ07gPEI9TAr1VS encrypted
passwd 2zZ07gPEI9TAr1VS encrypted
hostname PIX501-RadiusVPN
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 Windows2003
name 24.1.1.2 WindowsXP
access-list 108 remark Define VPN Traffic
access-list 108 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.1.1.1 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.2.1-192.168.2.200
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server PartnerAuth protocol radius
aaa-server PartnerAuth max-failed-attempts 3
aaa-server PartnerAuth deadtime 10
aaa-server PartnerAuth (outside) host Windows2003 cisco timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map DynMap 10 set transform-set myset
crypto map MyMap 10 ipsec-isakmp dynamic DynMap
crypto map MyMap client configuration address initiate
crypto map MyMap client configuration address respond
crypto map MyMap client authentication PartnerAuth
crypto map MyMap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup RemoteStaff address-pool VPNPool
vpngroup RemoteStaff dns-server Windows2003
vpngroup RemoteStaff default-domain breakout.edu
vpngroup RemoteStaff split-tunnel 108
vpngroup RemoteStaff idle-time 1800
vpngroup RemoteStaff password ********
telnet Windows2003 255.255.255.255 inside
telnet timeout 45
ssh timeout 5
console timeout 0
terminal width 80

This is the typical debug output:

9: xauth authentication in progress for user: , session id: 1737599205
10: Received response: UserA, session id 1737599205
11: Making authentication request for host Windows2003, user UserA, session id: 1737599205
12: Processing challenge for user UserA, session id: 1737599205, challenge: Password:
13: Received xauth challenge: Password: , session id: 1737599205
14: Received response: , session id 1737599205
15: Making authentication request for host Windows2003, user UserA, session id: 1737599205
16: xauth authentication failed for user: UserA, session id: 1737599205

Reply to
Fuzzy Britches

Hi,

I had problems with this when I first tried. Can I ask a few questions?

  1. Did you create this via the command line or PDM? The reason I ask is that I have found that if you set it up via PDM it does not always bind XAUTH to the OUTSIDE interface.
  2. Have you checked the password between the RADIUS server and the PIX?
  3. Does the group password on the PIX match the client?

HTH, Jay

Reply to
thejayman
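To test the shared secret between the PIX and IAS independently of the firewall (Jay's second question), here is an added Python example, not code from the thread: a minimal RFC 2865 PAP Access-Request client that also verifies the Response Authenticator, which is the one thing a wrong secret always breaks. It assumes IAS listens on UDP 1812 and that the host running it is registered as a RADIUS client on IAS; the thread's values (secret cisco, user UserA, NAS address 24.1.1.1) are used only as sample inputs.

```python
import hashlib
import os
import socket
import struct

def encrypt_pap_password(secret, authenticator, password):
    """Hide User-Password per RFC 2865 5.2: each 16-byte chunk XOR MD5(secret + previous block)."""
    # NUL-pad to a multiple of 16; an empty password (step 14 of the thread's debug) is one block.
    padded = password.ljust(-(-max(len(password), 1) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # TLV; length includes header

def build_access_request(secret, ident, user, password, nas_ip, authenticator):
    """Access-Request (code 1) with User-Name(1), User-Password(2) and NAS-IP-Address(4)."""
    attrs = (_avp(1, user) + _avp(2, encrypt_pap_password(secret, authenticator, password))
             + _avp(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(secret, request_authenticator, code, ident, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_authenticator_ok(secret, request_authenticator, response):
    """Client side: a shared-secret mismatch on either end makes this check fail."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]

def probe(server, secret, user, password, nas_ip, timeout=3.0):
    """Send one PAP Access-Request to UDP 1812 (assumed IAS port) and classify the reply."""
    auth = os.urandom(16)
    pkt = build_access_request(secret, 1, user.encode(), password.encode(), nas_ip, auth)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(pkt, (server, 1812))
    try:
        reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"  # no answer: wrong address/port, blocked, or this host is not a RADIUS client on IAS
    if not response_authenticator_ok(secret, auth, reply):
        return "bad-authenticator"  # the server answered, but computed its authenticator with a different secret
    return {2: "accept", 3: "reject", 11: "challenge"}.get(reply[0], "other")
```

Run it as probe("192.168.1.2", b"cisco", "UserA", "<password>", "24.1.1.1") from a host IAS knows: "bad-authenticator" means the secrets differ, and "timeout" means IAS never answered at all. Separately, the posted aaa-server line binds PartnerAuth to (outside) although Windows2003 is 192.168.1.2 on the inside network, so that interface keyword is also worth checking.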

  1. Command line through the console, mostly.
  2. Yes, several times.
  3. Yes, I've retyped it to match both the group name and the password.

Reply to
Fuzzy Britches

None of the views contain any new entries except for "Security", which has a bunch of "Logon/Logoff" and "Privilege Use" events for user "SYSTEM".

I probably should mention that the error is "User Failed Authentication", and I'm sure the user/pass is right, with the VPN right set.

Reply to
Fuzzy Britches

I've found the solution to my problem in this document:

formatting link
I still have no clue as to what was wrong with the configuration I posted, but it should be educational, and it will probably save me and whoever may be reading this a headache in the future, if someone could still explain what the deal was. It was obviously only a problem with the PIX configuration, because I changed nothing on the client and nothing on the RADIUS server; I took the PIX down (it was a test) and reworked the entire configuration again going by that document.

Reply to
Fuzzy Britches

What does the event viewer say?

Wil my 3¢

Fuzzy Britches wrote:

formatting link

Reply to
Wil

OK, after posting that I ran into another roadblock: I couldn't communicate with the internal machines on the other side of the test VPN. The problem was solved by setting up a NAT and configuring the usual NAT exceptions for the VPN traffic.

My only real question is: why does the VPN function of a PIX firewall _NEED_ a NAT? I mean, since I'm basically configuring a NAT and telling the PIX to never use it?

Reply to
Fuzzy Britches
