Remote Access VPN (IPsec) - IOS - radius (ISE)

Today I change the configuration from my previous post, and instead of ACS I will add ISE (version 1.1).

First modification:

!
radius-server host 192.168.202.152 key cisco123
!

Next I add a new network device on ISE:

ra-ipsec4-1.jpg

ra-ipsec4-2.jpg

In next step I add a new user group and next a new user: “ezvpn”

ra-ipsec4-3.jpg

ra-ipsec4-4.jpg

And now the new user:

ra-ipsec4-5.jpg

Now it’s time to add a new authorization profile with radius attributes:

ra-ipsec4-6.jpg

ra-ipsec4-7.jpg

And then a new Authorization Profile:

ra-ipsec4-8.jpg

When I try to connect I see following log messages:

*Nov 24 20:17:04.534: RADIUS/ENCODE(00000086):Orig. component type = VPN IPSEC
*Nov 24 20:17:04.538: RADIUS:  AAA Unsupported Attr: interface         [221] 8   1767295532
*Nov 24 20:17:04.538: RADIUS(00000086): Config NAS IP: 0.0.0.0
*Nov 24 20:17:04.542: RADIUS(00000086): Config NAS IPv6: ::
*Nov 24 20:17:04.542: RADIUS/ENCODE(00000086): acct_session_id: 123
*Nov 24 20:17:04.546: RADIUS(00000086): sending
*Nov 24 20:17:04.550: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 192.168.202.152
*Nov 24 20:17:04.554: RADIUS(00000086): Sending a IPv4 Radius Packet
*Nov 24 20:17:04.558: RADIUS(00000086): Send Access-Request to 192.168.202.152:1645 id 1645/81,len 96
*Nov 24 20:17:04.558: RADIUS:  authenticator AA 57 75 1D DD AC 36 7C - 7B 50 8C E1 55 59 D3 D3
*Nov 24 20:17:04.562: RADIUS:  User-Name           [1]   7   "ezvpn"
*Nov 24 20:17:04.562: RADIUS:  User-Password       [2]   18  *
*Nov 24 20:17:04.566: RADIUS:  Calling-Station-Id  [31]  17  "192.168.202.1
R14#78"
*Nov 24 20:17:04.566: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Nov 24 20:17:04.570: RADIUS:  NAS-Port            [5]   6   1
*Nov 24 20:17:04.574: RADIUS:  NAS-Port-Id         [87]  10  "10.0.0.2"
*Nov 24 20:17:04.574: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Nov 24 20:17:04.578: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.2
*Nov 24 20:17:04.578: RADIUS(00000086): Started 5 sec timeout
*Nov 24 20:17:04.614: RADIUS: Received from id 1645/81 192.168.202.152:1645, Access-Reject, len 20
*Nov 24 20:17:04.614: RADIUS:  authenticator 94 87 98 D6 18 1D 00 1B - 49 9C C3 7C 2C 92 52 76
*Nov 24 20:17:04.618: RADIUS(00000086): Received from id 1645/81
*Nov 24 20:17:04.762: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.202.178 was not encrypted and it should've been.
*Nov 24 20:17:04.774: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.202.178 was not encrypted and it
R14# should've been.
R14#

On ISE I see:

ra-ipsec4-9.jpg

The problem is related with one IOS limitation which allows on one fixed password “cisco” for user = isakmp client group. You can change a password policy but minimum number of characters is 6:

ra-ipsec4-10.jpg

I can’t find any solution but if you know how to omit the limitation, let me know and I will update my post.

 
11
Kudos
 
11
Kudos

Now read this

DMVPN - phase one - EIGRP

Today I would like to implement DMVPN with EIGRP. This protocol is very popular because of its scalability. Please read this post before you start because I’m not going to implement it from scratch:... Continue →