Remote Access VPN (IPsec) - IOS - radius (ISE)

Today I change the configuration from my previous post, and instead of ACS I will add ISE (version 1.1).

First modification:

!
radius-server host 192.168.202.152 key cisco123
!

Next I add a new network device on ISE:

ra-ipsec4-1.jpg

ra-ipsec4-2.jpg

In next step I add a new user group and next a new user: “ezvpn”

ra-ipsec4-3.jpg

ra-ipsec4-4.jpg

And now the new user:

ra-ipsec4-5.jpg

Now it’s time to add a new authorization profile with radius attributes:

ra-ipsec4-6.jpg

ra-ipsec4-7.jpg

And then a new Authorization Profile:

ra-ipsec4-8.jpg

When I try to connect I see following log messages:

*Nov 24 20:17:04.534: RADIUS/ENCODE(00000086):Orig. component type = VPN IPSEC
*Nov 24 20:17:04.538: RADIUS:  AAA Unsupported Attr: interface         [221] 8   1767295532
*Nov 24 20:17:04.538: RADIUS(00000086): Config NAS IP: 0.0.0.0
*Nov 24 20:17:04.542: RADIUS(00000086): Config NAS IPv6: ::
*Nov 24 20:17:04.542: RADIUS/ENCODE(00000086): acct_session_id: 123
*Nov 24 20:17:04.546: RADIUS(00000086): sending
*Nov 24 20:17:04.550: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 192.168.202.152
*Nov 24 20:17:04.554: RADIUS(00000086): Sending a IPv4 Radius Packet
*Nov 24 20:17:04.558: RADIUS(00000086): Send Access-Request to 192.168.202.152:1645 id 1645/81,len 96
*Nov 24 20:17:04.558: RADIUS:  authenticator AA 57 75 1D DD AC 36 7C - 7B 50 8C E1 55 59 D3 D3
*Nov 24 20:17:04.562: RADIUS:  User-Name           [1]   7   "ezvpn"
*Nov 24 20:17:04.562: RADIUS:  User-Password       [2]   18  *
*Nov 24 20:17:04.566: RADIUS:  Calling-Station-Id  [31]  17  "192.168.202.1
R14#78"
*Nov 24 20:17:04.566: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Nov 24 20:17:04.570: RADIUS:  NAS-Port            [5]   6   1
*Nov 24 20:17:04.574: RADIUS:  NAS-Port-Id         [87]  10  "10.0.0.2"
*Nov 24 20:17:04.574: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Nov 24 20:17:04.578: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.2
*Nov 24 20:17:04.578: RADIUS(00000086): Started 5 sec timeout
*Nov 24 20:17:04.614: RADIUS: Received from id 1645/81 192.168.202.152:1645, Access-Reject, len 20
*Nov 24 20:17:04.614: RADIUS:  authenticator 94 87 98 D6 18 1D 00 1B - 49 9C C3 7C 2C 92 52 76
*Nov 24 20:17:04.618: RADIUS(00000086): Received from id 1645/81
*Nov 24 20:17:04.762: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.202.178 was not encrypted and it should've been.
*Nov 24 20:17:04.774: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.202.178 was not encrypted and it
R14# should've been.
R14#

On ISE I see:

ra-ipsec4-9.jpg

The problem is related with one IOS limitation which allows on one fixed password “cisco” for user = isakmp client group. You can change a password policy but minimum number of characters is 6:

ra-ipsec4-10.jpg

I can’t find any solution but if you know how to omit the limitation, let me know and I will update my post.

 
11
Kudos
 
11
Kudos

Now read this

IPv6 security – IPv6 First Hop Security - IPv6 RA Guard – part two.

In my last post I described ICMPv6 messages and one of them was Router Advertisement (RA). Today I would like to implement RA Guard feature. Router Advertisement (RA) – ICMPv6 – type 134 - the message can be sent as a response on the... Continue →