[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 925
  • Last Modified:

Cisco 1841 VPN fails user authentication using Cisco VPN Client

I'm attemping to set up an IPsec vpn for remote users, I've got a lab at home which I'm using to test the configuration (test conns coming in from Serial0/0/0), and it's failing to authenticate the users with a Reason 413: User Authentication Failed. I've got another site I tried the same VPN config on, and the same probems happens there too.

Few things to keep in mind:

- The vpdn-group PPTP_WIN2KClient is the old PPTP vpn, it has nothing to do with the new one I'm trying to set up. however, it does work.
- I've tried both local authentication and even put winradius on a pc to test radius, both fail in the same way.
- When i remove the line "crypto map testlab client authentication list testlab.vpn" from the running config, it connects fine, but without user authentication obviously.
- From what I've read, it's supposed to give me 3 goes at authenticating by default, I only get one, so it's possibly not communicating properly?

Below are links to the the running config, the debug output during a connection attempt, and the log from the cisco vpn client. It's the first time i'm trying to set this up so i really don't know what else is required.

The router is an 1841, with the IOS ver in the config linked below. The other router I'm testing this on is also an 1800 series with a similar IOS, not sure of the specifics off the top of my head, but I can get them if needed.

http://rainbows.ath.cx/rotuer_config.txt
http://rainbows.ath.cx/router_debug.txt
http://rainbows.ath.cx/client_log.txt

Thanks.
0
syslab
Asked:
syslab
  • 4
  • 2
1 Solution
 
lrmooreCommented:
>radius-server host 192.168.1.1
The radius-server is setup to be the router itself? I don't see the other radius-server configuration
I've only seen local radius used for wireless, but you might be able to adapt it to vpn use
http://www.cisco.com/en/US/docs/ios/12_4t/wlan/configuration/guide/wlcgsrvr.html

0
 
syslabAuthor Commented:
Fixed that line up now, it points to the right IP, however, it still won't authenticate. There's no RADIUS debug output at all, even with the wrong IP I would have expected something, even if it was just "unable to contact radius server", after which it should fall back to local auth.
0
 
naughtonCommented:
The group and user and password are case sensitive.  have you tried this?
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
syslabAuthor Commented:
yes, i've tried numerous usernames/passwords. even if i got them wrong, i would still expect the default three attempts at authenticating, instead of getting the 413 error after the first.
0
 
syslabAuthor Commented:
fixed it

removed group-lock from the isakmp client configuration group and it authenticates flawlessly.
0
 
lrmooreCommented:
I should at least get partial credit for pointing out that you had the wrong IP address for the radius server.
Thanks for the update!
0
 
syslabAuthor Commented:
done. thanks for your efforts guys.

(let me know if i need to do anything else do give you partial credit, i've just accepted it as a solution, not sure if anything else is required)
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now