Configure Cisco 1941 to use Windows Radius Server for VPN Access

Been having an issue configuring a remote Cisco 1941 to use our Windows RADIUS server. Currently we use this RADIUS server for the ASA VPN access without any issues.

Trying to see if I am missing a command. VPN is working using the local VPN account. When trying to change it to the RADIUS aaa group nothing happens.


Building configuration...

Current configuration : 7825 bytes
!
! Last configuration change at 14:47:53 GMT Tue Dec 5 2017 by administrator
! NVRAM config last updated at 14:42:00 GMT Tue Dec 5 2017 by administrator
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ARG-ROUTER01
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.154-3.M6a.bin
boot-end-marker
!
!
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa group server radius CHI
 ip radius source-interface GigabitEthernet0/0
!
aaa authentication login SSLVPN_AAA local
aaa authentication login CHI group radius local
!
!
!
!
!
aaa session-id common
clock timezone GMT -4 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name dental.priv
ip name-server 10.204.1.1
ip inspect name SAARG_TRAFFIC tcp
ip inspect name SAARG_TRAFFIC udp
ip inspect name SAARG_TRAFFIC telnet
ip inspect name SAARG_TRAFFIC snmp
ip inspect name SAARG_TRAFFIC smtp
ip inspect name SAARG_TRAFFIC skinny
ip inspect name SAARG_TRAFFIC rtsp
ip inspect name SAARG_TRAFFIC realaudio
ip inspect name SAARG_TRAFFIC pop3
ip inspect name SAARG_TRAFFIC pptp
ip inspect name SAARG_TRAFFIC pop3s
ip inspect name SAARG_TRAFFIC pcanywheredata
ip inspect name SAARG_TRAFFIC pcanywherestat
ip inspect name SAARG_TRAFFIC netbios-dgm
ip inspect name SAARG_TRAFFIC netbios-ns
ip inspect name SAARG_TRAFFIC netbios-ssn
ip inspect name SAARG_TRAFFIC ms-sql
ip inspect name SAARG_TRAFFIC lotusnote
ip inspect name SAARG_TRAFFIC lotusmtap
ip inspect name SAARG_TRAFFIC kerberos
ip inspect name SAARG_TRAFFIC http
ip inspect name SAARG_TRAFFIC https
ip inspect name SAARG_TRAFFIC ftp
ip inspect name SAARG_TRAFFIC dns
ip inspect name SAARG_TRAFFIC ica
ip inspect name SAARG_TRAFFIC icmp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=argvpn.gumbrand.com
 revocation-check crl
 rsakeypair SSLVPN_KEYPAIR
!
!
crypto pki certificate chain SSLVPN_CERT
 certificate self-signed 01
 
        quit
license udi pid CISCO1941/K9 sn
!
!
username VPNUSER password 7
username administrator privilege 15 secret 5
username ARGVPN password 7
!
redundancy
!
!
!
!
!
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.3.04027-k9.pkg sequence 1
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 description TO_INTERNET
 ip address xxxxxxxxxxxxxxx
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ARGENTINA_LAN
 ip address xxxxxxxxxxxxxxx
 ip nat inside
 ip inspect SAARG_TRAFFIC in
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0/0
 switchport access vlan 11
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/0/1
 no ip address
 shutdown
!
interface FastEthernet0/0/2
 no ip address
 shutdown
!
interface FastEthernet0/0/3
 switchport access vlan 10
 no ip address
 speed 100
 no cdp enable
 spanning-tree portfast
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address xxxxxxxxxx 255.255.255.252
!
interface Vlan11
 ip address 10.248.2.1 255.255.255.0
!
router bgp xxxxxx
 synchronization
 bgp log-neighbor-changes
 network xxxxxxxxxxxx
 network xxxxxxxxxxx mask 255.255.255.0
 neighbor xxxxxxxxxx remote-as xxxx
 auto-summary
!
ip local pool SSLVPN_POOL 10.248.1.240 10.248.1.254
ip forward-protocol nd
!
ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
!
ip access-list extended NONAT
 deny   ip 10.248.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.248.0.0 0.0.255.255 any
ip access-list extended OUTSIDE_ACL
 permit tcp any any eq 22
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any traceroute
 permit icmp any any unreachable
 deny   ip any any
 deny   tcp any any
 deny   udp any any
!
ip radius source-interface GigabitEthernet0/0
!
route-map NONAT permit 10
 match ip address NONAT
!
!
access-list 1 permit 10.248.0.0 0.0.255.255
!
radius server CHI
 address ipv4 xxxxxxxxx auth-port 1645 acct-port 1646
 key 7
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7
 transport input ssh
!
scheduler allocate 20000 1000
ntp server north-america.pool.ntp.org source GigabitEthernet0/0
!
!
webvpn gateway SSLVPN_GATEWAY
 ip address xxxxxxxxxx port 443
 http-redirect port 80
 ssl trustpoint SSLVPN_CERT
 inservice
 !
webvpn context SSL_Context
 virtual-template 1
 aaa authentication list SSLVPN_AAA
 gateway SSLVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSL_Policy
   functions svc-enabled
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
   svc split include acl 1
   svc dns-server primary xxxxxxxx
   svc dns-server secondary xxxxxxx
 default-group-policy SSL_Policy
!
end

ARG-ROUTER01#
sunstaramericasinc Asked:
sunstaramericasinc (Author) Commented:
Was about to close this as I found the solution. NPS logs were showing the RADIUS client as a different IP. The router was using the MPLS IP instead of the LAN IP.
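The mismatch described in the accepted answer (NPS sees the request arriving from an address other than the one registered as the RADIUS client) is easy to spot mechanically. The following is an added example, not code from the thread or from Microsoft: it parses NPS IAS-format log lines and reports every request whose client address is not one of the addresses registered on NPS. The six fixed header fields and the Microsoft attribute ids (4136 Packet-Type, 4108 Client-IP-Address, 4128 Client-Friendly-Name, 4142 Reason-Code) are my assumptions about the IAS format; the log lines, the registered-client table and the addresses are constructed for the example, with 192.0.2.9 standing in for the MPLS-side interface.

```python
"""Added example: parse NPS IAS-format log lines and flag requests whose RADIUS
client address is not one registered on the NPS server. Field layout and
attribute ids are assumptions about the IAS format, not taken from the post."""
import csv
import io
from dataclasses import dataclass

# Assumed IAS-format header: six fixed fields, then (attribute-id, value) pairs.
HEADER_FIELDS = ("nas_ip", "user", "date", "time", "service", "computer")

# Assumed Microsoft IAS attribute ids.
ATTR_PACKET_TYPE = "4136"
ATTR_CLIENT_IP = "4108"            # address NPS received the request from
ATTR_CLIENT_FRIENDLY_NAME = "4128"
ATTR_REASON_CODE = "4142"

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request",
                "11": "Access-Challenge"}


@dataclass
class NpsRecord:
    nas_ip: str
    user: str
    timestamp: str
    packet_type: str
    client_ip: str
    client_name: str
    reason_code: str


def parse_line(line: str) -> NpsRecord:
    """Split one IAS-format line into its header fields and attribute pairs."""
    fields = next(csv.reader(io.StringIO(line)))
    header = dict(zip(HEADER_FIELDS, fields))
    rest = fields[len(HEADER_FIELDS):]
    # Attribute ids and values alternate; a repeated id keeps its last value.
    attrs = {rest[i]: rest[i + 1] for i in range(0, len(rest) - 1, 2)}
    return NpsRecord(
        nas_ip=header.get("nas_ip", ""),
        user=header.get("user", ""),
        timestamp=f"{header.get('date', '')} {header.get('time', '')}",
        packet_type=PACKET_TYPES.get(attrs.get(ATTR_PACKET_TYPE, ""), "unknown"),
        # Fall back to NAS-IP-Address when the client attribute is absent.
        client_ip=attrs.get(ATTR_CLIENT_IP, header.get("nas_ip", "")),
        client_name=attrs.get(ATTR_CLIENT_FRIENDLY_NAME, ""),
        reason_code=attrs.get(ATTR_REASON_CODE, ""),
    )


def unregistered_clients(lines, registered: dict):
    """Return (client_ip, nas_ip, user, timestamp) for each record whose client
    address is not in `registered` (friendly name -> IP as configured in NPS)."""
    known = set(registered.values())
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.client_ip not in known:
            hits.append((rec.client_ip, rec.nas_ip, rec.user, rec.timestamp))
    return hits


# Constructed sample: the router is registered in NPS by its LAN address
# 10.248.2.1, but the second request arrived from 192.0.2.9, a documentation
# address standing in for the MPLS-side interface.
REGISTERED_CLIENTS = {"ARG-ROUTER01": "10.248.2.1"}
SAMPLE_LOG = [
    r"10.248.2.1,DENTAL\jdoe,12/05/2017,14:47:53,IAS,NPS01,4136,1,4108,10.248.2.1,4128,ARG-ROUTER01",
    r"192.0.2.9,DENTAL\jdoe,12/05/2017,14:48:10,IAS,NPS01,4136,1,4108,192.0.2.9",
]

if __name__ == "__main__":
    for client_ip, nas_ip, user, ts in unregistered_clients(SAMPLE_LOG, REGISTERED_CLIENTS):
        print(f"{ts}: request for {user} arrived from unregistered client "
              f"{client_ip} (NAS-IP-Address {nas_ip})")
```

Run it against a real NPS log directory by reading each `IN*.log` file into `unregistered_clients` with the friendly-name-to-IP table copied from the NPS RADIUS Clients list; any hit is a device sourcing RADIUS from an interface NPS does not know about, which is exactly the symptom the author found.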
kevinhsieh Commented:
Have you looked at the NPS logs? They will often tell you what is going on.

I like to paste them into this tool for easy formatting and parsing.
https://iso.csusb.edu/tools/nps-log-interpreter
kevinhsieh Commented:
You can force which interface the router uses.

ip radius source-interface g0/xx
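Whether `ip radius source-interface` points at the interface NPS knows the router by is something you can check from the running-config before touching NPS. This is an added example, not code from the thread: it reads an IOS config, resolves the global RADIUS source-interface to its IPv4 address, compares that with the address registered as the RADIUS client on NPS, and also checks that every `aaa group server radius` group actually lists a `server name`. The config below is constructed to resemble the one posted, with documentation-range addresses and a placeholder key; the NPS client address passed to `lint_radius` is likewise an assumption.

```python
"""Added example: lint an IOS running-config for RADIUS source-interface and
server-group consistency. The sample config is constructed, not the poster's."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius CHI
 ip radius source-interface GigabitEthernet0/0
aaa authentication login SSLVPN_AAA local
aaa authentication login CHI group radius local
interface GigabitEthernet0/0
 description TO_INTERNET
 ip address 192.0.2.9 255.255.255.248
interface Vlan11
 ip address 10.248.2.1 255.255.255.0
ip radius source-interface GigabitEthernet0/0
radius server CHI
 address ipv4 198.51.100.5 auth-port 1645 acct-port 1646
 key 7 PLACEHOLDER
"""


def parse_sections(config: str):
    """Group indented continuation lines under their parent command."""
    sections = {}  # parent line -> list of child lines
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def interface_addresses(sections):
    """Map interface name -> primary IPv4 address."""
    addrs = {}
    for parent, children in sections.items():
        if parent.startswith("interface "):
            name = parent.split(None, 1)[1]
            for line in children:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m:
                    addrs[name] = m.group(1)
    return addrs


def radius_source_interface(sections):
    """Return the interface named by global 'ip radius source-interface', or None."""
    for parent in sections:
        m = re.match(r"ip radius source-interface (\S+)", parent)
        if m:
            return m.group(1)
    return None


def lint_radius(config: str, nps_client_ip: str):
    """Return findings; an empty list means RADIUS is sourced from the address
    NPS has registered and every server group has members."""
    sections = parse_sections(config)
    addrs = interface_addresses(sections)
    findings = []

    src = radius_source_interface(sections)
    if src is None:
        findings.append("no global 'ip radius source-interface'; source address depends on routing")
    elif src not in addrs:
        findings.append(f"source-interface {src} has no IPv4 address")
    elif addrs[src] != nps_client_ip:
        findings.append(f"RADIUS is sourced from {src} ({addrs[src]}) "
                        f"but NPS registers the client as {nps_client_ip}")

    defined = {p.split()[2] for p in sections if p.startswith("radius server ")}
    for parent, children in sections.items():
        if parent.startswith("aaa group server radius "):
            group = parent.split()[4]
            members = [c.split()[2] for c in children if c.startswith("server name ")]
            if not members:
                findings.append(f"aaa group server radius {group} lists no 'server name' entries")
            for name in members:
                if name not in defined:
                    findings.append(f"group {group} references undefined radius server {name}")
    return findings


if __name__ == "__main__":
    # Assumed: NPS registered the router by its LAN address.
    for finding in lint_radius(SAMPLE_CONFIG, "10.248.2.1"):
        print("finding:", finding)
```

With the LAN address registered on NPS, the lint reports both that RADIUS is sourced from GigabitEthernet0/0 rather than the LAN interface and that group CHI has no members; the fix for the first is either `ip radius source-interface Vlan11` on the router or registering the interface's address as a second RADIUS client on NPS, and for the second a `server name CHI` line inside the group.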
Seth Simmons (Sr. Systems Administrator) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: sunstaramericasinc (https:#a42447015)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer