This setup works just fine for us.

Check out this document: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/basclnt.htm#16057 It has step-by-step instructions for what you're trying to do. The only thing that's not outlined in that document is how to configure the RADIUS server to send the access-list back to the PIX after authentication. For freeradius, we needed to add a line to the user entries like this:

    Reply-Message = "acl=xxx"

where xxx is the number of the access list that the PIX should use to identify which services the client should be permitted to use. Are you using Reply-Message, or something else? It looks like you have "Access-Accept":

    Sending Access-Accept of id 92 to 192.168.1.1:1645

but I'm not familiar enough with freeradius or its debug output to say if that's wrong.

dan

> Did anyone work with the Cisco VPN Client 3.0 and a PIX with authentication on
> freeradius?
>
> I have a Cisco VPN Client 3.0 and I want to establish a connection with my
> PIX.
> In the PIX I have written "crypto map MYMAP client authentication RADIUS_AUTH" to
> query my RADIUS server.
> When I try to connect from my PC the VPN client asks me for the username and
> password, freeradius performs the regular authentication and then everything blocks.
> I have seen in the freeradius debug that the PIX makes a second authentication
> request, freeradius responds with "OK" again, but the PIX doesn't
> like this answer and doesn't complete the IPsec session.
> Must I reply with a particular attribute to the PIX to authenticate this
> VPN client?
>
> Thanks for the help.
>
>
> This is the debug of freeradius:
>
>
> --- Walking the entire request list ---
> Cleaning up request 13 ID 68 with timestamp 3c7cfdd2
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 192.168.1.1:1645, id=92, length=60
>         User-Name = "mauipsec"
>         NAS-IP-Address = 192.168.1.1
>         Password = "\t\343\356O\300\341U.\303*\020#/%\366\300"
>         NAS-Port = 5
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> modcall[authorize]: module "suffix" returns ok
> rlm_sql: Reserving sql socket id: 4
> radius_xlat: 'mauipsec'
> sql_escape in: 'mauipsec'
> sql_escape out: 'mauipsec'
> sql_set_user: escaped user --> 'mauipsec'
> radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = 'mauipsec' ORDER BY id'
> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = 'mauipsec' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = 'mauipsec' ORDER BY id'
> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = 'mauipsec' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql: Released sql socket id: 4
> modcall[authorize]: module "sql" returns ok
> modcall: group authorize returns ok
> auth: type Local
> auth: user supplied Password matches local Password
> Login OK: [mauipsec] (from nas PIX port 5)
> Sending Access-Accept of id 92 to 192.168.1.1:1645
> Finished request 14
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.1.1:1645, id=92, length=60
> Sending duplicate authentication reply to client PIX:1645 - ID: 92
> Sending Access-Accept of id 92 to 192.168.1.1
> rl_next: returning NULL
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 14 ID 92 with timestamp 3c7cfe63
> Nothing to do.  Sleeping until we see a request.
>
>
>
> -------------------------------------
> Maurice Foschiatti
> Estel s.p.a
> Via del Teatro 4
> 34100 Trieste
> mailto: [EMAIL PROTECTED]
> cel. +39.329.9028085
> tel. +39.040.2629047
> -------------------------------------
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
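As an added example (not code from dan's or Maurice's mail, nor from freeradius itself): a small Python check that parses freeradius "users"-file entries and reports which users would reach the PIX without the Reply-Message = "acl=xxx" line dan describes. The users-file syntax is assumed here in place of the radcheck/radreply SQL tables visible in the debug output; the user names, passwords and access-list number 101 are constructed.

```python
import re

# Constructed sample in freeradius "users" file syntax. Only the second
# user carries the Reply-Message the PIX expects; 101 is a made-up ACL number.
SAMPLE_USERS = '''\
mauipsec   Auth-Type := Local, User-Password == "s3cret"
           Framed-Protocol = PPP

vpnuser2   Auth-Type := Local, User-Password == "s3cret"
           Reply-Message = "acl=101",
           Framed-Protocol = PPP
'''

# One "Attribute op value" item; value is either quoted or a bare token.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|!=|=)\s*("([^"]*)"|[^,\s]+)')
ACL_RE = re.compile(r'^acl=(\d+)$')


def _items(fragment):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    out = []
    for m in ITEM_RE.finditer(fragment):
        value = m.group(4) if m.group(4) is not None else m.group(3)
        out.append((m.group(1), m.group(2), value))
    return out


def parse_users(text):
    """Return {username: (check_items, reply_items)}.

    A line starting in column 1 opens an entry (name plus check items);
    indented continuation lines carry the reply items sent in Access-Accept.
    """
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError('reply item before any user entry: %r' % line)
            entries[current][1].extend(_items(line))
        else:
            parts = line.split(None, 1)
            current = parts[0]
            entries[current] = (_items(parts[1]) if len(parts) > 1 else [], [])
    return entries


def pix_acl(entries, user):
    """Access-list number the PIX would receive for user, or None if absent."""
    for attr, _op, value in entries.get(user, ([], []))[1]:
        m = ACL_RE.match(value) if attr == 'Reply-Message' else None
        if m:
            return int(m.group(1))
    return None


def users_missing_acl(entries):
    """Users whose Access-Accept carries no acl=N Reply-Message."""
    return sorted(u for u in entries if pix_acl(entries, u) is None)
```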
