10.6.4 Server L2TP VPN using external RADIUS - Authorization Failed

Similar Messages

• Server L2TP  VPN will not connect after OS X restart

  I have configured a L2TP VPN service in Server v4.1 running in Yosemite v10.10.3 on an OWC 480 GB SSD in a MB Mini late 2012. After any OS X restart the VPN service starts up normally but the client on my iOS8 phone, or clients on my three other devices, iMac, MB Air or MB Pro (all running the latest Yosemite) cannot connect to it.  They report service unavailable.  However, if I turn the service off and then on again in the Server app, everything works as planned and continues to work until the next restart. All the other Server services configured (Website, Caching and Time Machine) work without having perform the off then back on switch after Server app starts up. 
  This is generally not a problem but if I am abroad and the Mini reboots itself following a power cut, I lose my VPN service until I can either get someone to do the off then on switch or attempt it myself with Team Viewer VNC. Has anyone any idea how I can force the VPN service to work straight after the Server app starts?
  Thanks

  1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
  The test works on OS X 10.7 ("Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.
  Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
  2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
  There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
  3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
  You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
  In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
  You may not be able to understand the script yourself. But variations of it have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.
  Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
  4. Here's a general summary of what you need to do, if you choose to proceed:
  ☞ Copy a particular line of text to the Clipboard.
  ☞ Paste into the window of another application.
  ☞ Wait for the test to run. It usually takes a few minutes.
  ☞ Paste the results, which will have been copied automatically, back into a reply on this page.
  These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.
  5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is sometimes, but not always, slow, run the test during a slowdown.
  You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
  6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
  7. Load this linked web page (on the website "Pastebin.") The title of the page is "Diagnostic Test." Below the title is a text box headed by three small icons. The one on the right represents a clipboard. Click that icon to select the text, then copy it to the Clipboard on your computer by pressing the key combination command-C.
  If the text doesn't highlight when you click the icon, select it by triple-clicking anywhere inside the box. Don't select the whole page, just the text in the box.
  8. Launch the built-in Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad and start typing the name.
  Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.
  9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
  exec bash
  and press return. Then paste the script again.
  10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.
  If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
  11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:
  [Process started]
          Part 1 of 8 done at … sec
          Part 8 of 8 done at … sec
          The test results are on the Clipboard.
          Please close this window.
  [Process completed]
  The intervals between parts won't be exactly equal, but they give a rough indication of progress. The total number of parts may be different from what's shown here.
  Wait for the final message "Process completed" to appear. If you don't see it within about ten minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it and go to the next step. You'll have incomplete results, but still something.
  12. When the test is complete, or if you stopped it because it was taking too long, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
  At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
  If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
  13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
  14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you're told to do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.
  Copyright © 2014, 2015 by Linc Davis. As the sole author of this work (including the referenced "Diagnostic Test"), I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

• OTP of ASDM using external radius server ( Not RSA )

  Hello,
  Just seeing if the ASDM will support OTP using an external radius server, and not RSA.  I see there was a feature added to 8.2 that states its possible with RSA, but nothing of any other support.  Just checking to see if someone know for sure.
  Thanks,
  Jason

  I did see in the Release notes for ASDM 6.2, that SDI is support with RSA.  Can anyone confirm or not if it works with Radius too ( OTP ).
  http://www.cisco.com/en/US/docs/security/asdm/6_2/release/notes/asdmrn62.html

• Ise Authentication to two different forests second using External Radius, Not LDAP

  Hi Guys,
  I am hoping someone can help me.  We currently have two AD forests one for staff and one for students.  These forests do not have a two way trust between them nor do we want to. We currently have Ise 1.2 integration with our Student forest using AD working just fine. The ipads and other devices are playing nicely and cooperating well.    We want to get our staff to be able to use ISE as well.  Currently there is no way to use two AD forests so I was directed to use LDAP instead for the second domain.  Unfortunatley after playing around with it LDAP doesn't support mschapv2 which our mobile devices like ipads do play nicely with.  This causes an issue only because we would have to utilize certificates to get everything to work correctly.  This is not the route we want to go.  So i was speaking to Tac and they recommended using an External Radius server.  Then modify my auth profiles to look for the domain name in the authentication string.  If it starts for example student\ then i can have ise forward the auth request to the AD integrated PSNs for auth.  If the auth string starts with staff\ for example i should be able to forward this request to my external radius server. 
  This sounds all good in theory but i have not found any documentation to support this to help me configure it.  Has anyone tried this approach?  Or have any leads on where i can find some good documentation as to what radius servers are supported.  I am hoping Windows server 2008 R2 with a radius role installed, but i am just not sure.
  If anyone can help i would greatly appreciate it.
  Thank you
  Joey

  That is correct! Cisco ISE supports integration with a single Active  Directory identity source. Cisco ISE uses this Active Directory identity  source to join itself to an Active Directory domain. If this Active  Directory source has a multidomain forest, trust relationships must  exist between its domain and the other domains in order for Cisco ISE to  retrieve information from all domains within the forest.
  However,  you may create multiple instances for LDAP. Cisco ISE can communicate  via LDAP to Active Directory servers in an untrusted domain. The only  limitation you would see with LDAP being a database that it doesn't  support PEAP MSCHAPv2 ( native microsoft supplicant). However it does  suppport EAP-TLS.
  For more information you may go through the below listed link
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

• Using external radius with ise for guest authentication

  Hi Everyone,
  I am trying to migrate from NAC Guest Server to Cisco ISE Guest CWA on wireless, and can't figure out whether what i am trying is just unsupported or i just can't find out how to do this ?
  I am attempting to authenticate my existing guest users, using a radius lookup towards my existing NAC Guest server, which has many hundred guest users with long account duration, which i really don't want to recreate on ISE, and send new passwords to all those users. Problem is i can't export the user list from NAC guest server with the password intact, and ISE can't import guest users with a set password.
  Any ideas ?

  Setting up ISE as radius  proxy server will work because NAC guest user does not support exporting user information with passwords
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The External RADIUS Servers page appears.
  Step 2 Click Filter > Advanced Filter to perform your search. The Filter page appears.
  Step 3 You must define whether the search should match any or all of the rules that you define on this page.
  Step 4 Enter your search criteria based on the name or description of the RADIUS server, choose an operator, and enter the value.
  Step 5 You can do the following:
  •To add a filter condition, click the plus sign (+).
  •To remove a filter condition, click the minus sign (-).
  •To clear all filter conditions, click Clear Filter.
  Step 6 Click Go to perform your search.
  You can also save the filter criteria so that it can be used again. Click the Save icon to save the filter condition.

• How to allow access from LAN to server on LAN using external FQDN? (Outlook web access issue)

  I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com , I want my users INSIDE the company be able to also get to https://mail.company.com , currently they cannot (nothing loads, looks to me as if firewall simply drops it) and I'm drawing a blank on how to get this done. Externally this works fine so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to internal IP, but something is blocking this from the inside.
  I have an ASA 5510.
  If you can just sent me on the right path with theory I'll figure it out on my own, I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.

  Hello Martin,
  Maybe what is happening is that the DNS entry is pointing to the public IP address of the server, so it could be that the internal users are forwarding the traffic to the public IP address of the server and the ASA will drop the packet since the hosts are going to try to contact the server from the inside when actually there is a NAT rule that translate the internal server on the outside with a public IP. The traffic will try to contact that server going to the outside interface, but the ASA will notice that the connection was initiated on the inside interface, so it will refuse the connection.
  There is a solution for this issue. You can create a static NAT rule that matches le that translate the internal host to the public IP address, in this case, instead of -inside,outside-, the rule is going to be -inside,inside-.
  For example:
  Let`s say that there is a static NAT that match the following statement for the inbound traffic coming on the outside:
  static (inside,outside) {public IP} {private IP}
  There should be one that says the same but with inside,inside:
  static (inside,inside) {public IP} {private IP}
  Please configure that rule and let me know the results.
  Thanks.
  --Armando Rojas

• Native iOS L2TP VPN not working on Lion Server

  Hi Folks,
  I have a very strange issue concerning making VPN work on two iOS devices I have. I have recently setup Lion Server on a MacMini here in the office with L2TP VPN using a shared secrert phrase and a password authentication.
  I have Lion running on an a MacBook Air (which I setup VPN using the provisioning profile "VPN.mobileprovision") and Snow Leopard running on an iMac. (VPN was set up manually). Both systems have been tested to work both inside and outsideof my internal network as I have tested with an air card.
  I also have an iPhone running 4.3.4/4.3.5 that I setup by emailing the provisioning profile and and iPad 1 running iOS 5 beta 4 setup with the vpn provisioning profile. Neither the iPad nor iPhone seem to work at all either internally nor externally. In fact I never see any activity in the vpnd.log when I attempt to connect to with these devices. All I get is the standard "The L2TP-VPN server did not respond. Try reconnecting. ..."
  Based on my success with the OSX Clients both inside and outside my local network I feel it is safe to say that I do not think the issue resides on the Lion Server nor the network/firewall configuration. I am running a Time Capsule with FW 7.5.2/7.4.2. There was no change in behavior with either version of the Time capsule firmware for the clients whether they were OSX or iOS. I must be clearly missing something here and I don't know what. Any help any of you could provide would be greatly appreciated. Thanks!
  Please see the below settings for my VPN Settings on the host and iOS client
  root# serveradmin settings vpn
  vpn:vpnHost = ""
  vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
  vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
  vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
  vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains:_array_index:0 = "ri.cox.net"
  vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.15.1"
  vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
  vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
  vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"
  vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
  vpn:Servers:com.apple.ppp.pptp:enabled = no
  vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
  vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
  vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
  vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
  vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
  vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
  vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
  vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
  vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
  vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
  vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
  vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
  vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
  vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
  vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
  vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
  vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
  vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
  vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
  vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
  vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.15.224"
  vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.15.254"
  vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
  vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
  vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
  vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
  vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
  vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
  vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
  vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
  vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "ri.cox.net"
  vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.15.1"
  vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
  vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
  vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
  vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
  vpn:Servers:com.apple.ppp.l2tp:enabled = yes
  vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
  vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
  vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
  vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
  vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
  vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
  vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
  vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
  vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
  vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
  vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
  vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
  vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
  vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
  vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
  vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
  vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
  vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
  vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
  vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
  vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
  vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
  vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
  vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.15.241"
  vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.15.249"
  vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
  vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
  vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
  vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"

  Issue is resolved. I used the initial random generated shared secret that was generated by Lion Server. The shared secret has special characters. IOS did not like the special characters. See iPhone Console Log below:
  Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
  Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: Reading configuration from "/etc/racoon/racoon.conf"
  Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: /var/run/racoon/68.9.232.78.conf:6: "?gLA" syntax error
  Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: fatal parse failure (1 errors)
  That is why I never saw any attempt to connect. The actual process would bomb out before attempting to make a connection to the server.
  The shared secret key was:
  Y|WNwvM_O"?gLA$F@adT
  Looks like it was the " or the ? symbols.
  Once I changed the shared secret key the issue went away and the iPhone and iPad could connect to vpn without issue.
  Figured I'd let you all know

• Cisco ISE with both internal and External RADIUS Server

  Hi
  I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
  I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
  So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
  I will like to know if it is possible to configure it and how I can do it ?
  Thanks in advance for your help
  Regards
  Blaise

  Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
  Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
  The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

• Authentication Policy ISE with External RADIUS Server

  Hi All,
  I would like to authenticate client by using External RADIUS. Once I create authentication policy using the new compound condition (wireless dot1x + Radius Username Matches "domainB\") I would like to forward the user authentication who make an authen using domainB\username to the External RADIUS Server Sequence. But when I check on the authentication dashboard, it still authenticate using the default authentication rule.
  Please suggest about this scenario.
  Regards,
  Sent from Cisco Technical Support Android App

  Hi jrabinow,
  Which details you would like to see ?
  Here is some infos.
  ISEs are deployed in 2 domains such as "acme.com" and "sub.acme.com"
  Each domain does not make a trusted relationship so these 2 domains cannot communicate between them.
  Each domain has owned Enterprise Root CA (Microsoft)
  Client who need to access the network need to authenticate with EAP-TLS.
  My environment
  My ISE node joined into domain "acme.com"
  User will be "[email protected]"
  Once the user from "[email protected]" try to authenticate, I would like to forward the RADIUS request from ISEs (acme.com) to other ISEs (sub.acme.com)
  After ISEs in "sub.acme.com" return RADIUS-ACCEPT then ISEs in "acme.com" will process an authorization policy.
  Regards,
  Pongsatorn

• Cisco ISE: External RADIUS Server

  Hi,
  I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
  So, how can I use this external RADIUS server to process my request ?
  Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
  If anyone use this, please suggest this to me.
  Thanks,
  Pongsatorn

  Defining an External RADIUS Server
  The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
  The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
  To create an external RADIUS server, complete the following steps:
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
  Step 2 Click Add to add an external RADIUS server.
  Step 3 Enter the values as described:
  •Name—(Required) Enter the name of the external RADIUS server.
  •Description—Enter a description of the external RADIUS server.
  •Host IP—(Required) Enter the IP address of the external RADIUS server.
  •Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
  •Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
  •Key Encryption Key—This key is used for session encryption (secrecy).
  •Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
  •Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
  –ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
  –Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
  •Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
  •Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
  •Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
  •Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
  Step 4 Click Submit to save the external RADIUS server configuration.

• VPN Problems - The L2TP-VPN server did not respond

  Okay, so I read quite a few threads about this and can't really figure it out. Would be great if I can get some handholding.
  I'm a complete newbie, trying to set up Server for home use. The VPN service seems to be running fine, but I just can't connect from the clients, it just keeps saying "The L2TP-VPN server did not respond". Here is a glimpse at my settings:
  - I have opened up all the relevant ports for UDP (500,1701,4500) and TCP (1723). But this is only required for the Server, right?
  - I don't have a domain name yet so just using my external IP. This is what I put in under VPN Host name in the Server and Client settings.
  - I login with username and password credentials for one of my network users as created in the Server. Format is [email protected] and the password is the same as the login password.
  ** I seem to get a 'authentication failed' error if I just use my local IP address... Not sure whats happening their, but before that I need to be able to connect to Server with the external IP!
  Am I missing something? Why won't my client connect and that too when I'm at home?

  To run a public VPN server behind an NAT gateway, you need to do the following:
  1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
  2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
  3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
  If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
  Allow incoming IPSec authentication
  if it's not already checked, and save the change.
  With a third-party router, there may be a similar setting.
  4. Configure any firewall in use to pass this traffic.
  5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0./0 with a 24-bit netmask.
  6. "Back to My Mac" on the server is incompatible with the VPN service.
  If the server is directly connected to the Internet, see this blog post.

• Can not establish L2TP connection to Mac Server via VPN

  Hi,
  I am asking for some help on this VPN Problem:
  since yesterday I have a new Mac mini Server running OS X 10.9.3 and Server Software 3.1.2 - my goal is to reach some deivces in my home network from outside, mainly with the iPhone or iPad.
  Dyn.org
  I registered with Dyn.com a hostname using my outside IP Address. Server Type: Host with IP Address and used the IP Address presented to me in the stup wizard. This one is shown as active and when I ping or Lookup the Host Name it is responding - so I think I am fine here.
  Mac Mini Server
  Next I have setup a user on the server who can use VPN. Next I have setup the VPN service with L2TP, using the Host name von dyn.org, a nice shared secret, IP range 10.0.1.190 to 10.0.1.199, DNS 10.0.1.1, no routs.
  I exported this as config file to my iPhone.
  The VPN Protocol in the Server says, it is listening for connections.
  When I turn on VPN on the iPhone it replies always L2TP-VPN-Server has not answered.
  AirPort Extreme
  The AirPort Extreme is configured by the Server with Ports 500, 1701, 4500 and the Mac Server 10.0.1.26 as Privat IP Address.
  The Internet Tab shows Router and DNS as 192.168.211.1 and IPv4 Address as 192.168.211.109
  I actually do not understand why I have a 192.168.xxx.xxx DNS and router entry while I have the Privat Network on 10.0.1.xxx
  The Protocol for VPN just says nothing at all, besides that it is listening. I guess something is blocking the connection to the server.
  By looking at my above configutation - what am I doing wrong? Why do I get this L2TP-VPN-Server error message? I changed the password for the user to be sure I am not miss spelling it. Did not help.
  Any idea?
  Thank you for your support!
  Regards
  Klaus-Martin

  According to your IP addresses you listed, you might have two devices that are trying to create a NATed network (one in the 10.0.0.0/8 and 192.168.0.0/16 networks). Can you list what devices you have between your server and the Internet?
  I'm going to take a guess that you have a router/modem prodived by your ISP, and this is going to give you a 192.168.211.0/24 network (since it set up as a router to provide its own network). You then plugged an Airport into this router and configured it to set up its own wireless network on its own subnet (10.0.1.0/24). The server is on this network, sees the Airport (and lets you configure it). So while your hostname points to your external address (which is good), it's just that external address is the WAN side of the modem/router and not the Airport. I think your network is set up like this: Internet  --> ISP modem  -->  Airport --> Server. If this is the case, you need to set up the ISP modem/router to port forward L2TP ports to your Airport (which in turn, port forward to your server). Or you could set your ISP modem/router into bridge mode and have the Airport dial the connection to the ISP (more complicated).
  Have you tried VPN from the local network, say put the phone on wifi and make sure that works? This would be a quick test to make sure the phone and server are set up properly.
  Also, have you tried port scanning your host from a computer outside your network, like from an iPhone on celluar? That would help you determine if you have routing configured properly for the L2TP VPN ports.

• Steps needed to properly setup L2TP VPN in Mac OS X Server 10.6

  I've been spending hours configuring my network and cannot get my L2TP VPN to connect both inside and outside my network. I am guessing I am having an IP conflict as every time I try to make a connection I get an error message of "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your administrator"
  In my AEBS I have my beginning DHCP address as 10.0.1.1 and ending at 10.0.1.100. In my VPN config under Server Preferences I am asked for a range of IPs to assign for the VPN where I select 10.0.1.101 and end at 10.0.1.105. Am I doing something wrong? Can somebody list the proper steps to get this going ok?
  Thanks again for the great support.

  If you enable the extended logging using the following commands you will get all the details you are after in the radius log.
  $ sudo radiusconfig -setconfig log_auth yes
  $ sudo radiusconfig -setconfig logauthgoodpass yes
  $ sudo radiusconfig -setconfig logauthbadpass yes
  In the log you will then see entries like this
  Auth: Login OK: [002500xxxxxx/password] (from client Airport BaseStation port 0 cli 00-25-00-xx-xx-xx)
  where 'Airport BaseStation' will be the name of your access point as defined in the RADIUS server admin section.
  Charlie at ewhizz d0t net
  ewhizz dot net

• OS X Server / VPN /The L2TP-VPN server did not respond...HELP!

  I am very new to OS X Server and my goal is to setup DNS & VPN!  I would like to have this setup to be able to connect into my apple computer from work or friends house.  I am using an Apple Airport Extreme router and im also using the latest version OS X Mountain Lion with OS X Server installed.  I have started an account with dyndns website for user host name (using a [email protected] address). I assume this would be used as an alternate way of being able to connect without starting a personal website.  I also signed up for another site (no-ip) and I now have a different IP address (not sure if that was necessary). I then followed instructions on youtube (instructional videos by todd for OS X Server Mountain Lion) which seemed to be very easy to understand. But after setting up my VPN on the client side (network setting in system preferences), i tried to connect VPN (L2TP) and i receive this error message "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.". When I open Consol in the utilities folder, I am seeing part of the following message below;
  racoon[117]: IKE Packet: transmit success. (Phase1 Retransmit).
  racoon[117]: IKE Packet: receive failed. (malformed or unexpected cookie).
  pppd[490]: IPSec connection failed
  Does anyone know what's happening or what I need to do to fix this?  Or can someone tell me the basic requirements to setting things up correctly?

  Im using Comcast for my ISP and from the wall I have a Motorola Surfboard 6120 cable modem (not sure how to access my setting on the modem). So basically I have my 6120 cable modem connected to the Apple AirportExtreme router and is then wirelessly connected to my macbook pro.  im providing screen shots of my apple router settings, OS X Server settings and firewall (which is turned off) settings.  Any suggestion on how i should set things up or if you can tell me step by step would be greatly appreciated.

• "The L2TP-VPN server did not respond"

  I just bought an Airport extreme base station, and installed lion server, and configured it for VPN. I have checked all my settings and even looked using AirPort utility. I have tried connecting to my VPN from 2 different Macs and an iPad, and all yield the same error:"The L2TP-VPN server did not respond". When I look at my vpnd.log it is pretty bare:
  2011-08-31 18:27:34 EDT          Loading plugin /System/Library/Extensions/L2TP.ppp
  2011-08-31 18:27:38 EDT          Listening for connections...
  it looks like the VPN connection requests aren't making it from the airport to the server. Any ideas

  FWIW, my Lion Server VPN issue has been solved...
  https://discussions.apple.com/thread/2696981?start=30&tstart=0