Question : Problem: Configure Cisco 1841 to use IAS Radius and Local user authentication
Hi experts.
We have a site that has quite a simple setup. 30 users on the LAN, an 1841 on the perimeter (with an ADSL modem on the external IF) and some remote users who connect using the Cisco VPN software client with local user authentication.
We'd like to implement IAS and do a phased integration - bring in Radius AND Local authentication, then eventually get rid of Local (give us a chance to get everyone over to using their AD account).
I haven't set up IAS before, but have another client's site I can refer to - I'm pretty much told the only real gotcha is to make sure we're using unauthenticated PAP. Have followed a few tutorials and have got this set up (but as below, it's not quite working).
So, the question is... what commands / config changes do I need to implement to make the existing VPN setup use both local AND Radius.
The Radius Server will be 192.168.1.83 - the internal IF of the 1841 is 192.168.1.1 (doh!).
The current (edited for security) config is below. It was created using SDM, so the ACLs are huge... I've removed the middle parts of some ACLs to save room here:
================================
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MYROUTER
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 $1$Swze$JoeKKQvZmxOefHFjCZ3k50
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
!
!
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
no ip bootp server
ip domain name mydomain.local
ip name-server 192.168.1.83
ip name-server 20.27.32.3
!
!
!
crypto pki trustpoint TP-self-signed-3444143421
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3444143421
revocation-check none
rsakeypair TP-self-signed-3444143421
!
!
crypto pki certificate chain TP-self-signed-3444143421
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343434 31343334 3231301E 170D3038 30313233 32313335
35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34343431
34333432 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D2BD FF681910 A2742EDA 021E70C7 6D5DE95D 269CA554 81C6D71A 82816BD6
E172A575 2E9733C2 6884113F A8547643 FF921172 FF2630F3 4BE7766E F05C8018
BDF70ABF 45F128BC 8A07FB15 A2211445 9941A7DE DEB42AF0 8751AE12 6A6D0BCB
BD312666 E93BC64E 7F42FBA6 3D94F5B6 BF8645D2 38098F62 3DD9CBC7 34902103
9CB50203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 1543554C 48524F30 312E6375 6C68616D 2E6C6F63 616C301F
0603551D 23041830 16801412 E3D7AF25 C2243E4C 62F155C8 E07B7BC8 4A893E30
1D060355 1D0E0416 041412E3 D7AF25C2 243E4C62 F155C8E0 7B7BC84A 893E300D
06092A86 4886F70D 01010405 00038181 00A36D7F 504BB969 06F49701 092D6AFB
8A4D4CBF 84B79B0A 13DAD21E 4104B6BA 331CDF2B DED372B7 F7591CE5 9EE8294A
132663F7 455D8FE2 73288E77 7CB2ACFC DE5A373B B00FB5E4 0710CD07 A06D9236
1C10FA5F 5B345442 CAB2F988 20571B7B B2B4BDBE D8B05680 3257AEEE F1666F39
EE33C3CB 17763B20 D7EBEE0F 3047F70C 50
quit
username administrator privilege 15 secret 5 BLAHBLAH
username fred password 7 BLAHBLAH
username shane password 7 BLAHBLAH
username bill password 7 BLAHBLAH
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group culham-vpn
key mysecretk3y
dns 192.168.1.83
domain mydomain.local
pool SDM_POOL_1
acl 106
split-dns mydomain.local
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Internal Network$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description To ADSL Internet Modem$ETH-WAN$$FW_OUTSIDE$
ip address 192.168.200.1 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip ips sdm_ips_rule out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.101.201 192.168.101.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.200.254
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.31 10019 interface FastEthernet0/1 10019
ip nat inside source static tcp 192.168.1.31 8201 interface FastEthernet0/1 8201
ip nat inside source static tcp 192.168.1.31 8200 interface FastEthernet0/1 8200
ip nat inside source static tcp 192.168.1.31 8016 interface FastEthernet0/1 8016
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.83 25 interface FastEthernet0/1 25
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.1.83 eq domain any
access-list 100 deny ip 192.168.200.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.101.201 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.101.202 192.168.1.0 0.0.0.255
...
access-list 101 permit ip host 192.168.101.253 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.101.254 192.168.1.0 0.0.0.255
access-list 101 permit udp host 202.27.184.3 eq domain any
access-list 101 permit udp host 202.27.184.5 eq domain any
access-list 101 permit udp host 202.27.18.3 eq domain any
access-list 101 permit tcp any host 192.168.200.1 eq smtp
access-list 101 permit tcp any host 192.168.200.1 eq 10019
access-list 101 permit tcp any host 192.168.200.1 eq 8201
access-list 101 permit tcp any host 192.168.200.1 eq 8200
access-list 101 permit tcp any host 192.168.200.1 eq 8016
access-list 101 permit ip host 192.168.101.201 any
access-list 101 permit ip host 192.168.101.202 any
access-list 101 permit ip host 192.168.101.203 any
...
access-list 101 permit ip host 192.168.101.252 any
access-list 101 permit ip host 192.168.101.253 any
access-list 101 permit ip host 192.168.101.254 any
access-list 101 permit udp any host 192.168.200.1 eq non500-isakmp
access-list 101 permit udp any host 192.168.200.1 eq isakmp
access-list 101 permit esp any host 192.168.200.1
access-list 101 permit ahp any host 192.168.200.1
access-list 101 permit udp host 20.27.32.5 eq domain host 192.168.200.1
access-list 101 permit udp host 20.27.32.3 eq domain host 192.168.200.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.200.1 echo-reply
access-list 101 permit icmp any host 192.168.200.1 time-exceeded
access-list 101 permit icmp any host 192.168.200.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.101.201
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.101.202
...
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.101.252
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.101.253
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.101.254
access-list 103 deny ip any host 192.168.101.201
access-list 103 deny ip any host 192.168.101.202
...
access-list 103 deny ip any host 192.168.101.253
access-list 103 deny ip any host 192.168.101.254
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
!
control-plane
!
banner login ^CUNAUTHORISED ACCESS PROHIBITED^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 4000 1000
end
================================
I've been trying to get just the RADIUS authenticating for testing, and added:
aaa authentication login sdm_vpn_xauth_ml_1 radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
radius-server host 192.168.1.83 auth-port 1812 acct-port 1813 key 7 MYKEYHERE
ip radius source-interface FastEthernet0/0
... but the VPN client doesn't authenticate with a user I've added in my AD Group (and set up in IAS) or (of course) a local Cisco user. There have been no IAS logs created either, even though I've enabled logging, so I guess the router isn't talking to IAS at all just yet.
IAS setup is basically:
RADIUS CLIENTS
Friendly name = Router name
Address = Router address
Client-Vendor = Cisco
Shared Secret = ... shared secret
REMOTE ACCESS POLICIES (all deleted, except for:)
Name = Cisco VPN Connections
Conditions = Client-Vendor matches "Cisco" AND Windows-Group matches "DOMAIN\CiscoVPNUsers"
Edit Profile Settings:
Authentication = everything unticked except for Unencrypted Authentication
... pretty much everything else has been left unchanged I think.
Have had a really good play with this, but I'm hitting the brick wall... :(
Looking forward to hearing back!
Thanks in advance!
Answer : Problem: Configure Cisco 1841 to use IAS Radius and Local user authentication
The local will be hit if radius does not answer. What do the radius logs indicate?
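Putting the answer's fallback behaviour into the configuration the question asks for, as an added example that is not part of the original thread: one XAUTH method list tries the IAS server first and falls back to the router's local users only when RADIUS returns no response (timeout or unreachable), never on an Access-Reject. The server address, ports, interface and list names are taken from the posted config; the shared secret and the test credentials are placeholders, and the `test aaa` and `debug radius` commands are assumed to be available on this IOS release.

```cisco
! Added example (not the poster's config): RADIUS-first, local-fallback XAUTH.
! IOS moves to the next method in a list only when the previous method returns
! an ERROR (no answer from the server). A wrong AD password is a REJECT and stops
! the list, so local users are not consulted while IAS is reachable.
aaa new-model
!
! Server definition: 192.168.1.83 and ports 1812/1813 are from the post. The key
! must match the shared secret typed into the IAS RADIUS client entry for 192.168.1.1.
radius-server host 192.168.1.83 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
! Keep the dead-server window short so the fallback to local is not a long hang.
radius-server timeout 3
radius-server retransmit 2
! Send requests from the inside address that IAS has registered as the client.
ip radius source-interface FastEthernet0/0
!
! The list named by "crypto map SDM_CMAP_1 client authentication list".
! Entering this line replaces the earlier "... sdm_vpn_xauth_ml_1 local" entry.
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
! ISAKMP group authorization (pool, split ACL, DNS) stays on the local database.
aaa authorization network sdm_vpn_group_ml_1 local
!
! Leave console and VTY on local-only authentication so a RADIUS outage or a
! mis-set shared secret cannot lock administrators out of the router.
aaa authentication login local_authen local
!
! Verification from the router, run from enable mode (not part of the config):
!   test aaa group radius testuser REPLACE-WITH-PASSWORD new-code
! sends a real Access-Request to the group and reports accept / reject / no response;
!   debug radius
! shows whether packets leave Fa0/0 at all and whether 192.168.1.83 answers.
```

If `test aaa` reports no response while IAS shows nothing in its log, check the shared secret, the client address (it must be 192.168.1.1 because of the source-interface), and that IAS is listening on 1812/1813 rather than only 1645/1646.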