[vpn-help] Using Shrewsoft with IAS Radius + Cisco

Matthew Grooms mgrooms at shrew.net
Fri Feb 19 00:30:56 CST 2010


On 2/11/2010 10:32 AM, Shawn Edwards wrote:
> We are using a Cisco ISR with Easy VPN Server to connect remote users to
> our network. We've been using it for quite some time with Cisco VPN
> Client but obviously need a 64 bit VPN Client. I came across shrewsoft
> VPN Client not too long ago, and would love if I could get this software
> working as it seems too good to be true. In any case, here's what we have:
>
> Cisco ISR 2821 Running IPSEC VPN, doing radius authentication to a
> Windows Server 2003 Radius Server. Everything's configured properly as
> we use it successfully with the Cisco VPN Client.
>
> I installed shrewsoft 2.1.5, and it successfully imported the existing
> cisco PCF File we had. When I attempt to connect it asks me for username
> and password (no Domain field like Cisco VPN, though). I enter in
> credentials of a user that has permissions to connect. Here is the
> output of shrewsoft:
>

I wish I had some good insight for you. There are a few ways in which 
Xauth can operate. The most typical is to request the raw password ( 
encrypted using ISAKMP ) which can be used to create a MS-CHAP hash used 
during your session between the gateway and your radius server. The only 
CHAP method defined in the Xauth documents ( where a client actually 
participates in the CHAP conversation ) is CHAP-MD5. However, this 
wouldn't be compatible with your MS-CHAP RADIUS session because you 
can't turn a CHAP-MD5 response into an MS-CHAP response. Have you looked 
at the VPN Client debug level output to see if it's responding to a CHAP 
( ie. CHAP-MD5 ) Xauth request? It should be pretty easy to spot.

http://shrew.net/support/wiki/BugReportVpnWindows

-Matthew
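
An added example, not part of the original message and not Shrew Soft or Cisco code: a sketch of what a gateway can do when the client answers a CHAP-MD5 challenge instead of sending the raw password. It uses the RFC 1994 response formula and the RFC 2865 CHAP-Password / CHAP-Challenge attributes; the password, identifier and challenge are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

CHAP_PASSWORD = 3     # RFC 2865 attribute type
CHAP_CHALLENGE = 60   # RFC 2865 attribute type

def chap_md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(identifier || secret || challenge), computed by the client."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (value plus 2 header octets), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def gateway_relay_chap(ident: int, challenge: bytes, response: bytes) -> bytes:
    """All the gateway can forward: it holds a one-way digest, not the password."""
    return (radius_attr(CHAP_PASSWORD, bytes([ident]) + response)
            + radius_attr(CHAP_CHALLENGE, challenge))

def radius_verify_chap(attrs: bytes, stored_password: bytes) -> bool:
    """Server side: parse the attributes and recompute from the stored password."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        found[attr_type] = attrs[i + 2:i + length]
        i += length
    ident, response = found[CHAP_PASSWORD][0], found[CHAP_PASSWORD][1:]
    expected = chap_md5_response(ident, stored_password, found[CHAP_CHALLENGE])
    return hmac.compare_digest(response, expected)

if __name__ == "__main__":
    password = b"Example-Passw0rd"   # constructed sample, known to client and server
    ident, challenge = 0x2A, os.urandom(16)
    response = chap_md5_response(ident, password, challenge)
    attrs = gateway_relay_chap(ident, challenge, response)
    print("CHAP-Password attribute length:", attrs[1])        # 19 octets
    print("server accepts:", radius_verify_chap(attrs, password))
    # The digest is bound to this challenge and cannot be inverted, so the
    # gateway has no password from which to build an MS-CHAP exchange with
    # the RADIUS server. That only works when Xauth delivers the raw password.
```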


