Hello,

I have had this in production for 3 years: IOS 12.4(9)T (server), remote IPSec clients with ISAKMP pre-shared and group authentication, and authorization via RADIUS. This was done with DVTI, but you may use classical crypto maps instead.
Key config excerpts follow:

Server (cisco2811):
----------------------
!
aaa authentication login VPN_XAUTH-rad group radius
aaa authorization network VPN_ISAK_Authoriz-rad group radius
aaa accounting network IPSecVPN_Acct start-stop group radius
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp profile ISAK_Prof-1
 description "PRESHARED + AAA + DVTI"
 match identity group VPN_GRP-1_preshared
 isakmp authorization list VPN_ISAK_Authoriz-rad
 client configuration address respond
 client authentication list VPN_XAUTH-rad
 accounting IPSecVPN_Acct
 keepalive 45 retry 10
 virtual-template 1
!
crypto ipsec transform-set esp.aes-md5 esp-aes 256 esp-md5-hmac
!
crypto ipsec profile IPSec_Prof-1
 description "To be used with Virtual Tunnel"
 set transform-set esp.aes-md5
 set isakmp-profile ISAK_Prof-1
!
interface Virtual-Template1 type tunnel
 description "VirtTempl for VPN Clients cons"
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSec_Prof-1
!
ip local pool IPSecVPNPool-1 172.17.2.251 172.17.2.254
!
access-list 101 remark "IPSecVPN Split Tunneling"
...
!
radius-server host ... key ...
!
---------------------------------------------
Radius server (cisco acs 4.0)
----------------------------
Group named "VPN_GRP-1_preshared" with the following cisco av-pairs (among these only tunnel-type is a must; the rest is optional and may be set within the individual user setup):
[009\001] cisco-av-pair
ipsec:tunnel-type=ESP
ipsec:key-exchange=ike
ipsec:tunnel-password=isakkey
ipsec:addr-pool=IPSecVPNPool-1
ipsec:inacl=101
ipsec:include-local-lan=1
ipsec:save-password=1
ipsec:max-users=20
-------------------
User named "VPN_GRP-1_preshared" with password set to "cisco" and a member of the above group (this is a foo user used for ISAKMP authorization); no other params needed.
---------------------------------
Other users (real users), not necessarily members of the above group, with the following cisco av-pairs set:
[009\001] cisco-av-pair
ipsec:user-vpn-group=VPN_GRP-1_preshared
(other av-pairs as needed)
---------------------------
cisco IPSec (unity) Client:
------------------------------
Set a profile with Group Authentication and its password set to the pre-shared key used (it is "isakkey" as shown above; this key is stored on RADIUS!).
========================================
More fun with certificates instead of pre-shared keys, and with per-client PKI attribute download from RADIUS (I have this working as well).
=======================================
I do not see any technical obstacle to using TACACS instead of RADIUS for this config; you should only use TACACS attributes instead of RADIUS VSAs.
=======================================
Good luck with making that work.
alex
==========================================
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
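As an added example (not part of alex's post), a small Python checker that cross-references the RADIUS ipsec:* av-pairs against the IOS excerpt above: it confirms that the group name matches "match identity group", that addr-pool and inacl resolve to a defined pool and access-list, that the virtual-template referenced by the ISAKMP profile exists, that the mandatory tunnel-type is ESP, and it reports save-password=1 as a finding. The config and av-pair strings are constructed from the post; the function names are my own.

```python
import re

# Constructed excerpts of the post's IOS config and RADIUS av-pairs (only the referenced lines).
IOS_CONFIG = """
crypto isakmp profile ISAK_Prof-1
 match identity group VPN_GRP-1_preshared
 virtual-template 1
interface Virtual-Template1 type tunnel
ip local pool IPSecVPNPool-1 172.17.2.251 172.17.2.254
access-list 101 remark "IPSecVPN Split Tunneling"
"""

RADIUS_AVPAIRS = [
    "ipsec:tunnel-type=ESP",
    "ipsec:addr-pool=IPSecVPNPool-1",
    "ipsec:inacl=101",
    "ipsec:save-password=1",
]

def parse_avpairs(pairs):
    """Split 'ipsec:key=value' strings into a dict keyed by the bare attribute name."""
    out = {}
    for p in pairs:
        m = re.fullmatch(r"ipsec:([\w-]+)=(.*)", p.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out

def audit(config, pairs, group):
    """Return a list of findings; an empty list means every RADIUS reference resolves."""
    av = parse_avpairs(pairs)
    pools = set(re.findall(r"^ip local pool (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\d+)", config, re.M))
    groups = set(re.findall(r"^\s*match identity group (\S+)", config, re.M))
    vtemplates = set(re.findall(r"^interface Virtual-Template(\d+)", config, re.M))
    used_vt = set(re.findall(r"^\s*virtual-template (\d+)", config, re.M))
    findings = []
    if av.get("tunnel-type") != "ESP":
        findings.append("tunnel-type is mandatory and must be ESP")
    if group not in groups:
        findings.append(f"RADIUS group {group} has no matching 'match identity group'")
    if "addr-pool" in av and av["addr-pool"] not in pools:
        findings.append(f"addr-pool {av['addr-pool']} is not a defined ip local pool")
    if "inacl" in av and av["inacl"] not in acls:
        findings.append(f"inacl {av['inacl']} is not a defined access-list")
    for vt in sorted(used_vt - vtemplates):
        findings.append(f"isakmp profile references missing Virtual-Template{vt}")
    if av.get("save-password") == "1":
        findings.append("save-password=1 lets clients cache the XAUTH password")
    return findings
```

Run audit(IOS_CONFIG, RADIUS_AVPAIRS, "VPN_GRP-1_preshared") against a real "show running-config" and the ACS group export to catch a renamed pool or ACL before clients start failing at Mode Config.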
