Alexander, Simon is asking for TACACS, not radius.
With regards
Kings

On Thu, Sep 17, 2009 at 5:57 PM, Alexander Zlatkin <[email protected]> wrote:
> Hello,
>
> Have that in production for 3 years:
> IOS 12.4(9)T (server), remote IPSec clients
> with isakmp preshared and group authentication
> and authorization via radius. This was done with
> DVTI but you may use classical crypto maps instead.
>
> Key config excerpts follow:
>
> Server (cisco2811):
> ----------------------
> !
> aaa authentication login VPN_XAUTH-rad group radius
> aaa authorization network VPN_ISAK_Authoriz-rad group radius
> aaa accounting network IPSecVPN_Acct start-stop group radius
> !
> crypto isakmp policy 2
>  encr aes 256
>  authentication pre-share
>  group 2
> !
> crypto isakmp profile ISAK_Prof-1
>  description "PRESHARED + AAA + DVTI"
>  match identity group VPN_GRP-1_preshared
>  isakmp authorization list VPN_ISAK_Authoriz-rad
>  client configuration address respond
>  client authentication list VPN_XAUTH-rad
>  accounting IPSecVPN_Acct
>  keepalive 45 retry 10
>  virtual-template 1
> !
> crypto ipsec transform-set esp.aes-md5 esp-aes 256 esp-md5-hmac
> !
> crypto ipsec profile IPSec_Prof-1
>  description "To be used with Virtual Tunnel"
>  set transform-set esp.aes-md5
>  set isakmp-profile ISAK_Prof-1
> !
> interface Virtual-Template1 type tunnel
>  description "VirtTempl for VPN Clients cons"
>  ip unnumbered Loopback1
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile IPSec_Prof-1
> !
> ip local pool IPSecVPNPool-1 172.17.2.251 172.17.2.254
> !
> access-list 101 remark "IPSecVPN Split Tunneling"
> ...
> !
> radius-server host ... key ...
> !
> ---------------------------------------------
> Radius server (cisco acs 4.0)
> ----------------------------
>
> Group named "VPN_GRP-1_preshared" with
> the following cisco av-pairs:
> (among these only tunnel-type is a must,
> the rest are optional and may be set within the
> individual user setup)
> [009\001] cisco-av-pair
> ipsec:tunnel-type=ESP
> ipsec:key-exchange=ike
> ipsec:tunnel-password=isakkey
> ipsec:addr-pool=IPSecVPNPool-1
> ipsec:inacl=101
> ipsec:include-local-lan=1
> ipsec:save-password=1
> ipsec:max-users=20
> -------------------
> user named "VPN_GRP-1_preshared"
> with password set to "cisco" and
> a member of the above group
> (this is a foo user used for isakmp
> authorization); no other params needed
> ---------------------------------
> other users (real users),
> not necessarily members of the above group, with the following
> cisco av-pairs set:
> [009\001] cisco-av-pair
> ipsec:user-vpn-group=VPN_GRP-1_preshared
> (other av-pairs as needed)
> ---------------------------
>
> cisco IPSec (unity) Client:
> ------------------------------
> Set a profile with Group Authentication
> and its password set to the pre-shared key used
> (it is "isakkey" as shown above. This key
> is stored on radius!)
>
> ========================================
>
> More fun with certificates instead of pre-shared,
> and with per-client PKI attributes downloaded from
> radius (have this working as well).
> =======================================
>
> I do not see any technical obstacle to using tacacs instead
> of radius for this config; you should only use
> tacacs attributes instead of radius vsa's.
>
> =======================================
>
> good luck with making that work.
>
> alex
> ==========================================
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
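As an added example (not code from the thread or from Cisco), here is a small Python parser for the `ipsec:*` cisco-av-pair lines of the ACS group quoted above. It checks the one attribute Alex calls mandatory (`tunnel-type`) and flags the options that relax client behaviour, so a defender can review a group definition before pushing it to the AAA server; the sample attribute text is constructed from the values in the post.

```python
"""Parse and sanity-check the ipsec:* cisco-av-pairs used for ISAKMP
group authorization, as in the ACS group "VPN_GRP-1_preshared" above."""
from typing import Dict, List

# Constructed sample: the attribute lines from the quoted ACS group.
SAMPLE_AVPAIRS = """\
ipsec:tunnel-type=ESP
ipsec:key-exchange=ike
ipsec:tunnel-password=isakkey
ipsec:addr-pool=IPSecVPNPool-1
ipsec:inacl=101
ipsec:include-local-lan=1
ipsec:save-password=1
ipsec:max-users=20
"""

# Per the post, tunnel-type is the only mandatory group attribute.
REQUIRED = ("tunnel-type",)
# Options that relax client behaviour; worth a second look when auditing.
PERMISSIVE_FLAGS = {
    "save-password": "client may cache the Xauth user password",
    "include-local-lan": "client keeps its local LAN reachable while tunnelled",
}


def parse_avpairs(text: str) -> Dict[str, str]:
    """Return {attr: value} for each 'ipsec:attr=value' line; other lines are skipped."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ipsec:") or "=" not in line:
            continue
        key, _, value = line[len("ipsec:"):].partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def audit_group(attrs: Dict[str, str]) -> List[str]:
    """Findings: missing mandatory attributes, permissive flags, and a stored PSK."""
    findings: List[str] = []
    for req in REQUIRED:
        if req not in attrs:
            findings.append(f"missing required attribute ipsec:{req}")
    for flag, why in PERMISSIVE_FLAGS.items():
        if attrs.get(flag) == "1":
            findings.append(f"ipsec:{flag}=1 ({why})")
    if "tunnel-password" in attrs:
        # As the post notes, the group pre-shared key itself lives on the AAA server.
        findings.append("ipsec:tunnel-password present: group PSK is stored on the AAA server")
    return findings
```

Running `audit_group(parse_avpairs(SAMPLE_AVPAIRS))` on the quoted group reports no missing attribute but lists both permissive flags and the stored PSK.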
