With EzVPN, after ISAKMP Phase 1 there is Phase 1.5, which is known as Xauth. This is for user authentication.

For authentication, you need to use AAA. This applies with both pre-shared keys and certs. Remember, the cert or pre-shared key is checked in Phase 1, that is, before Xauth.

For more scalability, the authentication of the user can be in the cert itself. With this, the user no longer needs to enter a username/password on the client side. Instead, the client enrolls a cert with the username in the cert itself, and that username is authorized instead of Xauth. This is known as PKI user authorization. This is only applicable for EzVPN with certs. For this, authentication is removed and cert authorization is configured. The username is taken from the cert and sent to ACS for authorization.

Note: the user attribute in the cert can be any parameter in the cert.

With regards
Kings

On Sat, Apr 3, 2010 at 10:10 PM, Terry Little (terlittl) <[email protected]> wrote:

> In Lab 4 part 2 sec 4.10 and 4.11, they are both remote access VPN
> configs, first with no CA then with a CA. Both with ACS for user
> authentication. Question...
>
> In 4.10 the solution requires the tunnel group to define an Authentication
> server group and in 4.11 there is only the authorization server group, with
> authorization required. I understand the difference between Authentication
> and Authorization generally. What I don't see is why with the CA there is no
> Authentication and without the CA there is no Authorization. How do these
> map into the remote access VPN process?
>
> Terry Little
> [email protected]
> Phone: +1 425 468 1057
> Mobile: +1 425 894 4109
> Cisco Systems, Inc.
> Network Consulting Engineer
> World Wide Security Services Practice
> Cisco.com - http://www.cisco.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
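As an added illustration of the two tunnel-group shapes discussed in this thread (editor's example, not the lab solution and not configuration from the original post), here is an ASA IKEv1 remote-access configuration in both forms side by side. The server-group name ACS, the pool and tunnel-group names, the trustpoint name CA-TP, the addresses and keys, and the ASA 8.0-era command syntax are all assumptions.

```text
! Shared AAA server definition (hypothetical name, address and key)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5
 key cisco123

ip local pool VPNPOOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! --- Form 1 (no CA): pre-shared key, user authenticated by Xauth (Phase 1.5) ---
! Phase 1 only proves group membership with the PSK, so the ACS group is
! named as the AUTHENTICATION server: the ASA must verify the username and
! password the client types during Xauth before the tunnel comes up.
tunnel-group EZVPN-PSK type remote-access
tunnel-group EZVPN-PSK general-attributes
 address-pool VPNPOOL
 authentication-server-group ACS
tunnel-group EZVPN-PSK ipsec-attributes
 pre-shared-key cisco123

! --- Form 2 (CA): certificates, PKI user authorization, no Xauth ---
! Phase 1 already authenticated the user's certificate against the
! trustpoint, so Xauth is switched off. The username is taken from the
! certificate (here the CN field) and sent to ACS for AUTHORIZATION only;
! authorization-required drops the session if ACS does not return a
! successful authorization for that name.
tunnel-group EZVPN-CERT type remote-access
tunnel-group EZVPN-CERT general-attributes
 address-pool VPNPOOL
 authorization-server-group ACS
 authorization-required
 authorization-dn-attributes CN
tunnel-group EZVPN-CERT ipsec-attributes
 trust-point CA-TP
 isakmp ikev1-user-authentication none
```

Two checks worth making when reproducing this: `authorization-dn-attributes` decides which certificate field becomes the AAA username, so the value you choose must match what the ACS user entries are keyed on (the default is CN then OU); and in the certificate form nothing stops you from leaving `isakmp ikev1-user-authentication` at its Xauth default as well, which gives certificate plus password as two factors rather than the either/or split the lab tasks describe. Note also that `pre-shared-key` and `isakmp ikev1-user-authentication` are the pre-8.4 forms; newer ASA releases prefix them with `ikev1`.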
