Is there a reason you are using legacy configuration? Why not use the newer configuration set? Also, are those the only attributes added to ACS? If so, it isn't enough. If you go through lab 20 in volume 2, it will show you how to do this. To my knowledge that is the only place in the world that this is documented.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of yusef sheriff
Sent: Friday, March 04, 2011 4:44 AM
To: OSL Security
Subject: [OSL | CCIE_Security] Remote VPN using Tacacs authentication

Hi All,

Please help me on the following issue:

Remote access VPN using TACACS authentication and authorization is not working. However, local username/password is working with the same VPN configuration. I have added IKE IPsec attributes to the username on the ACS server. The username is assigned to a new group (rack04). The same group name is used in the crypto configuration. The following are the attributes added to IKE IPsec:

user-vpn-group=rack04
tunnel-password=cisco123
addr-pool=VPN

On the ACS server failed attempts, the username is showing the group name (rack04). When I am trying to connect using the VPN client software I am not getting a username/password prompt, and the following message is appearing on the router:

*Mar 4 12:44:39.127: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 4.4.155.10 was not encrypted and it should've been.
*Mar 4 12:44:39.135: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 4.4.155.10 was not encrypted and it should've been.
The following is a partial router configuration:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login acs group tacacs+ local
aaa authentication login noacs line none
aaa authorization exec default group tacacs+
aaa authorization network acs group tacacs+ local
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RACK04
 key cisco123
 pool VPN
 acl vpn-traffic
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynamic 10
 set transform-set myset
 reverse-route
!
crypto map remotevpn client authentication list acs
crypto map remotevpn isakmp authorization list acs
crypto map remotevpn client configuration address respond
crypto map remotevpn 10 ipsec-isakmp dynamic dynamic
!
interface FastEthernet1/0
 crypto map remotevpn
!
ip local pool VPN 192.168.0.1 192.168.0.10
ip tacacs source-interface Ethernet1/0
tacacs-server host 150.0.4.241 key cisco
!
ip access-list extended vpn-traffic
 permit ip 4.4.5.0 0.0.0.255 192.168.0.0 0.0.0.255
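A cross-reference check over the posted configuration, as an added example that is not part of the original thread or of IPexpert's material: it parses the router config and the ACS ike/ipsec AV pairs into the names the pieces refer to each other by (AAA method lists, ISAKMP client group, address pool, split-tunnel ACL) and reports any reference that does not resolve, which is cheaper to rule out than debugging the IKE exchange. The posted config and AV pairs are embedded as constructed sample input. The case-sensitive group-name comparison and the router-key versus ACS tunnel-password comparison are the check's own assumptions, not something the thread states.

```python
# Added example (not from the thread): cross-reference checker for an IOS
# remote-access VPN + TACACS+ setup. Assumes exact (case-sensitive) name matches.

# Constructed sample input: the partial config from the post, one command per line.
ROUTER_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login acs group tacacs+ local
aaa authentication login noacs line none
aaa authorization exec default group tacacs+
aaa authorization network acs group tacacs+ local
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group RACK04
 key cisco123
 pool VPN
 acl vpn-traffic
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynamic 10
 set transform-set myset
 reverse-route
crypto map remotevpn client authentication list acs
crypto map remotevpn isakmp authorization list acs
crypto map remotevpn client configuration address respond
crypto map remotevpn 10 ipsec-isakmp dynamic dynamic
interface FastEthernet1/0
 crypto map remotevpn
ip local pool VPN 192.168.0.1 192.168.0.10
ip tacacs source-interface Ethernet1/0
tacacs-server host 150.0.4.241 key cisco
ip access-list extended vpn-traffic
 permit ip 4.4.5.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
# Constructed sample input: the ike/ipsec attributes the poster added on ACS.
ACS_AV_PAIRS = "user-vpn-group=rack04 tunnel-password=cisco123 addr-pool=VPN"


def parse_ios_config(text: str) -> dict:
    """Collect the names the VPN pieces reference each other by."""
    f = {"login_lists": set(), "network_lists": set(), "groups": {}, "pools": set(),
         "acls": set(), "map_auth_list": None, "map_authz_list": None}
    group = None  # isakmp client group whose indented sub-commands we are inside
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if line.startswith(" "):  # sub-command: only client-group blocks matter here
            if group is not None and len(w) == 2:
                f["groups"][group][w[0]] = w[1]
            continue
        group = None
        if w[:3] == ["aaa", "authentication", "login"]:
            f["login_lists"].add(w[3])
        elif w[:3] == ["aaa", "authorization", "network"]:
            f["network_lists"].add(w[3])
        elif w[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            group = w[5]
            f["groups"][group] = {}
        elif w[:3] == ["ip", "local", "pool"]:
            f["pools"].add(w[3])
        elif w[:3] == ["ip", "access-list", "extended"]:
            f["acls"].add(w[3])
        elif w[:2] == ["crypto", "map"] and w[-2:-1] == ["list"]:
            f["map_auth_list" if "authentication" in w else "map_authz_list"] = w[-1]
    return f


def parse_av_pairs(text: str) -> dict:
    """Turn 'attr=value attr=value' into a dict."""
    return dict(tok.partition("=")[::2] for tok in text.split())


def check(cfg: dict, av: dict) -> list:
    """Return human-readable findings; an empty list means every name resolves."""
    out = []
    if cfg["map_auth_list"] not in cfg["login_lists"]:
        out.append(f"xauth list '{cfg['map_auth_list']}' has no 'aaa authentication login' entry")
    if cfg["map_authz_list"] not in cfg["network_lists"]:
        out.append(f"authorization list '{cfg['map_authz_list']}' has no 'aaa authorization network' entry")
    g = av.get("user-vpn-group", "")
    if g not in cfg["groups"]:  # assumption: group names must match exactly, case included
        same = [n for n in cfg["groups"] if n.lower() == g.lower()]
        out.append(f"ACS user-vpn-group '{g}' differs only in case from router group '{same[0]}'"
                   if same else f"ACS user-vpn-group '{g}' is not a configured client group")
    if "addr-pool" in av and av["addr-pool"] not in cfg["pools"]:
        out.append(f"ACS addr-pool '{av['addr-pool']}' has no 'ip local pool'")
    for name, attrs in cfg["groups"].items():
        if "pool" in attrs and attrs["pool"] not in cfg["pools"]:
            out.append(f"group '{name}' pool '{attrs['pool']}' has no 'ip local pool'")
        if "acl" in attrs and attrs["acl"] not in cfg["acls"]:
            out.append(f"group '{name}' acl '{attrs['acl']}' is not defined")
        # Assumption: the client carries one group password, so a router key and an
        # ACS tunnel-password that disagree cannot both be what the client presents.
        if "key" in attrs and av.get("tunnel-password", attrs["key"]) != attrs["key"]:
            out.append(f"group '{name}' key differs from ACS tunnel-password")
    return out


if __name__ == "__main__":
    findings = check(parse_ios_config(ROUTER_CONFIG), parse_av_pairs(ACS_AV_PAIRS))
    for line in findings or ["no unresolved references"]:
        print(line)
```

Run against the posted input, the only finding is the case difference between the router's client group and the ACS user-vpn-group value; with the two spelled identically the check returns an empty list, and a pool or ACL name that is referenced but never defined is reported in the same way.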
