I meant to say "no client authentication list rlogin" to disable XAUTH.
Do you use the Cisco software IPSec client? What do you see in its log?

Eugene


From: [email protected] 
[mailto:[email protected]] On Behalf Of Ben Shaw
Sent: Saturday, July 21, 2012 7:15 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Easy VPN Server with RADIUS

Hi All

I am configuring an Easy VPN server to authenticate the client group against 
an external ACS server based on a shared password and then perform XAUTH against 
the same ACS server.

I believe I had this working before, but now it fails and I get the following 
error in the debugs:

*Mar  1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
*Mar  1 02:23:31.415:         Address: 0.2.0.0
*Mar  1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
*Mar  1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!

I have two accounts in ACS, one for the tunnel group (EZVPN) with a password of 
'cisco' as required and a tunnel-password of "CISCO". The second account is for 
XAUTH, and the logs show both of these are authenticating successfully when I try 
to connect via the VPN Client. I have the following settings defined for the 
Cisco AV pair for the user EZVPN, and a pool of the name 'pool1' exists on my 
router:

ipsec:key-exchange=ike
ipsec:addr-pool=pool1
ipsec:inacl=199
ipsec:tunnel-type=ESP
ipsec:default-domain=AAA.COM

However, this doesn't work. Obviously the issue is related to IP addressing, and 
after a bit of playing I found that defining the address pool under the second 
user account as below resolved the issue:

ipsec:addr-pool=pool1

I am sure, though, that I didn't have to do this before and the router was able 
to take all the IPSec settings from the account defined for the Easy VPN group. 
It also seems counter-intuitive to have to define these kinds of settings on a 
per-user basis in ACS. Can anyone suggest why I am having to apply the address 
pool setting to the user account to get this to work? Below is my configuration 
for the client group on the router:

R3(config)#aaa authentication login rlogin group radius
R3(config)#aaa authorization network rnetwork group radius
R3(config)#crypto isakmp profile isapro1
R3(conf-isa-prof)#match identity group EZVPN
R3(conf-isa-prof)#client authentication list rlogin
R3(conf-isa-prof)#isakmp authorization list rnetwork
R3(conf-isa-prof)#client configuration address respond
R3(conf-isa-prof)#virtual-template 1

Thanks
Ben
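As an added troubleshooting aid (not part of the original thread or of any Cisco tool), the script below parses `debug crypto isakmp` output of the kind quoted above and reports, per ISAKMP SA, whether mode-config address assignment fell back to a pool and failed. It assumes the `Using Framed-IP-Address` line (which carries no SA id in the debug) belongs to the most recently printed SA id, which holds when the lines of one mode-config exchange are contiguous. The sample input reuses the four lines from the post and adds a constructed second SA (id 1026) that receives a concrete address, for contrast. RFC 2865 defines `Framed-IP-Address` 255.255.255.255 as "let the user choose" and 255.255.255.254 as "NAS assigns", so neither is a usable per-user address; that is what the check keys on.

```python
import re

# Constructed sample: the first four lines are quoted from the post (SA 1025,
# pool lookup fails); the last three are a constructed contrasting SA (1026)
# that received a concrete Framed-IP-Address (192.0.2.17 is documentation space).
SAMPLE_DEBUG = """\
*Mar  1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
*Mar  1 02:23:31.415:         Address: 0.2.0.0
*Mar  1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
*Mar  1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
*Mar  1 02:24:10.002: ISAKMP:(1026):attributes sent in message:
*Mar  1 02:24:10.002:         Address: 0.2.0.0
*Mar  1 02:24:10.002: ISAKMP: Using Framed-IP-Address 192.0.2.17
"""

# RFC 2865 section 5.8: 255.255.255.255 = user selects the address,
# 255.255.255.254 = NAS selects (e.g. from a pool). Neither is a real address.
WILDCARD_FRAMED_IPS = {"255.255.255.255", "255.255.255.254"}

SA_RE = re.compile(r"ISAKMP:\((\d+)\):")
FRAMED_RE = re.compile(r"Using Framed-IP-Address (\d+\.\d+\.\d+\.\d+)")
TS_RE = re.compile(r"^\*?(\w{3}\s+\d+\s+[\d:.]+):")
POOL_FAIL = "Could not get address from pool!"


def parse_isakmp_debug(text):
    """Group mode-config address events by ISAKMP SA id.

    Assumption (not guaranteed by IOS): a 'Using Framed-IP-Address' line, which
    has no SA id of its own, is attributed to the most recently seen SA id.
    """
    records = {}
    current = None
    for line in text.splitlines():
        ts = TS_RE.match(line)
        sa = SA_RE.search(line)
        if sa:
            current = int(sa.group(1))
            rec = records.setdefault(
                current, {"framed_ip": None, "pool_failed": False, "first_seen": None}
            )
            if rec["first_seen"] is None and ts:
                rec["first_seen"] = ts.group(1)
        if current is None:
            continue  # lines before the first SA id cannot be attributed
        rec = records[current]
        framed = FRAMED_RE.search(line)
        if framed:
            rec["framed_ip"] = framed.group(1)
        if POOL_FAIL in line:
            rec["pool_failed"] = True
    return records


def diagnose(records):
    """One finding per SA whose address assignment failed, in SA-id order."""
    findings = []
    for sa_id in sorted(records):
        rec = records[sa_id]
        if not rec["pool_failed"]:
            continue
        if rec["framed_ip"] is None or rec["framed_ip"] in WILDCARD_FRAMED_IPS:
            why = ("no concrete Framed-IP-Address from RADIUS and no usable "
                   "ipsec:addr-pool resolved; check that the group account "
                   "returns addr-pool and that the named pool exists on the router")
        else:
            why = f"Framed-IP-Address {rec['framed_ip']} received but pool lookup still failed"
        findings.append(f"SA {sa_id} @ {rec['first_seen']}: {why}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_isakmp_debug(SAMPLE_DEBUG)):
        print(finding)
```

Feed it the output of `show logging` or a saved terminal session; any SA that completes mode-config without the pool-failure message is silently accepted, so only the failing ones show up.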