Hi Eugene

I disabled XAUTH by removing the command you suggested and it still worked. I intentionally configured a different pool on the EZVPN client group account to the XAUTH user account and can see that the IPSec client (that is, the Cisco software client) receives an address from the pool defined in the RADIUS settings on the EZVPN group account with XAUTH disabled, and when I enable XAUTH the VPN client gets an IP address from the pool defined in the RADIUS settings on the XAUTH user account.

So that makes sense in a way, and it is reassuring to know that the IPSec client can receive IP address pool settings based on the client group account, but it still doesn't explain why I have to define an address pool on the user account when using XAUTH via RADIUS.

As another test, I took the RADIUS/AAA stuff out of the equation and kept everything local, authenticating and authorising against the local DB as follows:

aaa authentication login locallogin local
aaa authorization network localnetwork local
crypto isakmp profile isapro1
 match identity group EZVPN
 client authentication list locallogin
 isakmp authorization list localnetwork
 client configuration address respond
 client configuration group EZVPN
 virtual-template 1
username ben password 0 cisco
crypto isakmp client configuration group EZVPN
 key cisco
 dns 1.1.1.1
 wins 2.2.2.2
 domain EZYVPN.COM
 pool red
 acl 199
 include-local-lan

Now with this configuration, everything works fine. The remote user "ben", who authenticates with an RSA certificate first and then performs XAUTH against the local DB, is given an IP address from the IP pool "red", which is defined under the local client configuration group; obviously in this case he does not have any address pool configuration under his local account, it is just taken from the client configuration group. I still don't know why, when switching to ACS/RADIUS, all of a sudden the router doesn't accept the value "ipsec:addr-pool=pool1" under the EZVPN group account and requires this to be configured under the user account for "ben" in ACS.

Thanks
Ben

On Sun, Jul 22, 2012 at 4:04 AM, Eugene Pefti <[email protected]> wrote:
> I meant to say “no client authentication list rlogin” to disable XAUTH
>
> Do you use Cisco software IPSec client? What do you see in its log?
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Ben Shaw
> Sent: Saturday, July 21, 2012 7:15 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] Easy VPN Server with RADIUS
>
> Hi All
>
> I am configuring an Easy VPN server to authenticate the client group
> against an external ACS server based on a shared password and then perform
> XAUTH against the same ACS server.
>
> I believe I had this working before but now it fails and I get the
> following error in the debugs:
>
> *Mar 1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
> *Mar 1 02:23:31.415: Address: 0.2.0.0
> *Mar 1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
> *Mar 1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
>
> I have two accounts in ACS, one for the tunnel group (EZVPN) with a
> password of 'cisco' as required and a tunnel-password of "CISCO". The
> second account is for XAUTH, and the logs show both of these are authenticating
> successfully when I try to connect via the VPN Client. I have the
> following settings defined for the Cisco AV pair for the user EZVPN, and a
> pool of the name 'pool1' exists on my router:
>
> ipsec:key-exchange=ike
> ipsec:addr-pool=pool1
> ipsec:inacl=199
> ipsec:tunnel-type=ESP
> ipsec:default-domain=AAA.COM
>
> However this doesn't work. Obviously the issue is related to IP addressing,
> and after a bit of playing I found that defining the address pool under the
> second user account as below resolved the issue:
>
> ipsec:addr-pool=pool1
>
> I am sure though that I didn't have to do this before and the router was
> able to take all the IPSec settings from the account defined for the Easy
> VPN group. It also seems counter-intuitive to have to define these kinds of
> settings on a per-user basis in ACS. Can anyone suggest why I am having to
> apply the address pool setting to the user account to get this to work?
> Below is my configuration for the client group on the router:
>
> R3(config)#aaa authentication login rlogin group radius
> R3(config)#aaa authorization network rnetwork group radius
> R3(config)#crypto isakmp profile isapro1
> R3(conf-isa-prof)#match identity group EZVPN
> R3(conf-isa-prof)#client authentication list rlogin
> R3(conf-isa-prof)#isakmp authorization list rnetwork
> R3(conf-isa-prof)#client configuration address respond
> R3(conf-isa-prof)#virtual-template 1
>
> Thanks
> Ben
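The debug excerpt quoted in the thread is the kind of output an operator ends up reading repeatedly while chasing an Easy VPN mode-config failure. Below is an added example, written for this thread and not taken from any of the posts or from Cisco, that parses IOS ISAKMP debug lines and turns the "Could not get address from pool!" sequence into a plain-language finding. The sample debug text is constructed to mirror the four lines in the original message; the decoding of the reserved Framed-IP-Address values follows RFC 2865 section 5.8 and is an assumption about what the IOS debug is reporting, and the diagnosis text is an assumption drawn from the thread's own conclusion (the pool must be returned by the authorization list in use and must exist on the router).

```python
"""Explain an Easy VPN address-assignment failure from IOS ISAKMP debug output.

Added example for the mailing-list thread; not code from the posts or from Cisco.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample mirroring the four debug lines quoted in the thread.
SAMPLE_DEBUG = """\
*Mar 1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
*Mar 1 02:23:31.415: Address: 0.2.0.0
*Mar 1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
*Mar 1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
"""

# RFC 2865 s5.8 reserves two Framed-IP-Address values as instructions to the NAS
# rather than real host addresses (assumption: IOS prints the raw attribute value).
FRAMED_IP_SPECIAL = {
    "255.255.255.255": "client may choose its own address (no server-assigned IP)",
    "255.255.255.254": "NAS should assign an address from a local pool",
}

# "*Mar 1 02:23:31.415: <body>"; the leading '*' is IOS's non-authoritative clock marker.
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+):\s*(?P<body>.*)$"
)
SA_RE = re.compile(r"^ISAKMP:\((?P<sa>\d+)\):\s*(?P<msg>.*)$")   # ISAKMP:(1025):...
PLAIN_RE = re.compile(r"^ISAKMP:\s*(?P<msg>.*)$")                 # ISAKMP: ...
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class DebugLine:
    ts: str
    sa: Optional[str]   # ISAKMP SA id when the line carries one
    msg: str


@dataclass
class ModeConfigReport:
    sa: Optional[str] = None
    framed_ip: Optional[str] = None
    pool_failure: bool = False
    findings: List[str] = field(default_factory=list)


def parse_line(raw: str) -> Optional[DebugLine]:
    """Split one IOS debug line into timestamp, ISAKMP SA id (if any) and message."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    body = m.group("body")
    sa_m = SA_RE.match(body)
    if sa_m:
        return DebugLine(m.group("ts"), sa_m.group("sa"), sa_m.group("msg"))
    plain = PLAIN_RE.match(body)
    if plain:
        return DebugLine(m.group("ts"), None, plain.group("msg"))
    return DebugLine(m.group("ts"), None, body.strip())


def analyse(debug_text: str) -> ModeConfigReport:
    """Walk the debug output and explain why mode-config handed out no address."""
    report = ModeConfigReport()
    for raw in debug_text.splitlines():
        line = parse_line(raw)
        if line is None:
            continue
        if line.sa and report.sa is None:
            report.sa = line.sa
        if "Using Framed-IP-Address" in line.msg:
            ip = IP_RE.search(line.msg)
            if ip:
                report.framed_ip = ip.group(1)
                meaning = FRAMED_IP_SPECIAL.get(report.framed_ip, "a real host address")
                report.findings.append(
                    f"RADIUS Framed-IP-Address {report.framed_ip}: {meaning}")
        elif "Could not get address from pool" in line.msg:
            report.pool_failure = True
            report.findings.append("mode-config could not draw an address from a local pool")
    # Assumption drawn from the thread: with no fixed address from AAA, the only
    # remaining source is a pool named by ipsec:addr-pool on the authorization list.
    if report.pool_failure and report.framed_ip in FRAMED_IP_SPECIAL:
        report.findings.append(
            "diagnosis: no fixed address came from RADIUS and no usable pool was found; "
            "confirm that the authorization list in the isakmp profile returns "
            "ipsec:addr-pool=<pool> and that the pool exists on the router")
    return report


if __name__ == "__main__":
    for finding in analyse(SAMPLE_DEBUG).findings:
        print(finding)
```

Run it as-is to see the three findings for the constructed sample, or feed it the output of `debug crypto isakmp` captured during a failing connection. The parser deliberately separates the SA-tagged `ISAKMP:(n):` lines from the untagged ones so that the SA id of the failing negotiation is kept alongside the AAA attribute that was actually applied.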
