OK,
We ruled out any hidden surprises on the router and zoomed in on your ACS.
Interesting...
Let me test it tomorrow in my lab and see how it goes. I remember doing 
something similar and received IP addresses from the right pool.

Sent from iPhone

On Jul 22, 2012, at 1:07 AM, "Ben Shaw" <[email protected]> wrote:

Hi Eugene

I disabled XAUTH by removing the command you suggested and it still worked. I 
intentionally configured a different pool on the EZVPN client group account to 
the XAUTH user account and can see that the IPSec client (that is, the Cisco 
software client) receives an address from the pool defined in the RADIUS 
settings on the EZVPN group account with XAUTH disabled, and when I enable XAUTH 
the VPN client gets an IP address from the pool defined in the RADIUS settings 
on the XAUTH user account.

So that makes sense in a way, and it is reassuring to know that the IPSec client can 
receive IP address pool settings based on the client group account, but it 
still doesn't explain why I have to define an address pool on the user account 
when using XAUTH via RADIUS. As another test, I took the RADIUS/AAA stuff out 
of the equation and kept everything local, authenticating and authorising 
against the local DB as follows:

aaa authentication login locallogin local
aaa authorization network localnetwork local

crypto isakmp profile isapro1
   match identity group EZVPN
   client authentication list locallogin
   isakmp authorization list localnetwork
   client configuration address respond
   client configuration group EZVPN
   virtual-template 1

username ben password 0 cisco
crypto isakmp client configuration group EZVPN
 key cisco
 dns 1.1.1.1
 wins 2.2.2.2
 domain EZYVPN.COM
 pool red
 acl 199
 include-local-lan


Now with this configuration, everything works fine. The remote user "ben", who 
authenticates with an RSA certificate first and then performs XAUTH against the 
local DB, is given an IP address from the IP pool "red", which is defined under 
the local client configuration group; obviously in this case he does not have 
any address pool configuration under his local account, it is just taken from 
the client configuration group. I still don't know why, when switching to 
ACS/RADIUS, all of a sudden the router doesn't accept the value 
"ipsec:addr-pool=pool1" under the EZVPN group account and requires this to be 
configured under the user account for "ben" in ACS.

Thanks
Ben

On Sun, Jul 22, 2012 at 4:04 AM, Eugene Pefti <[email protected]> wrote:
I meant to say "no client authentication list rlogin" to disable XAUTH.
Do you use the Cisco software IPSec client? What do you see in its log?

Eugene


From: [email protected] [mailto:[email protected]] On Behalf Of Ben Shaw
Sent: Saturday, July 21, 2012 7:15 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Easy VPN Server with RADIUS

Hi All


I am configuring an Easy VPN server to authenticate the client group against 
an external ACS server based on a shared password and then perform XAUTH against 
the same ACS server.

I believe I had this working before, but now it fails and I get the following 
error in the debugs:

*Mar  1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
*Mar  1 02:23:31.415:         Address: 0.2.0.0
*Mar  1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
*Mar  1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!

I have two accounts in ACS, one for the tunnel group (EZVPN) with a password of 
'cisco' as required and a tunnel-password of "CISCO". The second account is for 
XAUTH, and the logs show both of these are authenticating successfully when I try 
to connect via the VPN Client. I have the following settings defined for the 
Cisco AV pair for the user EZVPN, and a pool of the name 'pool1' exists on my 
router:

ipsec:key-exchange=ike
ipsec:addr-pool=pool1
ipsec:inacl=199
ipsec:tunnel-type=ESP
ipsec:default-domain=AAA.COM

However, this doesn't work. Obviously the issue is related to IP addressing, and 
after a bit of playing I found that defining the address pool under the second 
user account as below resolved the issue:

ipsec:addr-pool=pool1

I am sure, though, that I didn't have to do this before and the router was able 
to take all the IPSec settings from the account defined for the Easy VPN group. 
It also seems counter-intuitive to have to define these kinds of settings on a 
per-user basis in ACS. Can anyone suggest why I am having to apply the address 
pool setting to the user account to get this to work? Below is my configuration 
for the client group on the router:

R3(config)#aaa authentication login rlogin group radius
R3(config)#aaa authorization network rnetwork group radius
R3(config)#crypto isakmp profile isapro1
R3(conf-isa-prof)#match identity group EZVPN
R3(conf-isa-prof)#client authentication list rlogin
R3(conf-isa-prof)#isakmp authorization list rnetwork
R3(conf-isa-prof)#client configuration address respond
R3(conf-isa-prof)#virtual-template 1

Thanks
Ben
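The thread above boils down to two RADIUS profiles (the EZVPN group account and the XAUTH user account), the `ipsec:*` AV pairs on each, and a few `debug crypto isakmp` lines that say the pool lookup failed. The script below is an added triage helper, not code from any poster or from Cisco: it parses AV-pair lists the way ACS presents them (one `proto:attr=value` per line), pulls the Framed-IP-Address and the "Could not get address from pool!" marker out of the debug output, and reports where `ipsec:addr-pool` is (or is not) defined. The sample AV pairs and debug lines are constructed from the values quoted in the thread, not captured from the poster's lab, and the findings restate what the thread observed (the user-account pool wins when XAUTH is enabled), not an explanation of why.

```python
import re

# Constructed sample data modelled on the thread's posts (not captured from the poster's router).
GROUP_AVPAIRS = """
ipsec:key-exchange=ike
ipsec:addr-pool=pool1
ipsec:inacl=199
ipsec:tunnel-type=ESP
ipsec:default-domain=AAA.COM
"""
USER_AVPAIRS_EMPTY = ""                       # the failing case: nothing on the XAUTH user
USER_AVPAIRS_WITH_POOL = "ipsec:addr-pool=pool1"  # the workaround the poster found

DEBUG_FAILURE = """\
*Mar  1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
*Mar  1 02:23:31.415:         Address: 0.2.0.0
*Mar  1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
*Mar  1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
"""

AVPAIR_RE = re.compile(r"^(?P<proto>[a-z]+):(?P<attr>[a-z0-9-]+)=(?P<val>.+)$")
FRAMED_RE = re.compile(r"Using Framed-IP-Address (\d{1,3}(?:\.\d{1,3}){3})")
POOL_FAIL = "Could not get address from pool!"


def parse_avpairs(text):
    """Parse a Cisco AV-pair list into {'proto:attr': value}.

    Lines that do not match the proto:attr=value shape are returned separately
    so a typo in an ACS profile is reported instead of silently ignored.
    """
    pairs, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AVPAIR_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        pairs[f"{m['proto']}:{m['attr']}"] = m["val"]
    return pairs, malformed


def parse_isakmp_debug(text):
    """Extract the pushed Framed-IP-Address and whether the pool lookup failed."""
    framed = FRAMED_RE.search(text)
    return {
        "framed_ip": framed.group(1) if framed else None,
        "pool_failure": POOL_FAIL in text,
    }


def triage(group_text, user_text, debug_text):
    """Correlate both RADIUS profiles with the debug output; return a list of findings."""
    group, group_bad = parse_avpairs(group_text)
    user, user_bad = parse_avpairs(user_text)
    dbg = parse_isakmp_debug(debug_text)
    findings = []
    for label, bad in (("group", group_bad), ("user", user_bad)):
        findings += [f"malformed AV pair on {label} account: {line!r}" for line in bad]
    if dbg["pool_failure"]:
        findings.append("router logged 'Could not get address from pool!'")
    if dbg["framed_ip"] == "255.255.255.255":
        # RFC 2865 s5.8: 0xFFFFFFFF means "NAS should allow the user to select an
        # address", i.e. no concrete host address was handed to the client.
        findings.append("Framed-IP-Address 255.255.255.255: no host address was assigned")
    gpool, upool = group.get("ipsec:addr-pool"), user.get("ipsec:addr-pool")
    if gpool and upool:
        findings.append(f"addr-pool on both accounts (group={gpool}, user={upool}); "
                        "thread observed the user-account value wins when XAUTH is enabled")
    elif gpool:
        findings.append(f"addr-pool only on group account ({gpool}); matches the failing case")
    elif upool:
        findings.append(f"addr-pool only on user account ({upool})")
    else:
        findings.append("no ipsec:addr-pool on either account")
    return findings


if __name__ == "__main__":
    for line in triage(GROUP_AVPAIRS, USER_AVPAIRS_EMPTY, DEBUG_FAILURE):
        print("-", line)
```

Run it against the real ACS profile contents and a fresh `debug crypto isakmp` capture; the malformed-line report is the first thing to check, since an AV pair that ACS stores with a stray space or a wrong prefix is silently dropped by the router.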
