did some research, looks like the "client configuration group" command under isakmp profile is only needed when you are matching based on arbitrary fields in the certificate, using a certificate map etc.
if the match is based on OU, since it is default on the IOS, it knows to pick the matching group.

On Sun, Jul 22, 2012 at 3:34 PM, GuardGrid <[email protected]> wrote:
> Ben,
> Yes GNS3 and you are absolutely right. I had gone through several rounds of troubleshooting and several reboots and even recreated the pki config.
>
> Finally after resolving other issues like not defining group 2 explicitly and identity dn it looks like I forgot to recreate the pki setup after my last reboot. Once I did that it worked like a charm.
>
> Also, I did not need to explicitly specify the "client configuration group"; when the connection establishes from the PC it lands on that profile and picks the appropriate settings.
>
> Thanks
> SK
>
> On Sun, Jul 22, 2012 at 3:43 AM, Ben Shaw <[email protected]> wrote:
>> Hi,
>>
>> first things first, check your local RSA keys, especially if you are doing this on a GNS router as I have worked out the painful way that they are lost on reboot so you may need to recreate your RSA keys and re-enroll with your CA. I was doing some similar Easy VPN work to what you are trying to do and when testing this for you got the same issues as you but was able to resolve them and get it working after I realised my GNS router had lost its local RSA keys associated with its cert after a reboot. Deleting the trustpoint, recreating the keys and then reconfiguring the trustpoint resolved the issue and it started working.
>>
>> Additionally, it seems like you are missing the "client configuration group" command under the ISAKMP profile to apply the client group settings from a locally configured client group for connections that match the ISAKMP profile. I don't think there is any need to apply the "client pki authorization" command as this is used to extract a username for XAUTH from a certificate based on the field defined in the command "authorization username subjectname" under the trustpoint but you can still do XAUTH manually by entering the username and password via the client without these commands.
>>
>> Ben
>>
>> On Sun, Jul 22, 2012 at 7:03 AM, Eduardo De Los Cobos <[email protected]> wrote:
>>> I think you should add the "crypto pki authorization" to the isakmp profile.
>>>
>>> Sent from my iPhone
>>>
>>> On 21/07/2012, at 15:21, GuardGrid <[email protected]> wrote:
>>>
>>> Actually I removed that and if you notice now just matching by identity and I can see from the debugs that it is picking up the right profile.
>>>
>>> crypto isakmp profile ISAKMP_PROF
>>>  match identity group CCIE
>>>
>>> Also, when I add OU=CCIE the IOS parser converts that and shows up as ou = ccie on the sh run.
>>>
>>> On Sat, Jul 21, 2012 at 4:04 PM, Karthik sagar <[email protected]> wrote:
>>>> In your certificate map, the line 'subject-name co ou = ccie', can you try removing the spaces between 'ou = ccie'. I think the certificate matching is not happening correctly. Also, I am not sure if the matching is case insensitive.
>>>>
>>>> Regards,
>>>> Karthik
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
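The two ways of mapping a certificate-authenticated Easy VPN client to a local client group that the thread discusses, side by side, as an added example (not configuration posted by any of the participants): the OU-based match that needs no "client configuration group" line, and the certificate-map match that does. The trustpoint, AAA list, pool, address and profile names are assumptions.

```cisco
! Added example, not configuration from the thread. Trustpoint, AAA list,
! pool and profile names are assumptions; use one of the two profiles, not both.
aaa new-model
aaa authentication login VPN_XAUTH local
aaa authorization network VPN_GROUPS local
!
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 ! state the DH group explicitly (the thread hit problems without it)
 group 2
!
crypto pki trustpoint VPN_CA
 enrollment url http://ca.example.test:80
 subject-name CN=vpn-gw,OU=CCIE
 ! lab setting only; keep CRL/OCSP checking enabled in production
 revocation-check none
 ! if the keypair is lost (e.g. GNS3 reboot), regenerate it and re-enrol
 rsakeypair VPN_KEYS
!
ip local pool VPN_POOL 10.10.10.1 10.10.10.50
!
crypto isakmp client configuration group CCIE
 pool VPN_POOL
 dns 10.0.0.53
!
! Option 1: the group name comes from the client certificate's OU (OU=CCIE).
! IOS selects the client group of the same name, so the profile needs no
! "client configuration group" line.
crypto isakmp profile ISAKMP_PROF
 ca trust-point VPN_CA
 match identity group CCIE
 client authentication list VPN_XAUTH
 isakmp authorization list VPN_GROUPS
 client configuration address respond
!
! Option 2: match on arbitrary certificate fields through a certificate map.
! The map yields no group name, so the profile must name the group itself.
crypto pki certificate map CCIE_MAP 10
 subject-name co ou=ccie
!
crypto isakmp profile ISAKMP_PROF_MAP
 ca trust-point VPN_CA
 match certificate CCIE_MAP
 client configuration group CCIE
 client authentication list VPN_XAUTH
 isakmp authorization list VPN_GROUPS
 client configuration address respond
```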
