The User AVs overrides the Groups. The following are some workarounds:
EzVPN Radius Authentication =========================== Pre-shares keys --------------- Method 1 -------- Put the Group and User in any group Group should always have the pre-shared key The other AVs can be placed anywhere as desired Group is authenticated first and then user Method 2 ======== Create an EZVPN and put all the AVs in that group. If group authentication is performed again, user AVs are lost First group is authenticated, then user and then group Certificates with Xauth ======================= Put all AVs in group and nothing in the User. This makes group and user to authenticate, If group authentication is performed again, user AVs are lost. User is authenticated first and then group. Either put all AVs in ACS group and make group/user the member or put all AVs in the User. The group is never authenticated. Only user is authenticated Certificates with PKI ===================== Put all AVs in group and specifics in user. User is authenticated second and hence it's av takes precedence. First group is authenticated and then user. Group AVs are retained With regards Kings On Sat, Jul 21, 2012 at 11:09 PM, Eugene Pefti <[email protected]>wrote: > Hi Ben,**** > > I’m wondering what happens if you for the sake of the test disable XAUTH ? > **** > > ** ** > > ** ** > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Ben Shaw > *Sent:* Saturday, July 21, 2012 7:15 AM > *To:* [email protected] > *Subject:* [OSL | CCIE_Security] Easy VPN Server with RADIUS**** > > ** ** > > Hi All > > I am configuring an Easy VPN server to authentication the client group > against an external ACS server based on shared password and then perform > XAUTH against the same ACS server. > > I believe I had this working before but now it fails and I get the > following error in the debugs > > *Mar 1 02:23:31.415: ISAKMP:(1025):attributes sent in message: > *Mar 1 02:23:31.415: Address: 0.2.0.0 > *Mar 1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255 > *Mar 1 02:23:31.415: ISAKMP:(1025):Could not get address from pool! > > I have two accounts in ACS, one for the tunnel group (EZVPN) with a > password of 'cisco' as required and a tunnel-password of "CISCO". The > second account is for XAUTH and the logs show both these are authenticating > successfully when I try and connect via the VPN Client. I have the > following settings defined for the Cisco AV pair for the user EZVPN and a > pool of the name 'pool1' exists on my router > > ipsec:key-exchange=ike > ipsec:addr-pool=pool1 > ipsec:inacl=199 > ipsec:tunnel-type=ESP > ipsec:default-domain=AAA.COM > > However this doesn't work. Obviously the issue is related to IP addressing > and after a bit of playing I found that defining the address pool under the > second user account as below resolved the issue > > ipsec:addr-pool=pool1 > > I am sure though that I didn't have to do this before and the router was > able to take all the IPSec settings from the account defined for the Easy > VPN group. It also seem counter-intuitive to have to define these kinds of > settings on a per user basis in ACS. Can anyone suggest why I am having to > apply the address pool setting to the user account to get this to work? > Below is my configuration for the client group on the router > > R3(config)#aaa authentication login rlogin group radius > R3(config)#aaa authorization network rnetwork group radius > R3(config)#crypto isakmp profile isapro1 > R3(conf-isa-prof)#match identity group EZVPN > R3(conf-isa-prof)#client authentication list rlogin > R3(conf-isa-prof)#isakmp authorization list rnetwork > R3(conf-isa-prof)#client configuration address respond > R3(conf-isa-prof)#virtual-template 1 > > Thanks > Ben**** > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
