Re: [OSL | CCIE_Security] Easy VPN Server with RADIUS

[Eugene Pefti]

OMG …
Christ, Kings, if this is a workaround what method is the one to stick to 
during the lab. I was already lost while I was reading it ;)
I tried to reproduce it and got absolutely the same results today as Ben had 
even though I clearly remember it worked for me somehow earlier and I didn't to 
jump through many hoops with different AV (understand the IP pool) assigned to 
the XAUTH user.

Eugene

From: Kingsley Charles 
<kingsley.char...@gmail.com<mailto:kingsley.char...@gmail.com>>
Date: Sunday, July 22, 2012 11:54 PM
To: Eugene Pefti <eug...@koiossystems.com<mailto:eug...@koiossystems.com>>
Cc: Ben Shaw <veeduby...@gmail.com<mailto:veeduby...@gmail.com>>, 
"ccie_security@onlinestudylist.com<mailto:ccie_security@onlinestudylist.com>" 
<ccie_security@onlinestudylist.com<mailto:ccie_security@onlinestudylist.com>>
Subject: Re: [OSL | CCIE_Security] Easy VPN Server with RADIUS

The User AVs overrides the Groups. The following are some workarounds:


EzVPN Radius Authentication
===========================

Pre-shares keys
---------------

Method 1
--------

Put the Group and User in any group

Group should always have the pre-shared key
The other AVs can be placed anywhere as desired

Group is authenticated first and then user


Method 2
========

Create an EZVPN and put all the AVs in that group. If group authentication is 
performed again, user AVs are lost

First group is authenticated, then user and then group



Certificates with Xauth
=======================

Put all AVs in group and nothing in the User. This makes group and user to 
authenticate, If group authentication is performed again, user AVs are lost.
User is authenticated first and then group.



Either put all AVs in ACS group and make group/user the member or put all AVs 
in the User. The group is never authenticated.
Only user is authenticated


Certificates with PKI
=====================


Put all AVs in group and specifics in user. User is authenticated second and 
hence it's av takes precedence.

First group is authenticated and then user.

Group AVs are retained





With regards
Kings

On Sat, Jul 21, 2012 at 11:09 PM, Eugene Pefti 
<eug...@koiossystems.com<mailto:eug...@koiossystems.com>> wrote:
Hi Ben,
I’m wondering what happens if you for the sake of the test disable XAUTH ?


From:ccie_security-boun...@onlinestudylist.com<mailto:ccie_security-boun...@onlinestudylist.com>
 
[mailto:ccie_security-boun...@onlinestudylist.com<mailto:ccie_security-boun...@onlinestudylist.com>]
 On Behalf Of Ben Shaw
Sent: Saturday, July 21, 2012 7:15 AM
To: ccie_security@onlinestudylist.com<mailto:ccie_security@onlinestudylist.com>
Subject: [OSL | CCIE_Security] Easy VPN Server with RADIUS

Hi All

I am configuring an Easy VPN server to authentication the client group against 
an external ACS server based on shared password and then perform XAUTH against 
the same ACS server.

I believe I had this working before but now it fails and I get the following 
error in the debugs

*Mar  1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
*Mar  1 02:23:31.415:         Address: 0.2.0.0
*Mar  1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
*Mar  1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!

I have two accounts in ACS, one for the tunnel group (EZVPN) with a password of 
'cisco' as required and a tunnel-password of "CISCO". The second account is for 
XAUTH and the logs show both these are authenticating successfully when I try 
and connect via the VPN Client. I have the following settings defined for the 
Cisco AV pair for the user EZVPN and a pool of the name 'pool1' exists on my 
router

ipsec:key-exchange=ike
ipsec:addr-pool=pool1
ipsec:inacl=199
ipsec:tunnel-type=ESP
ipsec:default-domain=AAA.COM<http://AAA.COM>

However this doesn't work. Obviously the issue is related to IP addressing and 
after a bit of playing I found that defining the address pool under the second 
user account as below resolved the issue

ipsec:addr-pool=pool1

I am sure though that I didn't have to do this before and the router was able 
to take all the IPSec settings from the account defined for the Easy VPN group. 
It also seem counter-intuitive to have to define these kinds of settings on a 
per user basis in ACS. Can anyone suggest why I am having to apply the address 
pool setting to the user account to get this to work? Below is my configuration 
for the client group on the router

R3(config)#aaa authentication login rlogin group radius
R3(config)#aaa authorization network rnetwork group radius
R3(config)#crypto isakmp profile isapro1
R3(conf-isa-prof)#match identity group EZVPN
R3(conf-isa-prof)#client authentication list rlogin
R3(conf-isa-prof)#isakmp authorization list rnetwork
R3(conf-isa-prof)#client configuration address respond
R3(conf-isa-prof)#virtual-template 1

Thanks
Ben

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com<http://www.ipexpert.com>

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com<http://www.PlatinumPlacement.com>


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com