Just do all the scenarios once and pick your best. It is a complex one and remembering it will be difficult. I wrote them down and used to glance at them before every attempt.

With regards
Kings

On Mon, Jul 23, 2012 at 12:51 PM, Eugene Pefti <[email protected]> wrote:
> OMG ...
> Christ, Kings, if this is a workaround what method is the one to stick to
> during the lab. I was already lost while I was reading it ;)
> I tried to reproduce it and got absolutely the same results today as Ben
> had even though I clearly remember it worked for me somehow earlier and I
> didn't have to jump through many hoops with different AV (understand the IP
> pool) assigned to the XAUTH user.
>
> Eugene
>
> From: Kingsley Charles <[email protected]>
> Date: Sunday, July 22, 2012 11:54 PM
> To: Eugene Pefti <[email protected]>
> Cc: Ben Shaw <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Easy VPN Server with RADIUS
>
> The User AVs override the Group's. The following are some workarounds:
>
> EzVPN Radius Authentication
> ===========================
>
> Pre-shared keys
> ---------------
>
> Method 1
> --------
>
> Put the Group and User in any group.
>
> Group should always have the pre-shared key.
> The other AVs can be placed anywhere as desired.
>
> Group is authenticated first and then user.
>
> Method 2
> --------
>
> Create an EZVPN and put all the AVs in that group. If group authentication
> is performed again, user AVs are lost.
>
> First group is authenticated, then user and then group.
>
> Certificates with Xauth
> =======================
>
> Put all AVs in group and nothing in the User. This makes group and user
> authenticate. If group authentication is performed again, user AVs are lost.
> User is authenticated first and then group.
>
> Either put all AVs in ACS group and make group/user the member or put all
> AVs in the User. The group is never authenticated.
> Only user is authenticated.
>
> Certificates with PKI
> =====================
>
> Put all AVs in group and specifics in user. User is authenticated second
> and hence its AV takes precedence.
> First group is authenticated and then user.
> Group AVs are retained.
>
> With regards
> Kings
>
> On Sat, Jul 21, 2012 at 11:09 PM, Eugene Pefti <[email protected]> wrote:
>> Hi Ben,
>>
>> I'm wondering what happens if you, for the sake of the test, disable XAUTH?
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Ben Shaw
>> Sent: Saturday, July 21, 2012 7:15 AM
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] Easy VPN Server with RADIUS
>>
>> Hi All
>>
>> I am configuring an Easy VPN server to authenticate the client group
>> against an external ACS server based on shared password and then perform
>> XAUTH against the same ACS server.
>>
>> I believe I had this working before but now it fails and I get the
>> following error in the debugs
>>
>> *Mar 1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
>> *Mar 1 02:23:31.415: Address: 0.2.0.0
>> *Mar 1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
>> *Mar 1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
>>
>> I have two accounts in ACS, one for the tunnel group (EZVPN) with a
>> password of 'cisco' as required and a tunnel-password of "CISCO". The
>> second account is for XAUTH and the logs show both these are authenticating
>> successfully when I try and connect via the VPN Client. I have the
>> following settings defined for the Cisco AV pair for the user EZVPN and a
>> pool of the name 'pool1' exists on my router
>>
>> ipsec:key-exchange=ike
>> ipsec:addr-pool=pool1
>> ipsec:inacl=199
>> ipsec:tunnel-type=ESP
>> ipsec:default-domain=AAA.COM
>>
>> However this doesn't work. Obviously the issue is related to IP
>> addressing and after a bit of playing I found that defining the address
>> pool under the second user account as below resolved the issue
>>
>> ipsec:addr-pool=pool1
>>
>> I am sure though that I didn't have to do this before and the router was
>> able to take all the IPSec settings from the account defined for the Easy
>> VPN group. It also seems counter-intuitive to have to define these kinds of
>> settings on a per-user basis in ACS. Can anyone suggest why I am having to
>> apply the address pool setting to the user account to get this to work?
>> Below is my configuration for the client group on the router
>>
>> R3(config)#aaa authentication login rlogin group radius
>> R3(config)#aaa authorization network rnetwork group radius
>> R3(config)#crypto isakmp profile isapro1
>> R3(conf-isa-prof)#match identity group EZVPN
>> R3(conf-isa-prof)#client authentication list rlogin
>> R3(conf-isa-prof)#isakmp authorization list rnetwork
>> R3(conf-isa-prof)#client configuration address respond
>> R3(conf-isa-prof)#virtual-template 1
>>
>> Thanks
>> Ben
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
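Added example (not code from the thread, from Cisco or from ACS): it encodes and decodes the Cisco-AVPair VSAs an ACS Access-Accept carries (RFC 2865 Vendor-Specific attribute 26, vendor 9, sub-type 1) and then applies the precedence Kings describes as a simplified per-key model, where each later authorization in the sequence overrides keys an earlier one set. The constructed user reply with `pool2`, and the helper names, are assumptions; the group AVs are the ones Ben listed.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type 26
CISCO_VENDOR_ID = 9   # Cisco's IANA enterprise number
CISCO_AVPAIR = 1      # Cisco vendor sub-type 1, "Cisco-AVPair"

def encode_avpairs(pairs):
    """Wrap each 'key=value' string in its own Vendor-Specific attribute holding one Cisco-AVPair VSA."""
    out = b""
    for pair in pairs:
        value = pair.encode()
        vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
        out += struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa
    return out

def _tlv_walk(buf, what):
    """Yield (type, value) from a type/length/value list; lengths below 2 or past the end are rejected."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed %s at offset %d" % (what, pos))
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def decode_avpairs(data):
    """Return every Cisco-AVPair string found in a RADIUS attribute list, in order."""
    pairs = []
    for atype, body in _tlv_walk(data, "RADIUS attribute"):
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, value in _tlv_walk(body[4:], "Cisco VSA"):
            if vtype == CISCO_AVPAIR:
                pairs.append(value.decode())
    return pairs

def effective_attributes(auth_order, replies):
    """Simplified precedence model (assumption): authorizations happen in auth_order,
    e.g. ["group", "user"], and a later one overrides any key an earlier one also set."""
    merged = {}
    for who in auth_order:
        merged.update(p.split("=", 1) for p in decode_avpairs(replies[who]))
    return merged

# Constructed replies: Ben's EZVPN group AVs, plus a hypothetical XAUTH user setting another pool.
GROUP_REPLY = encode_avpairs(["ipsec:key-exchange=ike", "ipsec:addr-pool=pool1", "ipsec:inacl=199",
                              "ipsec:tunnel-type=ESP", "ipsec:default-domain=AAA.COM"])
USER_REPLY = encode_avpairs(["ipsec:addr-pool=pool2"])
```

Running `effective_attributes(["group", "user", "group"], ...)` shows the "group authenticated again" case Kings warns about: the user's pool is replaced by the group's.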
