Hi All, 

Maybe I read it too quickly. But if the pool is defined under the group, 
shouldn't that one just take it and assign the IP address to it? I don't know why 
there was the need to assign it on the user itself...

Mike.

Date: Mon, 23 Jul 2012 13:21:38 +0530
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Easy VPN Server with RADIUS

Just do all the scenarios once and pick your best. It is a complex one and 
remembering it will be difficult. I wrote them down and used to glance at them 
before every attempt.


With regards
Kings


On Mon, Jul 23, 2012 at 12:51 PM, Eugene Pefti <[email protected]> wrote:

OMG …
Christ, Kings, if this is a workaround what method is the one to stick to 
during the lab? I was already lost while I was reading it ;)
I tried to reproduce it and got absolutely the same results today as Ben had, 
even though I clearly remember it worked for me somehow earlier and I didn't have 
to jump through many hoops with different AVs (understand: the IP pool) assigned 
to the XAUTH user.

Eugene

From: Kingsley Charles <[email protected]>
Date: Sunday, July 22, 2012 11:54 PM
To: Eugene Pefti <[email protected]>
Cc: Ben Shaw <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] Easy VPN Server with RADIUS

The User AVs override the Group's. The following are some workarounds:

EzVPN Radius Authentication
===========================

Pre-shared keys
---------------

Method 1
--------

Put the Group and User in any group.

Group should always have the pre-shared key.
The other AVs can be placed anywhere as desired.

Group is authenticated first and then user.

Method 2
--------

Create an EZVPN group and put all the AVs in that group. If group authentication 
is performed again, user AVs are lost.

First group is authenticated, then user and then group.

Certificates with Xauth
=======================

Put all AVs in group and nothing in the User. This makes group and user 
authenticate. If group authentication is performed again, user AVs are lost.

User is authenticated first and then group.

Either put all AVs in ACS group and make group/user the member, or put all AVs 
in the User. The group is never authenticated.

Only user is authenticated.

Certificates with PKI
=====================

Put all AVs in group and specifics in user. User is authenticated second and 
hence its AVs take precedence.

First group is authenticated and then user.

Group AVs are retained.

With regards
Kings



On Sat, Jul 21, 2012 at 11:09 PM, Eugene Pefti <[email protected]> wrote:

Hi Ben,
I'm wondering what happens if, for the sake of the test, you disable XAUTH?

From: [email protected] [mailto:[email protected]] On Behalf Of Ben Shaw
Sent: Saturday, July 21, 2012 7:15 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Easy VPN Server with RADIUS

Hi All

I am configuring an Easy VPN server to authenticate the client group against 
an external ACS server based on a shared password and then perform XAUTH against 
the same ACS server.

I believe I had this working before but now it fails and I get the following 
error in the debugs

*Mar  1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
*Mar  1 02:23:31.415:         Address: 0.2.0.0
*Mar  1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
*Mar  1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!

I have two accounts in ACS, one for the tunnel group (EZVPN) with a password of 
'cisco' as required and a tunnel-password of "CISCO". The second account is for 
XAUTH and the logs show both of these are authenticating successfully when I try 
and connect via the VPN Client. I have the following settings defined for the 
Cisco AV pair for the user EZVPN, and a pool of the name 'pool1' exists on my 
router

ipsec:key-exchange=ike
ipsec:addr-pool=pool1
ipsec:inacl=199
ipsec:tunnel-type=ESP
ipsec:default-domain=AAA.COM

However this doesn't work. Obviously the issue is related to IP addressing and 
after a bit of playing I found that defining the address pool under the second 
user account as below resolved the issue

ipsec:addr-pool=pool1

I am sure though that I didn't have to do this before and the router was able 
to take all the IPSec settings from the account defined for the Easy VPN group. 
It also seems counter-intuitive to have to define these kinds of settings on a 
per-user basis in ACS. Can anyone suggest why I am having to apply the address 
pool setting to the user account to get this to work? Below is my configuration 
for the client group on the router

R3(config)#aaa authentication login rlogin group radius
R3(config)#aaa authorization network rnetwork group radius
R3(config)#crypto isakmp profile isapro1
R3(conf-isa-prof)#match identity group EZVPN
R3(conf-isa-prof)#client authentication list rlogin
R3(conf-isa-prof)#isakmp authorization list rnetwork
R3(conf-isa-prof)#client configuration address respond
R3(conf-isa-prof)#virtual-template 1

Thanks
Ben






_______________________________________________

For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com



Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
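The following is an added example, not code from the thread or from Cisco: a small offline checker for the RADIUS authorization results an Easy VPN server gets back. It parses the Cisco "ipsec:attr=value" AV pairs Ben lists, overlays the group and XAUTH-user results in the order the server applies them (a later stage wins for any attribute both return, which is the precedence Kings describes), reports which stage supplied each effective attribute, checks the addr-pool against the pools defined on the router, and pulls the key facts out of the ISAKMP debug lines quoted in the thread. The sample data is constructed from Ben's post; the stage order and the two "user" AV pair sets are assumptions for illustration, and the overlay does not try to model the thread's statement that a repeated group authorization drops the user AVs entirely.

```python
"""Added example: offline checker for Easy VPN RADIUS authorization results.
Not from the thread or from Cisco; sample data constructed from Ben's post."""
import re

# Constructed from Ben's post: AV pairs on the EZVPN group account in ACS.
GROUP_AV_PAIRS = [
    "ipsec:key-exchange=ike",
    "ipsec:addr-pool=pool1",
    "ipsec:inacl=199",
    "ipsec:tunnel-type=ESP",
    "ipsec:default-domain=AAA.COM",
]
# Assumed: the XAUTH user account with no AV pairs, and with the pool Ben added.
USER_AV_PAIRS_BEFORE = []
USER_AV_PAIRS_AFTER = ["ipsec:addr-pool=pool1"]
# Constructed: pools defined on the router ('pool1' exists, per Ben).
ROUTER_POOLS = {"pool1"}

# Constructed sample: the four debug lines Ben quoted.
DEBUG_SAMPLE = """\
*Mar  1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
*Mar  1 02:23:31.415:         Address: 0.2.0.0
*Mar  1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
*Mar  1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
"""

AV_RE = re.compile(r"^(?P<proto>[a-z]+):(?P<attr>[\w-]+)=(?P<val>.*)$")


def parse_av_pairs(pairs):
    """Parse 'ipsec:attr=value' strings into {attr: value}; reject anything else."""
    out = {}
    for p in pairs:
        m = AV_RE.match(p.strip())
        if not m or m.group("proto") != "ipsec":
            raise ValueError(f"not an ipsec AV pair: {p!r}")
        out[m.group("attr")] = m.group("val")
    return out


def effective_attributes(stages):
    """Overlay authorization stages, e.g. [("group", {...}), ("user", {...})],
    in the order given. A later stage overrides an earlier one for any attribute
    both return. Returns (merged attributes, {attr: stage that supplied it})."""
    merged, source = {}, {}
    for name, avs in stages:
        for attr, value in avs.items():
            merged[attr] = value
            source[attr] = name
    return merged, source


def check_address_assignment(attrs, router_pools):
    """List the address-assignment problems in an effective authorization."""
    problems = []
    pool = attrs.get("addr-pool")
    if pool is None:
        problems.append("no addr-pool attribute in effective authorization")
    elif pool not in router_pools:
        problems.append(f"addr-pool {pool!r} is not defined on the router")
    return problems


def scan_isakmp_debug(text):
    """Extract the ISAKMP SA id, the Framed-IP-Address the router decided to
    use, and whether pool allocation failed, from 'debug crypto isakmp' lines."""
    result = {"sa": None, "framed_ip": None, "pool_failed": False}
    for line in text.splitlines():
        m = re.search(r"ISAKMP:\((\d+)\)", line)
        if m:
            result["sa"] = int(m.group(1))
        m = re.search(r"Using Framed-IP-Address (\S+)", line)
        if m:
            result["framed_ip"] = m.group(1)
        if "Could not get address from pool" in line:
            result["pool_failed"] = True
    return result


def lint_scenario(group_pairs, user_pairs, router_pools, order=("group", "user")):
    """Run the checks for one group/user pairing. 'order' is the assumed
    sequence in which the server applies the two authorization results."""
    stage_avs = {"group": parse_av_pairs(group_pairs),
                 "user": parse_av_pairs(user_pairs)}
    merged, source = effective_attributes([(s, stage_avs[s]) for s in order])
    return {
        "effective": merged,
        "addr_pool_from": source.get("addr-pool"),
        "problems": check_address_assignment(merged, router_pools),
    }


if __name__ == "__main__":
    for label, user in (("pool on group only", USER_AV_PAIRS_BEFORE),
                        ("pool on user too", USER_AV_PAIRS_AFTER)):
        print(label, lint_scenario(GROUP_AV_PAIRS, user, ROUTER_POOLS))
    print(scan_isakmp_debug(DEBUG_SAMPLE))
```

Under this plain overlay the "pool on group only" scenario reports no problem, because an empty user result cannot remove the group's addr-pool; that is exactly the expectation Mike voices at the top of the thread, and it is what Ben's router did not do. The debug scanner shows what the router used instead: Framed-IP-Address 255.255.255.255, a value RFC 2865 defines as "the NAS should allow the user to select an address", so the first thing to inspect in ACS is which account's reply carries that attribute.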