Mike, I agree with you. I understand there is an order of preference, but considering it was set at the Easy VPN client group level via a user account defined for that group on ACS, I would have thought that this was enough and didn't need the setting explicitly applied to the user account in ACS which is used for XAUTH. I am not using ACS groups to define these settings, though this could be done; I am just using two separate user accounts, the first represents the Easy VPN client group and the second the XAUTH user account. Maybe that is the issue, maybe I should be using groups in ACS, but that doesn't seem to make sense to me.
GG, as for the user specific values with PKI, I am not sure it relates here as I am using PSK. That being said, you talk about using groups, which I presume to mean groups in ACS, and maybe I should be taking that approach. By that I mean creating an ACS group and applying the required settings at group level as opposed to user level.

On Tue, Jul 24, 2012 at 11:02 PM, GuardGrid <[email protected]> wrote:

> On Certificates with PKI I noted that the user specific values, like specific IP to assign, are lost unless the user is part of that group. Does that sound right?
>
> On Mon, Jul 23, 2012 at 2:54 AM, Kingsley Charles <[email protected]> wrote:
>
>> The User AVs override the Group's. The following are some workarounds:
>>
>> EzVPN Radius Authentication
>> ===========================
>>
>> Pre-shared keys
>> ---------------
>>
>> Method 1
>> --------
>>
>> Put the Group and User in any group.
>>
>> Group should always have the pre-shared key.
>> The other AVs can be placed anywhere as desired.
>>
>> Group is authenticated first and then user.
>>
>> Method 2
>> ========
>>
>> Create an EZVPN group and put all the AVs in that group. If group authentication is performed again, user AVs are lost.
>>
>> First group is authenticated, then user and then group.
>>
>> Certificates with Xauth
>> =======================
>>
>> Put all AVs in group and nothing in the User. This makes group and user authenticate. If group authentication is performed again, user AVs are lost.
>> User is authenticated first and then group.
>>
>> Either put all AVs in the ACS group and make group/user the member, or put all AVs in the User. The group is never authenticated.
>> Only user is authenticated.
>>
>> Certificates with PKI
>> =====================
>>
>> Put all AVs in group and specifics in user. User is authenticated second and hence its AVs take precedence.
>>
>> First group is authenticated and then user.
>> Group AVs are retained.
>>
>> With regards
>> Kings
>>
>> On Sat, Jul 21, 2012 at 11:09 PM, Eugene Pefti <[email protected]> wrote:
>>
>>> Hi Ben,
>>>
>>> I'm wondering what happens if, for the sake of the test, you disable XAUTH?
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Ben Shaw
>>> Sent: Saturday, July 21, 2012 7:15 AM
>>> To: [email protected]
>>> Subject: [OSL | CCIE_Security] Easy VPN Server with RADIUS
>>>
>>> Hi All
>>>
>>> I am configuring an Easy VPN server to authenticate the client group against an external ACS server based on a shared password and then perform XAUTH against the same ACS server.
>>>
>>> I believe I had this working before, but now it fails and I get the following error in the debugs:
>>>
>>> *Mar 1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
>>> *Mar 1 02:23:31.415: Address: 0.2.0.0
>>> *Mar 1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
>>> *Mar 1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
>>>
>>> I have two accounts in ACS, one for the tunnel group (EZVPN) with a password of 'cisco' as required and a tunnel-password of "CISCO". The second account is for XAUTH, and the logs show both of these are authenticating successfully when I try and connect via the VPN Client. I have the following settings defined for the Cisco AV pair for the user EZVPN, and a pool of the name 'pool1' exists on my router:
>>>
>>> ipsec:key-exchange=ike
>>> ipsec:addr-pool=pool1
>>> ipsec:inacl=199
>>> ipsec:tunnel-type=ESP
>>> ipsec:default-domain=AAA.COM
>>>
>>> However this doesn't work. Obviously the issue is related to IP addressing, and after a bit of playing I found that defining the address pool under the second user account as below resolved the issue:
>>>
>>> ipsec:addr-pool=pool1
>>>
>>> I am sure though that I didn't have to do this before and the router was able to take all the IPSec settings from the account defined for the Easy VPN group. It also seems counter-intuitive to have to define these kinds of settings on a per user basis in ACS. Can anyone suggest why I am having to apply the address pool setting to the user account to get this to work? Below is my configuration for the client group on the router:
>>>
>>> R3(config)#aaa authentication login rlogin group radius
>>> R3(config)#aaa authorization network rnetwork group radius
>>> R3(config)#crypto isakmp profile isapro1
>>> R3(conf-isa-prof)#match identity group EZVPN
>>> R3(conf-isa-prof)#client authentication list rlogin
>>> R3(conf-isa-prof)#isakmp authorization list rnetwork
>>> R3(conf-isa-prof)#client configuration address respond
>>> R3(conf-isa-prof)#virtual-template 1
>>>
>>> Thanks
>>> Ben
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
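One way to work through the precedence rules Kingsley lays out in the thread above, as an added example that is neither the thread's nor Cisco's code: the merge behaviour it assumes (later step overrides attribute by attribute; a group step after the user step discards the user's AVs) is taken from his reply and stated in the comments, and the sample AV sets are constructed.

```python
# Added example, not from the thread or from Cisco: a small model of the
# RADIUS AV-pair precedence rules described in the thread, so the effect of
# each authentication order on the ipsec:* attributes can be worked through.
# Assumed rules (from Kingsley's reply): a later authentication step overrides
# an earlier one attribute by attribute, except that a group step performed
# after the user step discards the user's AVs entirely ("user AVs are lost").
# Real IOS behaviour in cases the thread does not cover may differ.

def parse_avpairs(avpairs):
    """Parse 'ipsec:name=value' strings (the form used in the thread) into a dict."""
    parsed = {}
    for pair in avpairs:
        prefix, sep, rest = pair.partition(":")
        if sep != ":" or prefix != "ipsec" or "=" not in rest:
            raise ValueError(f"not an ipsec AV pair: {pair!r}")
        name, value = rest.split("=", 1)
        parsed[name.strip()] = value.strip()
    return parsed

def effective_avs(auth_order, group_avs, user_avs):
    """Merge the group and user replies in the given authentication order.

    auth_order lists the steps, e.g. ["group", "user", "group"] for Method 2.
    Returns the ipsec:* attributes the router would end up holding.
    """
    replies = {"group": parse_avpairs(group_avs), "user": parse_avpairs(user_avs)}
    merged = {}
    user_seen = False
    for step in auth_order:
        if step == "user":
            user_seen = True
            merged.update(replies["user"])   # user AVs override group AVs
        elif step == "group":
            if user_seen:
                merged = {}                  # second group auth drops user AVs
            merged.update(replies["group"])
        else:
            raise ValueError(f"unknown authentication step {step!r}")
    return merged

def address_source(merged):
    """Name the pool the client address would come from, or None when no
    addr-pool survived (the 'Could not get address from pool!' situation)."""
    pool = merged.get("addr-pool")
    return f"pool:{pool}" if pool else None

# Constructed sample replies: the EZVPN group account carries the thread's AV
# set; the XAUTH user account carries only a (different) address pool.
GROUP_AVS = ["ipsec:key-exchange=ike", "ipsec:addr-pool=pool1", "ipsec:inacl=199",
             "ipsec:tunnel-type=ESP", "ipsec:default-domain=AAA.COM"]
USER_AVS = ["ipsec:addr-pool=pool2"]
```

Running Method 1 and Method 2 orders over the same two replies shows which account's addr-pool the router keeps in each case, and the third order (user only has the pool, group re-authenticated last) is the one where no pool survives.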
