Yes, I used the group option because the IOS EZVPN server e.g. did so, but when I specified the framed IP at the user level as required by the task it did not work till I moved the user to that ACS group, which had the specific isakmp group parameters.

Almost like it got the values from the user but then decided to override it with the pool setting on the group. I tried without setting a pool on the group and the connection won't complete because no pool specified. So it was ignoring the user setting until the user was moved to that ACS group.

On Wed, Jul 25, 2012 at 6:01 AM, Ben Shaw <[email protected]> wrote:

> Mike, I agree with you. I understand there is an order of preference but considering it was set at the Easy VPN client group level via a user account defined for that group on ACS I would have thought that this was enough and didn't need the setting explicitly applied to the user account in ACS which is used for XAUTH. I am not using ACS groups to define these settings, though this could be done, I am just using two separate user accounts, the first represents the Easy VPN client group and the second the XAUTH user account. Maybe that is the issue, maybe I should be using groups in ACS but that doesn't seem to make sense to me.
>
> GG, as for the user specific values with PKI I am not sure it relates here as I am using PSK. That being said, you talk about using groups, which I presume to mean groups in ACS, and maybe I should be taking that approach. By that I mean, creating an ACS group applying the required settings at group level as opposed to user level.
>
> On Tue, Jul 24, 2012 at 11:02 PM, GuardGrid <[email protected]> wrote:
>
>> On Certificates with PKI I noted that the user specific values, like specific IP to assign, are lost unless the user is part of that group. Does that sound right?
>>
>> On Mon, Jul 23, 2012 at 2:54 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> The User AVs override the Groups.
>>> The following are some workarounds:
>>>
>>> EzVPN Radius Authentication
>>> ===========================
>>>
>>> Pre-shared keys
>>> ---------------
>>>
>>> Method 1
>>> --------
>>>
>>> Put the Group and User in any group
>>>
>>> Group should always have the pre-shared key
>>> The other AVs can be placed anywhere as desired
>>>
>>> Group is authenticated first and then user
>>>
>>> Method 2
>>> ========
>>>
>>> Create an EZVPN and put all the AVs in that group. If group authentication is performed again, user AVs are lost
>>>
>>> First group is authenticated, then user and then group
>>>
>>> Certificates with Xauth
>>> =======================
>>>
>>> Put all AVs in group and nothing in the User. This makes group and user authenticate. If group authentication is performed again, user AVs are lost.
>>> User is authenticated first and then group.
>>>
>>> Either put all AVs in ACS group and make group/user the member or put all AVs in the User. The group is never authenticated.
>>> Only user is authenticated
>>>
>>> Certificates with PKI
>>> =====================
>>>
>>> Put all AVs in group and specifics in user. User is authenticated second and hence its AV takes precedence.
>>>
>>> First group is authenticated and then user.
>>>
>>> Group AVs are retained
>>>
>>> With regards
>>> Kings
>>>
>>> On Sat, Jul 21, 2012 at 11:09 PM, Eugene Pefti <[email protected]> wrote:
>>>
>>>> Hi Ben,
>>>>
>>>> I'm wondering what happens if you, for the sake of the test, disable XAUTH?
>>>>
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Ben Shaw
>>>> Sent: Saturday, July 21, 2012 7:15 AM
>>>> To: [email protected]
>>>> Subject: [OSL | CCIE_Security] Easy VPN Server with RADIUS
>>>>
>>>> Hi All
>>>>
>>>> I am configuring an Easy VPN server to authenticate the client group against an external ACS server based on shared password and then perform XAUTH against the same ACS server.
>>>>
>>>> I believe I had this working before but now it fails and I get the following error in the debugs
>>>>
>>>> *Mar 1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
>>>> *Mar 1 02:23:31.415: Address: 0.2.0.0
>>>> *Mar 1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
>>>> *Mar 1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
>>>>
>>>> I have two accounts in ACS, one for the tunnel group (EZVPN) with a password of 'cisco' as required and a tunnel-password of "CISCO". The second account is for XAUTH and the logs show both these are authenticating successfully when I try and connect via the VPN Client. I have the following settings defined for the Cisco AV pair for the user EZVPN and a pool of the name 'pool1' exists on my router
>>>>
>>>> ipsec:key-exchange=ike
>>>> ipsec:addr-pool=pool1
>>>> ipsec:inacl=199
>>>> ipsec:tunnel-type=ESP
>>>> ipsec:default-domain=AAA.COM
>>>>
>>>> However this doesn't work. Obviously the issue is related to IP addressing and after a bit of playing I found that defining the address pool under the second user account as below resolved the issue
>>>>
>>>> ipsec:addr-pool=pool1
>>>>
>>>> I am sure though that I didn't have to do this before and the router was able to take all the IPSec settings from the account defined for the Easy VPN group. It also seems counter-intuitive to have to define these kinds of settings on a per user basis in ACS. Can anyone suggest why I am having to apply the address pool setting to the user account to get this to work? Below is my configuration for the client group on the router
>>>>
>>>> R3(config)#aaa authentication login rlogin group radius
>>>> R3(config)#aaa authorization network rnetwork group radius
>>>> R3(config)#crypto isakmp profile isapro1
>>>> R3(conf-isa-prof)#match identity group EZVPN
>>>> R3(conf-isa-prof)#client authentication list rlogin
>>>> R3(conf-isa-prof)#isakmp authorization list rnetwork
>>>> R3(conf-isa-prof)#client configuration address respond
>>>> R3(conf-isa-prof)#virtual-template 1
>>>>
>>>> Thanks
>>>> Ben
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
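As an added illustration (not code from the thread or from Cisco), a small Python checker that parses the ISAKMP debug lines and the `ipsec:` AV pairs Ben quoted and reports why the pool lookup failed in terms of where `addr-pool` is defined. The sample inputs are constructed from his message; the empty user AV list is an assumption matching his description of the XAUTH account before he added the pool to it.

```python
import re

# Constructed sample: the four ISAKMP debug lines quoted in the thread.
DEBUG = """\
*Mar 1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
*Mar 1 02:23:31.415: Address: 0.2.0.0
*Mar 1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
*Mar 1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
"""

# Cisco AV pairs as listed for the EZVPN group account; the XAUTH user account is
# assumed empty, matching the state before addr-pool was added to it (constructed).
GROUP_AVS = ["ipsec:key-exchange=ike", "ipsec:addr-pool=pool1", "ipsec:inacl=199",
             "ipsec:tunnel-type=ESP", "ipsec:default-domain=AAA.COM"]
USER_AVS = []

def parse_av_pairs(avs):
    """Map 'ipsec:attr=value' strings to {attr: value}; other AV pairs are ignored."""
    out = {}
    for av in avs:
        if m := re.fullmatch(r"ipsec:([\w-]+)=(.+)", av.strip()):
            out[m.group(1)] = m.group(2)
    return out

def parse_isakmp_debug(text):
    """Pull the SA id, Framed-IP-Address and any pool failure out of ISAKMP debug output."""
    info = {"sa": None, "framed_ip": None, "pool_failed": False}
    for line in text.splitlines():
        if m := re.search(r"ISAKMP:\((\d+)\)", line):
            info["sa"] = m.group(1)
        if m := re.search(r"Using Framed-IP-Address (\d+(?:\.\d+){3})", line):
            info["framed_ip"] = m.group(1)
        if "Could not get address from pool" in line:
            info["pool_failed"] = True
    return info

def diagnose(debug_text, group_avs, user_avs):
    """Explain a 'Could not get address from pool' failure using the AV pair placement."""
    dbg = parse_isakmp_debug(debug_text)
    if not dbg["pool_failed"]:
        return "ok"
    # Framed-IP-Address 255.255.255.255 is the RFC 2865 "user may select an address" value,
    # i.e. AAA returned no static address, so the router fell back to a pool and failed.
    user, group = parse_av_pairs(user_avs), parse_av_pairs(group_avs)
    if "addr-pool" in user:
        return f"sa {dbg['sa']}: user supplies addr-pool={user['addr-pool']}; check that this pool exists on the router"
    if "addr-pool" in group:
        return (f"sa {dbg['sa']}: addr-pool={group['addr-pool']} is set only on the group; "
                "user AVs took effect without it, so set addr-pool on the user or put the user in the ACS group")
    return f"sa {dbg['sa']}: no addr-pool on group or user"
```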
