OK, thanks very much for the input, I'll take a look further at your approach.
Thanks
Ben

On Fri, Jul 27, 2012 at 1:09 AM, GuardGrid <[email protected]> wrote:
> Yes, I used the group option because the IOS EZVPN server e.g. did so, but
> when I specified the framed IP at the user level as required by the task it
> did not work till I moved the user to that ACS group, which had the
> specific isakmp group parameters.
>
> Almost like it got the values from the user but then decided to override it
> with the pool setting on the group.
> I tried without setting a pool on the group and the connection won't
> complete because no pool is specified. So it was ignoring the user setting
> until the user was moved to that ACS group.
>
>
> On Wed, Jul 25, 2012 at 6:01 AM, Ben Shaw <[email protected]> wrote:
>
>> Mike, I agree with you. I understand there is an order of preference but
>> considering it was set at the Easy VPN client group level via a user
>> account defined for that group on ACS I would have thought that this was
>> enough and didn't need the setting explicitly applied to the user account
>> in ACS which is used for XAUTH. I am not using ACS groups to define these
>> settings, though this could be done, I am just using two separate user
>> accounts, the first represents the Easy VPN client group and the second the
>> XAUTH user account. Maybe that is the issue, maybe I should be using groups
>> in ACS but that doesn't seem to make sense to me.
>>
>> GG, as for the user specific values with PKI I am not sure it relates
>> here as I am using PSK. That being said, you talk about using groups, which
>> I presume to mean groups in ACS, and maybe I should be taking that
>> approach. By that I mean, creating an ACS group applying the required
>> settings at group level as opposed to user level.
>>
>>
>> On Tue, Jul 24, 2012 at 11:02 PM, GuardGrid <[email protected]> wrote:
>>
>>> On Certificates with PKI I noted that the user specific values, like
>>> specific IP to assign, are lost unless the user is part of that group.
>>> Does that sound right?
>>>
>>>
>>> On Mon, Jul 23, 2012 at 2:54 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> The User AVs override the Groups. The following are some workarounds:
>>>>
>>>>
>>>> EzVPN Radius Authentication
>>>> ===========================
>>>>
>>>> Pre-shared keys
>>>> ---------------
>>>>
>>>> Method 1
>>>> --------
>>>>
>>>> Put the Group and User in any group
>>>>
>>>> Group should always have the pre-shared key
>>>> The other AVs can be placed anywhere as desired
>>>>
>>>> Group is authenticated first and then user
>>>>
>>>>
>>>> Method 2
>>>> ========
>>>>
>>>> Create an EZVPN and put all the AVs in that group. If group
>>>> authentication is performed again, user AVs are lost
>>>>
>>>> First group is authenticated, then user and then group
>>>>
>>>>
>>>>
>>>> Certificates with Xauth
>>>> =======================
>>>>
>>>> Put all AVs in group and nothing in the User. This makes group and user
>>>> authenticate. If group authentication is performed again, user AVs are
>>>> lost.
>>>> User is authenticated first and then group.
>>>>
>>>>
>>>>
>>>> Either put all AVs in ACS group and make group/user the member or put
>>>> all AVs in the User. The group is never authenticated.
>>>> Only user is authenticated
>>>>
>>>>
>>>> Certificates with PKI
>>>> =====================
>>>>
>>>>
>>>> Put all AVs in group and specifics in user. User is authenticated
>>>> second and hence its AV takes precedence.
>>>>
>>>> First group is authenticated and then user.
>>>>
>>>> Group AVs are retained
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Sat, Jul 21, 2012 at 11:09 PM, Eugene Pefti <[email protected]> wrote:
>>>>
>>>>> Hi Ben,
>>>>>
>>>>> I'm wondering what happens if you, for the sake of the test, disable
>>>>> XAUTH?
>>>>>
>>>>>
>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Ben Shaw
>>>>> Sent: Saturday, July 21, 2012 7:15 AM
>>>>> To: [email protected]
>>>>> Subject: [OSL | CCIE_Security] Easy VPN Server with RADIUS
>>>>>
>>>>> Hi All
>>>>>
>>>>> I am configuring an Easy VPN server to authenticate the client group
>>>>> against an external ACS server based on shared password and then perform
>>>>> XAUTH against the same ACS server.
>>>>>
>>>>> I believe I had this working before but now it fails and I get the
>>>>> following error in the debugs
>>>>>
>>>>> *Mar 1 02:23:31.415: ISAKMP:(1025):attributes sent in message:
>>>>> *Mar 1 02:23:31.415: Address: 0.2.0.0
>>>>> *Mar 1 02:23:31.415: ISAKMP: Using Framed-IP-Address 255.255.255.255
>>>>> *Mar 1 02:23:31.415: ISAKMP:(1025):Could not get address from pool!
>>>>>
>>>>> I have two accounts in ACS, one for the tunnel group (EZVPN) with a
>>>>> password of 'cisco' as required and a tunnel-password of "CISCO". The
>>>>> second account is for XAUTH and the logs show both these are
>>>>> authenticating successfully when I try and connect via the VPN Client.
>>>>> I have the following settings defined for the Cisco AV pair for the
>>>>> user EZVPN and a pool of the name 'pool1' exists on my router
>>>>>
>>>>> ipsec:key-exchange=ike
>>>>> ipsec:addr-pool=pool1
>>>>> ipsec:inacl=199
>>>>> ipsec:tunnel-type=ESP
>>>>> ipsec:default-domain=AAA.COM
>>>>>
>>>>> However this doesn't work. Obviously the issue is related to IP
>>>>> addressing and after a bit of playing I found that defining the address
>>>>> pool under the second user account as below resolved the issue
>>>>>
>>>>> ipsec:addr-pool=pool1
>>>>>
>>>>> I am sure though that I didn't have to do this before and the router
>>>>> was able to take all the IPSec settings from the account defined for the
>>>>> Easy VPN group. It also seems counter-intuitive to have to define these
>>>>> kinds of settings on a per user basis in ACS. Can anyone suggest why I am
>>>>> having to apply the address pool setting to the user account to get this
>>>>> to work? Below is my configuration for the client group on the router
>>>>>
>>>>> R3(config)#aaa authentication login rlogin group radius
>>>>> R3(config)#aaa authorization network rnetwork group radius
>>>>> R3(config)#crypto isakmp profile isapro1
>>>>> R3(conf-isa-prof)#match identity group EZVPN
>>>>> R3(conf-isa-prof)#client authentication list rlogin
>>>>> R3(conf-isa-prof)#isakmp authorization list rnetwork
>>>>> R3(conf-isa-prof)#client configuration address respond
>>>>> R3(conf-isa-prof)#virtual-template 1
>>>>>
>>>>> Thanks
>>>>> Ben
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com
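As an added illustration (not code from the thread, from ACS or from Cisco IOS), the group/user precedence rules Kingsley lists are replayed over the `ipsec:` AV pairs Ben posted; the merge rules are an assumption taken from the quoted summary, and the `inacl=198` user entry is a constructed value.

```python
# Added example: a model of how Easy VPN group and user RADIUS AV pairs
# combine, following the precedence rules Kingsley describes in the thread
# (user AVs override group AVs; a repeated group authentication drops the
# user AVs). The model is an illustrative assumption, not IOS code.

# Constructed sample AV pairs in cisco-avpair "ipsec:attr=value" form,
# mirroring what Ben put on the EZVPN group account in ACS.
GROUP_AVS = """
ipsec:key-exchange=ike
ipsec:addr-pool=pool1
ipsec:inacl=199
ipsec:tunnel-type=ESP
ipsec:default-domain=AAA.COM
"""
# Constructed XAUTH user account: without an addr-pool (Ben's failing
# attempt) and with the pool added (his workaround).
USER_NO_POOL = "ipsec:inacl=198\n"
USER_WITH_POOL = "ipsec:inacl=198\nipsec:addr-pool=pool1\n"


def parse_avpairs(text: str) -> dict:
    """Parse 'ipsec:attr=value' lines into a dict; blank lines are skipped."""
    avs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("ipsec:") or "=" not in line:
            raise ValueError(f"not an ipsec AV pair: {line!r}")
        attr, value = line[len("ipsec:"):].split("=", 1)
        avs[attr] = value
    return avs


def effective_avs(order: list, group: dict, user: dict) -> dict:
    """Replay authentication steps ('group'/'user'); return surviving AVs."""
    current = {}
    for step in order:
        if step == "group":
            current = dict(group)    # a repeated group auth drops user AVs
        elif step == "user":
            current.update(user)     # user values override group values
        else:
            raise ValueError(f"unknown step: {step}")
    return current


def pool_available(avs: dict) -> bool:
    """False corresponds to IOS logging 'Could not get address from pool!'."""
    return bool(avs.get("addr-pool"))
```

Replaying `["group", "user", "group"]` (Kingsley's Method 2 order) shows the user's `inacl` being replaced by the group's again, which is the "user AVs are lost" case.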
