Thanks Karthik. I feel a little more comfortable about this now :-). I'll just add it to my list of random stuff to remember. That list is growing!
I just thought of one more question related to this same scenario. In ACS I specified the "ipsec:user-vpn-group=MYGROUP" Cisco IOS AV Pair value in my XAUTH User's ACS account / page, but I'm not sure if it actually does anything. I created another user without any "ipsec:user-vpn-group" value specified at all, and it too seemed to work fine for XAUTH. Additionally, I thought maybe by specifying this value it would limit this particular user account to only being used for XAUTH purposes, but I was successfully able to Telnet and SSH to devices with this account so that didn't seem to be the case. Any ideas?

Thanks,
Jason

On Fri, Sep 7, 2012 at 1:14 AM, Karthik sagar <[email protected]> wrote:
> Yes, this is how it is designed. The Router sends the "vpn-group/cisco" as
> username/password to the ACS server. The actual vpn-group-password is then
> validated against "tunnel-pre-shared-key" attribute in the profile. This
> method is to be used only with IOS/RADIUS.
>
> With the ASA, the ACS profile will have the actual
> "vpn-group/vpn-group-password" as username/password.
>
> Why was it designed this way? No idea :-) If anybody knows why, please
> share.
>
> Regards,
> Karthik
