Jason,

That is by design, don't know why though. Check the section below in the Easy VPN Server doc, which also has the RADIUS attributes needed for group authorization parameters.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/12-4t/sec-easy-vpn-srvr.html#GUID-D0BC5B4D-7BDB-44B6-B49F-EBBD79F1D185

*To define group policy attributes for RADIUS, you must do the following task on your RADIUS server:*

- Define a user that has a name equal to the group name as defined in the client graphical user interface (GUI). *For example, if users will be connecting to the Cisco IOS VPN device using the group name "sales," you will need a user whose name is "sales." The password for this user is "cisco," which is a special identifier that is used by the router for RADIUS purposes.* The username must then be made a member of a group in which the correct policy is defined. For simplicity, it is recommended that the group name be the same as the username.

On Fri, Sep 7, 2012 at 2:49 AM, Jason Madsen <[email protected]> wrote:

> Hi group,
>
> I just did a mini lab scenario where I set up a Remote Access IOS EZVPN
> Server using ACS for authentication and authorization. No ISAKMP Client
> Group configs were in IOS...they were all on ACS. Pretty much everything
> was straightforward, but one thing struck me as a bit weird. For the
> ISAKMP Client Group to work, I had to create a user with the same name as
> the group (not that weird I guess), and then I had to specify that this
> user's password be "cisco" (very weird) even though to authenticate the
> group I have to use the group password and not "cisco" in the IPSec VPN
> client. I looked everywhere in my IOS and ACS configs, and I didn't see
> anything where "cisco" could have been referenced. If I change this user's
> password to anything other than "cisco", everything breaks. This wasn't
> the XAUTH user either...that was a different one in the default group.
>
> Is this just something to remember to do to make this configuration work,
> or can anyone provide a little more background info about it?
>
> Please let me know if more information is needed.
>
> Thanks,
> Jason
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
