works for me :-). Thanks!! Sent from my iPhone
On Sep 7, 2012, at 7:34 AM, GuardGrid <[email protected]> wrote: > Jason, > That is by design, don't know why though. Check the below section on Easy VPN > server Doc also with the radius attributes needed for group authorization > parameters. > > http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/12-4t/sec-easy-vpn-srvr.html#GUID-D0BC5B4D-7BDB-44B6-B49F-EBBD79F1D185 > > > To define group policy attributes for RADIUS, you must do the following task > on your RADIUS server: > Define a user that has a name equal to the group name as defined in the > client graphical user interface (GUI). For example, if users will be > connecting to the Cisco IOS VPN device using the group name "sales," you will > need a user whose name is "sales." The password for this user is "cisco," > which is a special identifier that is used by the router for RADIUS purposes. > The username must then be made a member of a group in which the correct > policy is defined. For simplicity, it is recommended that the group name be > the same as the username. > > > > On Fri, Sep 7, 2012 at 2:49 AM, Jason Madsen <[email protected]> wrote: > Hi group, > > I just did a mini lab scenario where I setup Remote Access IOS EZVPN Server > using ACS for authentication and authorization. No ISAKMP Client Group > config's were in IOS...they were all on ACS. Pretty much everything was > straight forward, but one thing struck me as a bit weird. For the ISAKMP > Client Group to work, I had to create a user with the same name of the group > (not that weird I guess), and then I had to specify that this user's password > be "cisco" (very weird) even though to authenticate the group I have to use > the group password and not "cisco" in the IPSec VPN client. I looked > everywhere in my IOS and ACS config's, and I didn't see anything where > "cisco" could have been referenced. If I change this user's password to > anything other than "cisco", everything breaks. This wasn't the XAUTH user > either...that was a different one in the default group. > > Is this just something to remember to do to make this configuration work, or > can anyone provide a little more background info about it? > > Please let me know if more information is needed. > > Thanks, > Jason > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
