Ben, I'm afraid this is impossible to configure on ASA. Following "Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2": http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1062323
*You configure connection profiles using tunnel-group commands. In this chapter, the terms "connection profile" and "tunnel group" are often used interchangeably. [...] Connection profiles are local to the ASA and are not configurable on external servers.*

Although it doesn't strictly say that you have to define PSK on ASA, for me it's a quite clear message that the definition of the tunnel-group (name and PSK) has to be local. So apparently on ASA you can only have external authentication for users or external group-policy definition for tunnel-groups. I may be wrong, but I haven't seen any example of ISAKMP authorization on ASA so far.

Marta Sokolowska.

2012/9/19 Ben Shaw <[email protected]>

> Hi All
>
> I am reviewing Easy VPN knowledge on both ASA and IOS this morning and
> can't see how to check the group PSK against an external RADIUS server on
> ASA. I can perform XAUTH against the RADIUS server and also reference an
> external group policy on that server applied to the tunnel group but can't
> see what I need to do to actually have the ASA check the RADIUS server for
> the Phase 1 group password.
>
> On IOS I did the following to do this:
>
> aaa authorization network easyrad group radius
> aaa authentication login easyrad group radius
>
> crypto isakmp profile vi
>  client authentication list easyrad
>  isakmp authorization list easyrad
>
> Is there a way to achieve the following in ASA for centralized P1 and P1.5
> authentication and authorization on ASA?
>
> Thanks
> Ben
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com

--
Marta Sokołowska.
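The split described in the reply above, as an added example that is not part of the original thread: on ASA 8.2 the tunnel-group name and its pre-shared key are defined locally, while XAUTH user authentication and the group policy are delegated to RADIUS. The names EZRAD, EZPOLICY and EZGROUP, the interface name inside, the address 192.0.2.10 and the bracketed secrets are placeholders assumed for illustration.

```cisco
! Added example; all names, the address and the secrets are placeholders.
!
! RADIUS server group used for XAUTH and for the external group policy
aaa-server EZRAD protocol radius
aaa-server EZRAD (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! External group policy: its attributes are retrieved from the RADIUS server
group-policy EZPOLICY external server-group EZRAD password <policy-password>
!
! The connection profile (tunnel group) is local to the ASA
tunnel-group EZGROUP type remote-access
tunnel-group EZGROUP general-attributes
 ! XAUTH (user authentication) is checked against RADIUS
 authentication-server-group EZRAD
 ! Policy attributes come from the external group policy above
 default-group-policy EZPOLICY
tunnel-group EZGROUP ipsec-attributes
 ! The Phase 1 group password stays in the local configuration
 pre-shared-key <group-psk>
```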
