Thanks Marta, I was wondering whether or not it was possible, considering there didn't seem to be an obvious way to do it and I couldn't remember coming across something similar in the past.
I had a read of the link you sent and I would agree that though it doesn't specifically state it, saying that tunnel groups are local only implies that P1 must be authenticated locally and cannot use AAA like IOS can.

Thanks for your input.

Ben

On Wed, Sep 19, 2012 at 9:58 AM, Marta Sokolowska <[email protected]> wrote:

> Ben,
>
> I'm afraid this is impossible to configure on ASA. Following "Cisco ASA
> 5500 Series Configuration Guide using the CLI, 8.2":
>
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1062323
>
> *You configure connection profiles using tunnel-group commands. In this
> chapter, the terms "connection profile" and "tunnel group" are often used
> interchangeably.
> [...]
> Connection profiles are local to the ASA and are not configurable on
> external servers.*
>
> Although it doesn't strictly say that you have to define PSK on ASA, for
> me it's a quite clear message that the definition of the tunnel-group (name
> and PSK) has to be local. So apparently on ASA you can only have external
> authentication for users or external group-policy definition for
> tunnel-groups.
>
> I may be wrong, but I haven't seen any example of ISAKMP authorization on
> ASA so far.
>
> Marta Sokolowska.
>
> 2012/9/19 Ben Shaw <[email protected]>
>
>> Hi All
>>
>> I am reviewing Easy VPN knowledge on both ASA and IOS this morning and
>> can't see how to check the group PSK against an external RADIUS server on
>> ASA. I can perform XAUTH against the RADIUS server and also reference an
>> external group policy on that server applied to the tunnel group but can't
>> see what I need to do to actually have the ASA check the RADIUS server for
>> the Phase 1 group password.
>>
>> On IOS I did the following to do this:
>>
>> aaa authorization network easyrad group radius
>> aaa authentication login easyrad group radius
>>
>> crypto isakmp profile vi
>>  client authentication list easyrad
>>  isakmp authorization list easyrad
>>
>> Is there a way to achieve the following in ASA for centralized P1 and
>> P1.5 authentication and authorization on ASA?
>>
>> Thanks
>> Ben
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>
> --
> Marta Sokołowska.
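The split the thread arrives at, written out as an added ASA 8.2-style configuration sketch that is not part of the original messages: the tunnel group and its Phase 1 pre-shared key stay local, while XAUTH and the group policy are delegated to RADIUS. The names RAD, EZVPN and EZVPN-POLICY, the interface name inside, the address 192.0.2.10 and every value in angle brackets are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. All names, the server address and
! the <...> values are placeholders (assumptions).

! RADIUS server group used for XAUTH and for fetching the external policy
aaa-server RAD protocol radius
aaa-server RAD (inside) host 192.0.2.10
 key <radius-shared-secret>

! Group policy held on the RADIUS server: the ASA looks it up using the
! policy name as the username and this password
group-policy EZVPN-POLICY external server-group RAD password <policy-lookup-password>

! Connection profile (tunnel group): defined locally on the ASA
tunnel-group EZVPN type remote-access

tunnel-group EZVPN general-attributes
 ! Phase 1.5 (XAUTH) user authentication is sent to RADIUS
 authentication-server-group RAD
 ! Group attributes come from the external policy above
 default-group-policy EZVPN-POLICY

tunnel-group EZVPN ipsec-attributes
 ! Phase 1 group password: stored on the ASA itself, there is no
 ! counterpart here to the IOS "isakmp authorization list"
 pre-shared-key <group-psk>
```

Because the group PSK lives in each ASA's own configuration, rotating it means changing every ASA that terminates the group as well as the clients, whereas the RADIUS-held user credentials and policy attributes can be changed centrally.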
