Thanks Srikant, I am not sure if what you are suggesting will do what I am after though.

The external group policy, even though it may provide many of the settings applied to the tunnel group to which it is mapped, is, as far as I understand, just a location to store settings, but it does not reflect the Phase 1 identity; the Phase 1 identity is provided by the tunnel group. The group policy provides post-login settings after authentication has completed, whereas the tunnel group defines the pre-login settings, including authentication. Once the authentication is configured under the tunnel group as you suggest, this will query the AAA server, but as far as I know only for P1.5/XAUTH, not for the P1 authentication. As yet I have only been able to configure P1 authentication locally under the tunnel group. The password applied to the external group policy account is not the PSK for P1; it is just a basic piece of authentication when the ASA requests the policy attributes from the ASA server.

What I am hoping to be able to do is actually remove the "pre-shared-key" setting from the tunnel group ipsec-attributes section and have that PSK just defined on the ACS server, and the ASA then refer to the ACS server when authenticating the PSK for the tunnel group.

Thanks
Ben

On Wed, Sep 19, 2012 at 12:14 PM, Guardgrid <[email protected]> wrote:
> Ben,
> Yes you can.
>
> On the ASA,
> create AAA server group.
> Create a group-policy and specify that it is external.
> Under the tunnel group general attributes specify
> authentication-server-group as the server group created earlier.
>
> -Srikant
>
> Sent from my iPhone
>
> On Sep 19, 2012, at 10:37 AM, Ben Shaw <[email protected]> wrote:
>
> Hi All
>
> I am reviewing Easy VPN knowledge on both ASA and IOS this morning and
> can't see how to check the group PSK against an external RADIUS server on
> ASA. I can perform XAUTH against the RADIUS server and also reference an
> external group policy on that server applied to the tunnel group but can't
> see what I need to do to actually have the ASA check the RADIUS server for
> the Phase 1 group password.
>
> On IOS I did the following to do this:
>
> aaa authorization network easyrad group radius
> aaa authentication login easyrad group radius
>
> crypto isakmp profile vi
> client authentication list easyrad
> isakmp authorization list easyrad
>
> Is there a way to achieve the following in ASA for centralized P1 and P1.5
> authentication and authorization on ASA?
>
> Thanks
> Ben
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
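The three ASA steps Srikant lists, written out as one complete configuration so the pieces can be seen together. This is an added example, not configuration posted by either participant; the server-group name ACS, the interface and address (inside, 192.0.2.10), the group-policy and tunnel-group names EZVPN-GP and EZVPN, and the placeholder secrets are all assumptions. It deliberately keeps the pre-shared key under the tunnel-group ipsec-attributes, because, as Ben observes in the thread, the AAA server is consulted for XAUTH (P1.5) and for the external group-policy attributes, not for the Phase 1 group PSK.

```cisco
! Added example, not from the thread. Names, address and secrets are assumed.

! 1. AAA server group pointing at the ACS/RADIUS server
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key RADIUS-SHARED-SECRET-PLACEHOLDER

! 2. External group-policy whose attributes are fetched from ACS.
!    The password here only authenticates the ASA's attribute request;
!    it is not the IKE Phase 1 PSK.
group-policy EZVPN-GP external server-group ACS password GP-PASSWORD-PLACEHOLDER

! 3. Tunnel group: XAUTH (P1.5) is sent to ACS, and the external
!    group-policy supplies the post-login settings.
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 authentication-server-group ACS
 default-group-policy EZVPN-GP

! The Phase 1 group PSK is still defined locally; this is the setting
! Ben would like to move to ACS, and nothing above removes the need for it.
tunnel-group EZVPN ipsec-attributes
 pre-shared-key GROUP-PSK-PLACEHOLDER
```

When reviewing such a configuration, the two secrets to account for are the RADIUS shared secret under the aaa-server host and the group PSK under the tunnel-group; the external group-policy password is a third credential but protects only the attribute lookup.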
