Read this http://blog.ine.com/2009/05/18/understanding-external-easy-vpn-authorization/
On 19. 9. 2012 at 21:34, Ben Shaw <[email protected]>:

> Thanks Srikant
>
> I am not sure if what you are suggesting will do what I am after though.
>
> The external group policy even though it may provide many of the settings
> applied to the tunnel group to which it is mapped is as far as I understand
> just a location to store settings but does not reflect the phase 1 identity,
> the phase 1 identity is provided by the tunnel group. The group policy
> provides post login settings after authentication has completed where the
> tunnel group defines the pre-login settings including authentication.
>
> Once the authentication is configured under the tunnel group as you suggest
> this will query the AAA server but as far as I know only for P1.5/XAUTH not
> for the P1 authentication. As yet I have only been able to configure P1
> authentication locally under the tunnel group. The password applied to the
> external group policy account is not the PSK for P1 it is just a basic piece
> of authentication when the ASA requests the policy attributes from the ASA
> server.
>
> What I am hoping to be able to do is actually remove the "pre-shared-key"
> setting from the tunnel group ipsec-attributes section and have that PSK just
> defined on the ACS server and the ASA then refer to the ACS server when
> authenticating the PSK for the tunnel group.
>
> Thanks
> Ben
>
> On Wed, Sep 19, 2012 at 12:14 PM, Guardgrid <[email protected]> wrote:
>
> Ben,
> Yes you can.
>
> On the ASA,
> Create aaa server group.
> Create a group-policy and specify that it is external
> Under the tunnel group general attributes specify authentication-server-group
> as the server group created earlier.
>
> -Srikant
>
> Sent from my iPhone
>
> On Sep 19, 2012, at 10:37 AM, Ben Shaw <[email protected]> wrote:
>
> Hi All
>
> I am reviewing Easy VPN knowledge on both ASA and IOS this morning and can't
> see how to check the group PSK against an external RADIUS server on ASA. I
> can perform XAUTH against the RADIUS server and also reference an external
> group policy on that server applied to the tunnel group but can't see what I
> need to do to actually have the ASA check the RADIUS server for the Phase 1
> group password.
>
> On IOS I did the following to do this:
>
> aaa authorization network easyrad group radius
> aaa authentication login easyrad group radius
>
> crypto isakmp profile vi
>  client authentication list easyrad
>  isakmp authorization list easyrad
>
> Is there a way to achieve the following in ASA for centralized P1 and P1.5
> authentication and authorization on ASA?
>
> Thanks
> Ben
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
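
The three ASA steps listed in the quoted reply, written out as an ASA configuration with the point from Ben's follow-up marked in comments. This is an added example, not part of the thread: the names RAD, EZVPN and EZVPN-POLICY, the inside interface, the 192.0.2.10 address and the bracketed secrets are placeholders, and `ikev1 pre-shared-key` assumes ASA 8.4 or later (earlier releases use `pre-shared-key`).

```cisco
! Step 1: create the AAA server group (RADIUS) and point it at the server.
! 192.0.2.10 and the interface name "inside" are placeholders.
aaa-server RAD protocol radius
aaa-server RAD (inside) host 192.0.2.10
 key <radius-shared-secret>

! Step 2: create a group-policy and mark it external.
! The password here only authenticates the policy lookup against the
! AAA server; as noted in the thread, it is not the Phase 1 PSK.
group-policy EZVPN-POLICY external server-group RAD password <policy-fetch-password>

! Step 3: under the tunnel group general attributes, reference the
! server group. This drives XAUTH (P1.5) for users of this group.
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 authentication-server-group RAD
 default-group-policy EZVPN-POLICY

! The Phase 1 group key is still configured locally on the ASA.
! This is the setting the thread asks about moving to the ACS server.
tunnel-group EZVPN ipsec-attributes
 ikev1 pre-shared-key <group-psk>
```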
