Thanks Radim, that's a good document I hadn't seen. It confirms the PSK on an ASA tunnel group can only be defined locally/statically on the ASA and cannot be defined on the AAA server as it can be with IOS.
"The IOS routers allow you to pull the group pre-shared key from the RADIUS server when the client uses PSK authentication. This is not possible with the ASA firewall, as the key is statically defined under the respective tunnel-group."

Ben

On Wed, Sep 19, 2012 at 2:45 PM, Radim Jurica <[email protected]> wrote:

> Read this
>
> http://blog.ine.com/2009/05/18/understanding-external-easy-vpn-authorization/
>
> R.
>
> 19. 9. 2012 v 21:34, Ben Shaw <[email protected]>:
>
> Thanks Srikant
>
> I am not sure if what you are suggesting will do what I am after though.
>
> The external group policy, even though it may provide many of the settings applied to the tunnel group to which it is mapped, is as far as I understand just a location to store settings but does not reflect the phase 1 identity; the phase 1 identity is provided by the tunnel group. The group policy provides post-login settings after authentication has completed, where the tunnel group defines the pre-login settings including authentication.
>
> Once the authentication is configured under the tunnel group as you suggest this will query the AAA server, but as far as I know only for P1.5/XAUTH, not for the P1 authentication. As yet I have only been able to configure P1 authentication locally under the tunnel group. The password applied to the external group policy account is not the PSK for P1; it is just a basic piece of authentication when the ASA requests the policy attributes from the ACS server.
>
> What I am hoping to be able to do is actually remove the "pre-shared-key" setting from the tunnel group ipsec-attributes section and have that PSK just defined on the ACS server, and the ASA then refer to the ACS server when authenticating the PSK for the tunnel group.
>
> Thanks
> Ben
>
> On Wed, Sep 19, 2012 at 12:14 PM, Guardgrid <[email protected]> wrote:
>
>> Ben,
>> Yes you can.
>>
>> On the asa,
>> create aaa server group.
>> Create a group-policy and specify that it is external
>> Under the tunnel group general attributes specify authentication-server-group as the server group created earlier.
>>
>> -Srikant
>>
>> Sent from my iPhone
>>
>> On Sep 19, 2012, at 10:37 AM, Ben Shaw <[email protected]> wrote:
>>
>> Hi All
>>
>> I am reviewing Easy VPN knowledge on both ASA and IOS this morning and can't see how to check the group PSK against an external RADIUS server on ASA. I can perform XAUTH against the RADIUS server and also reference an external group policy on that server applied to the tunnel group, but can't see what I need to do to actually have the ASA check the RADIUS server for the Phase 1 group password.
>>
>> On IOS I did the following to do this:
>>
>> aaa authorization network easyrad group radius
>> aaa authentication login easyrad group radius
>>
>> crypto isakmp profile vi
>>  client authentication list easyrad
>>  isakmp authorization list easyrad
>>
>> Is there a way to achieve the following in ASA for centralized P1 and P1.5 authentication and authorization on ASA?
>>
>> Thanks
>> Ben
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
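The ASA side of the arrangement the thread settles on, as an added configuration example that is not from any of the posters: RADIUS (ACS) handles XAUTH and serves the external group policy, while the phase 1 group PSK stays statically defined under the tunnel group because the ASA has no counterpart to the IOS "isakmp authorization list" lookup. The names ACS, EZVPN and EZVPN-POLICY, the address 10.0.0.10 and the bracketed secrets are assumptions.

```cisco
! Added example, not from the thread. Names (ACS, EZVPN, EZVPN-POLICY),
! the host address and the bracketed secrets are assumptions.
!
! RADIUS server group used for XAUTH (phase 1.5) and for fetching the
! external group policy from ACS.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.10
 key <RADIUS-SHARED-SECRET>
!
! Group policy stored on the RADIUS/ACS server. The password here is only
! the credential the ASA presents to retrieve the policy attributes;
! it is not the phase 1 PSK.
group-policy EZVPN-POLICY external server-group ACS password <POLICY-FETCH-PASSWORD>
!
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 ! XAUTH user credentials are checked against ACS.
 authentication-server-group ACS
 default-group-policy EZVPN-POLICY
tunnel-group EZVPN ipsec-attributes
 ! The group PSK must remain here, defined locally on the ASA; it cannot
 ! be pulled from the AAA server the way IOS does with
 ! "isakmp authorization list". On ASA 8.4 and later the command is
 ! "ikev1 pre-shared-key".
 pre-shared-key <GROUP-PSK>
```

Rotating the group PSK therefore means touching every ASA that terminates the tunnel group, which is the operational cost of the limitation the thread identifies.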
