Is RADIUS authorization for ISAKMP useful if authentication is working?

dan.tesch
Level 1

I am setting up a 2801 router for Cisco clients to connect to and am working on getting it to work with an IAS server. I've been looking at lots of configuration examples and see that I can do isakmp authorization to RADIUS, but I can't get it to work. I have crypto map xxyy client authentication working to RADIUS, but crypto map xxyy isakmp authorization isn't working - I can only get connections by setting it to local. I've read a bunch of different guides on AAA, but I'm not sure what the benefit of the authorization part is. It almost seems like this is backward, e.g. the shared key authenticates and then, if your username is valid and set to accept dial-in in Active Directory, you are "authorized" - what am I missing? And what is being "authorized" if there are no local users on the router but it is doing isakmp authorization to a local list?

Thanks to anyone who can give me some insight on this!


Richard Burts
Hall of Fame

Dan

I do not believe that I have seen aaa authorization to Radius for VPN sessions. I do not see any useful reason to do this.

HTH

Rick


Thanks, I did see a configuration guide (Cisco) that was for Radius authentication but had a link to an almost identical guide that included authorization as well. I'm going to proceed without the authorization because I think you've validated what I already thought but I'd love to understand more about what would be possible using authorization as well. The best I've been able to find are some blogs and I'm not convinced the blog authors are always using the terminology correctly. Thanks again.
