IPSec-Authentication RADIUS AV pair usage

Unanswered Question
Aug 5th, 2008
User Badges:

Dear everybody,

We are using vpn concentrator for RAS vpn and authenticate users by means of X.509 certificates with RADIUS authorization (without XAUTH authentication). We have one vpngroup configured localy on vpn 3005 concentrator and by means of RADIUS AV pairs I change some configuration parameters like split-tunnel configuration. I would like to also force some users to use XAUTH by means of IPSec-Authentication RADIUS av pair. But if I try to send this AV pair during authorization phase it seems that vpn concentrator ignore it. I guess that this is because authorization phase goes after authentication and concentrator is unable to restart XAUTH. So my questions is whether I could use IPSec-Authentication av pair this way or not. Any information would be appreciated.

Thank you very much for you help and excuse my English.

Take care


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marwan ALshawi Tue, 08/05/2008 - 19:19
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

i think better to use it with Xauth then the AV pair will be associated with each user or user group

rottenberg Wed, 08/06/2008 - 23:32
User Badges:

Thank you for your help.

But according to my testing and various documentation reading I have came to conclusion that the IPSec-Authentication AV pair can not be used this way (this AV pair is probably used only with external vpn groups), because authorization goes after authentication. The reason why I would like to use XAUTH is that by means of User-Name AV pair send in Access-Request I can give RADIUS server "hint" which reply AV pairs I want to send back to concentrator. With X.509 certificate authentication we are using, the User-Name AV pair is always the same. Of course I can use combination of X.509 certificate with XAUTH login name and password, but this is not accepted by our IT manager. Because the amount of users who would require different configuration parameters in different situations is very small (actually just one) we decided to issue secondary X.509 certificate for that user which will also solve our problem.



This Discussion