08-04-2009 08:23 AM - edited 02-21-2020 04:18 PM
Using a 3825 router to set up incoming VPN connection using the Cisco VPN client. I would like group auth to be done on the router, and user auth using radius, in this case an IAS server.
The problem is that the router is sending groupauth to the IAS server, which of course denies it. So, communication between the router and IAS server is fine, it's just what is being sent.
Our group name is remote, and it sends domain\remote as the username to the IAS server. Key exchange needs to be handled by the router, and then when the user enters their domain user/pass, it's sent to the IAS server.
Below is the relevant config. I feel like I am close, but am missing something obvious. Thanks in advance for taking a look and/or referring me to relevant config references.
aaa new-model
aaa group server radius VPNAccess
 server 1.2.3.4 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authorization network groupauthor group VPNAccess
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp client configuration group remote
 key ******
 dns 5.6.7.8 9.10.11.12
 pool remote-pool
 acl 1234
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dyna 10
 set transform-set strong
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic dyna
08-04-2009 08:24 AM
Looks like your authentication and authorization are backwards:
aaa authentication login default local
aaa authorization network groupauthor group VPNAccess
aaa authentication login VPNAccess local
aaa authorization network groupauthor local
08-04-2009 08:28 AM
Will that allow login to the router itself to still be handled through local? I would prefer not to have to use radius to auth me when I SSH to the router.
08-04-2009 08:33 AM
After attempting these changes, VPN login is allowed without any interaction with the radius server at all.
08-04-2009 09:06 AM
OK, figured it out.
For the record, here is the correct config:
! Xauth (user) authentication: RADIUS first, local as fallback
aaa authentication login userauthen group radius local
! Group authorization stays on the router, where the group is defined
aaa authorization network groupauthor local
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp client configuration group remote
 key ******
 dns 5.6.7.8 9.10.11.12
 pool remote-pool
 acl 1234
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dyna 10
 set transform-set strong
! Ties the user list to Xauth and the group list to ISAKMP group lookup
crypto map MYMAP client authentication list userauthen
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic dyna
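The three configs in this thread show the two ways the AAA wiring can go wrong: group authorization pointed at RADIUS (the group name arrives at IAS as a username), and no `client authentication list` on the crypto map (the group pre-shared key alone admits a client and RADIUS is never consulted). The script below is an added example, not from the original thread or from Cisco: it parses an IOS running-config fragment and reports both conditions, plus whether the `default` login list would also send SSH logins to RADIUS. The two sample configs are copied from the posts above; the function and message names are my own.

```python
"""Audit the AAA wiring of an IOS remote-access crypto map (added example)."""
import re
from typing import Dict, List

# Sample inputs: the original (broken) and corrected configs from the thread.
ORIGINAL = """
aaa new-model
aaa group server radius VPNAccess
 server 1.2.3.4 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authorization network groupauthor group VPNAccess
crypto isakmp client configuration group remote
 key ******
 pool remote-pool
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic dyna
"""

CORRECTED = """
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
crypto isakmp client configuration group remote
 key ******
 pool remote-pool
crypto map MYMAP client authentication list userauthen
crypto map MYMAP isakmp authorization list groupauthor
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic dyna
"""


def parse_aaa_lists(config: str, kind: str) -> Dict[str, List[str]]:
    """Return {list_name: [methods]} for 'aaa <kind> NAME method...' lines."""
    lists: Dict[str, List[str]] = {}
    prefix = f"aaa {kind} "
    for line in config.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            parts = line.split()          # aaa authentication login NAME m1 m2 ...
            lists[parts[3]] = parts[4:]
    return lists


def parse_crypto_maps(config: str) -> Dict[str, dict]:
    """Collect per crypto map: Xauth list, ISAKMP authorization list, dynamic entry present."""
    maps: Dict[str, dict] = {}
    for line in config.splitlines():
        parts = line.strip().split()
        if len(parts) < 4 or parts[:2] != ["crypto", "map"]:
            continue
        entry = maps.setdefault(parts[2], {"xauth": None, "authz": None, "dynamic": False})
        rest = parts[3:]
        if rest[:3] == ["client", "authentication", "list"]:
            entry["xauth"] = rest[3]
        elif rest[:3] == ["isakmp", "authorization", "list"]:
            entry["authz"] = rest[3]
        elif "dynamic" in rest:          # 'crypto map NAME SEQ ipsec-isakmp dynamic DYN'
            entry["dynamic"] = True
    return maps


def audit(config: str) -> List[str]:
    """Return a list of human-readable findings; empty means the wiring matches the thread's fix."""
    findings: List[str] = []
    login_lists = parse_aaa_lists(config, "authentication login")
    authz_lists = parse_aaa_lists(config, "authorization network")
    local_groups = re.findall(r"^\s*crypto isakmp client configuration group (\S+)", config, re.M)

    for name, m in parse_crypto_maps(config).items():
        if not m["dynamic"]:
            continue                     # static site-to-site entries do not use Xauth
        if m["xauth"] is None:
            findings.append(f"{name}: no 'client authentication list'; the group pre-shared key "
                            "alone admits a client and RADIUS is never consulted")
        else:
            methods = login_lists.get(m["xauth"])
            if methods is None:
                findings.append(f"{name}: Xauth list '{m['xauth']}' has no 'aaa authentication login' definition")
            elif "group" not in methods:
                findings.append(f"{name}: Xauth list '{m['xauth']}' never reaches a RADIUS server group "
                                f"(methods: {' '.join(methods)})")
        if m["authz"] is None:
            findings.append(f"{name}: no 'isakmp authorization list'; the router cannot look up the client group")
        else:
            methods = authz_lists.get(m["authz"])
            if methods is None:
                findings.append(f"{name}: authorization list '{m['authz']}' has no 'aaa authorization network' definition")
            elif local_groups and "local" not in methods:
                findings.append(f"{name}: group '{local_groups[0]}' is defined on the router but list "
                                f"'{m['authz']}' uses '{' '.join(methods)}', so the group name is sent to RADIUS")

    default = login_lists.get("default")
    if default and "group" in default:
        findings.append("default login list uses a RADIUS group; SSH and console logins will also go to RADIUS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" ", f)
```

Run it against `show running-config` output piped into a file; the check deliberately keys on the `group` method keyword rather than the server group name, so it works whether the list says `group radius` or `group VPNAccess`.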
08-04-2009 11:59 AM
Thanks for posting the corrected config.