How to properly use authorization list for IPSec remote VPN on IOS router

Jan 1st, 2010

Hi folks,

I'm a bit stumped trying to find the proper information, or rather a guide, to understand how to configure authorization for IPSec remote VPN on an IOS router. Some Cisco configuration examples say it should be as follows:

aaa authorization network SOMENAME local

crypto map CLIENTMAP isakmp authorization list SOMENAME

How does it work in the first place if I don't use the local database for authentication requests?

There's radius group configured on the router and then users successfully authenticate against the external identity store.

aaa authentication login VPNUSERAUTHEN group radius
aaa authorization exec default local
aaa authorization network VPNGROUPAUTHOR local

crypto map CLIENTMAP client authentication list VPNUSERAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNGROUPAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp dynamic DYNMAP

Why do we have to use the local database for authorization? If I want to use the list associated with the RADIUS server, what return attributes will I need to configure in the RADIUS profile?

Can someone refer me to the proper documentation elaborating how everything ties up together?


Kent Heide Sat, 01/02/2010 - 22:39

Hey Eugene.

Authorization can be used in scenarios like an EzVPN deployment where you use isakmp profiles to deploy client-level attributes. In this case the `isakmp authorization list` command is used as a Network Authorization Server for receiving Phase 1 pre-shared keys and other attribute-value (AV) pairs.

Hope this clears it up for you. Happy new years :-)

zheka_pefti Sun, 01/03/2010 - 00:11

Hi Kent,

I really appreciate your shedding more light on my question.

It does make a little sense to me, and I would understand the EasyVPN scenario, but I use the remote IPSec VPN client, and the pre-shared key is configured at the client side. Does it mean that if I use the "local" list, all possible AV pairs would be, for example, an ACL that defines split-tunneling? And if I don't use "local" but configure those AV pairs at the AAA server, can I use the same method list pointing to the RADIUS server?

Any good source to read about it?


And Happy New Year to you too !!!

Kent Heide Sun, 01/03/2010 - 02:35

Yes, you are correct in stating that instead of using local attributes and a LOCAL list, you can point it to a radius server which contains AV pairs.

You can find most of this stuff on CCO if you search it. Try to search for EzVPN authorization or something like that. Also the command reference guide will shed some light as well as to what the commands themselves actually accomplish.
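The configuration below is an added illustration, not taken from this thread or from any Cisco example, of the point the question and the replies circle around: the `client authentication list` (Xauth) decides who the user is and can go to RADIUS, while the `isakmp authorization list` decides what the group gets (pool, split-tunnel ACL) and can be served either from the local database or from RADIUS. The group name VPNGROUP, pool VPNPOOL, access-list 101, the 192.0.2.10 RADIUS server and the key strings are placeholders chosen for the example.

```cisco
! --- User authentication (Xauth): WHO is connecting ---
! User credentials are checked against the RADIUS server group only;
! the local username database is never consulted for users.
aaa new-model
aaa authentication login VPNUSERAUTHEN group radius

! --- Group authorization (isakmp authorization list): WHAT the group gets ---
! Option A: group policy is held in the local database (the crypto isakmp
! client configuration group block below).
aaa authorization network VPNGROUPAUTHOR local

! Option B (what the replies describe): same list name, but the group
! attributes are returned by RADIUS as AV pairs instead of being read
! from the local group block. Only one of the two lines should be active.
! aaa authorization network VPNGROUPAUTHOR group radius

! Placeholder RADIUS server and shared secret.
radius-server host 192.0.2.10 key RADIUSKEY

! Local group definition used by Option A. The group name and pre-shared
! key are what the remote client has configured; pool and acl are the
! attributes handed to the client after group authorization succeeds.
ip local pool VPNPOOL 10.10.10.1 10.10.10.50
! Split-tunnel ACL: only traffic to 10.0.0.0/8 is sent through the tunnel.
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.10.10.0 0.0.0.255

crypto isakmp client configuration group VPNGROUP
 key GROUPKEY
 pool VPNPOOL
 acl 101

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

crypto dynamic-map DYNMAP 10
 set transform-set TSET
 reverse-route

! Ties both lists to the crypto map, exactly as in the original post.
crypto map CLIENTMAP client authentication list VPNUSERAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNGROUPAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp dynamic DYNMAP
```

With Option B the router still needs the group's pre-shared key to complete Phase 1, so the RADIUS server has to return it along with the other group attributes. As I recall from Cisco's documentation (verify against the command reference for your IOS release, since this is not stated in the thread), the RADIUS entry is a user whose name equals the group name, and the attributes come back as Cisco AV pairs such as `ipsec:key-exchange=ike`, `ipsec:tunnel-password=GROUPKEY`, `ipsec:addr-pool=VPNPOOL` and `ipsec:inacl=101`, which map one-to-one onto the `key`, `pool` and `acl` lines of the local group block above.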

