Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2294
Views
0
Helpful
3
Replies

How to properly use authorization list for IPSec remote VPN on IOS router

zheka_pefti
Level 2
Level 2

‎01-01-2010 09:37 PM - edited ‎02-21-2020 04:26 PM

Hi folks,

I'm a bit stumped trying to find the proper information or rather guide and understand how to configure authorization for IPSec remote VPN on IOS router.Some Cisco confiruation examples say it should be as follows:

aaa authorization network SOMENAME local

crypto map CLIENTMAP isakmp authorization list SOMENAME

How does it work in the first place if I don't use local database for authentication requests?

There's radius group configured on the router and then users successfully authenticate against the external identity store.

aaa authentication login VPNUSERAUTHEN group radius
aaa authorization exec default local
aaa authorization network VPNGROUPAUTHOR local

crypto map CLIENTMAP client authentication list VPNUSERAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNGROUPAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp dynamic DYNMAP

Why do we have to use local database for authorizations? If I want to use the list associated with radius server what return attributes I will need to configure with the radius profile?

Can someone refer me to the proper documentation elaborating how everything ties up together?

Eugene

Labels:
0 Helpful
3 Replies 3

Kent Heide
Level 1
Level 1

‎01-02-2010 10:39 PM

Hey Eugene.

Authorization can be used in scenarios like an EzVPN deployment where you use isakmp profiles to deploy client level attributes. In this case the `isakmp authorization list ` command is used as a Network Authorization Server for recieving Phase 1 pre-shared keys and other attribute-value (AV) pairs.

Hope this clears it up for you. Happy new years :-)

0 Helpful

zheka_pefti
Level 2
Level 2
In response to Kent Heide

‎01-03-2010 12:11 AM

Hi Kent,

I really appreciate your shedding more light on my question.

It does make a little sense to me and I would understand EasyVPN scenario but I use remote IPSec VPN client. And the pre-shared key is configured at the client side. Does it mean that if I use "local" list all possible AV pair would be ACL for example that would define split-tunneling? And if I don't use "local" but configure those AV pairs at the AAA server I can use the same method list pointing to the RADIUS server ?

Any good source to read about it ?

Eugene

And Happy New Year to you too !!!

0 Helpful

Kent Heide
Level 1
Level 1
In response to zheka_pefti

‎01-03-2010 02:35 AM

Yes, you are correct in stating that instead of using local attributes and a LOCAL list, you can point it to a radius server which contains AV pairs.

You can find most of this stuff on CCO if you search it. Try to search for EzVPN authorization or something like that. Also the command reference guide will shed some light aswell as to what the commands themselves actually accomplish.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents