Router remote access using Cisco ACS configuration

Jun 14th, 2010

Can anyone help me?


I have set up a test network for practice setting up a remote access
connection between a Cisco VPN client and a Cisco router, using a Cisco
Secure ACS (version 3.3) for authentication and authorization instead
of the local database, but I can't get it to work. When I try to connect
using the VPN client I don't even get a username/password prompt. I believe
I have set up the ACS server correctly and have added a user (see attachments),
but I have no idea if there is any further configuration that needs to be
done, as a search of several books and the net has proved fruitless.

Any help on this will be greatly appreciated.


Regards,

Melvyn Brown


I tried to use the RADIUS protocol for authentication and authorization,
but that did not work either.


Router config


access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

ip local pool test-pool 192.168.4.1 192.168.4.254

crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac

crypto isakmp client configuration group London
 key cisco
 domain cisco.com
 pool test-pool
 netmask 255.255.255.0
 acl 101

aaa new-model

tacacs-server host 192.168.1.10
tacacs-server key secret1

aaa group server tacacs+ TACACS1
 server 192.168.1.10

aaa authentication login userauthen group TACACS1
aaa authorization network groupauthor group TACACS1

crypto isakmp enable
crypto isakmp identity address

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

crypto dynamic-map dynmap 10
 set transform-set BOSTON
 reverse-route

crypto map client1 client authentication list userauthen
crypto map client1 isakmp authorization list groupauthor

crypto map client1 client configuration address respond
crypto map client1 20 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 crypto map client1
 no shut

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shut

route-map nonat permit 10
 match ip address 102

ip nat inside source route-map nonat interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.2.2
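In a config like the one above, the Xauth and group-authorization names in the crypto map, the AAA method lists, the server group, the address pool and the transform set all have to resolve to each other, and a single mismatch silently breaks the client prompt. As an added check (not part of the original post), this Python script cross-references those names in an IOS Easy VPN server config and also flags the deprecated algorithms the posted policy uses (3DES, MD5, DH group 2); SAMPLE_CONFIG is a constructed, trimmed copy of the posted config and the finding messages are my own wording.

```python
import re
# Constructed sample: a trimmed copy of the Easy VPN config from the post above.
SAMPLE_CONFIG = """
crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac
crypto isakmp client configuration group London
 pool test-pool
ip local pool test-pool 192.168.4.1 192.168.4.254
aaa new-model
aaa group server tacacs+ TACACS1
aaa authentication login userauthen group TACACS1
aaa authorization network groupauthor group TACACS1
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
crypto dynamic-map dynmap 10
 set transform-set BOSTON
crypto map client1 client authentication list userauthen
crypto map client1 isakmp authorization list groupauthor
"""
# (reference regex, definition regex with {} for the referenced name, description)
REFERENCES = (
    (r"^crypto map \S+ client authentication list (\S+)", r"^aaa authentication login {} ", "xauth list"),
    (r"^crypto map \S+ isakmp authorization list (\S+)", r"^aaa authorization network {} ", "authorization list"),
    (r"^aaa (?:authentication|authorization) \S+ \S+ group (\S+)", r"^aaa group server (?:tacacs\+|radius) {}\s*$", "server group"),
    (r"^\s*pool (\S+)", r"^ip local pool {} ", "address pool"),
    (r"^\s*set transform-set (\S+)", r"^crypto ipsec transform-set {} ", "transform set"),
)
# Algorithms the posted policy uses that are deprecated today.
WEAK = (
    (r"^\s*encryption (?:3des|des)\b", "IKE policy uses 3DES/DES"),
    (r"^\s*hash md5\b", "IKE policy uses MD5"),
    (r"^\s*group [12]\b", "IKE policy uses DH group 1 or 2"),
    (r"^crypto ipsec transform-set .*esp-(?:3des|des)\b", "transform set uses 3DES/DES"),
    (r"^crypto ipsec transform-set .*esp-md5-hmac", "transform set uses MD5-HMAC"),
)

def check_easy_vpn(cfg):
    """Return findings (dangling references, deprecated algorithms) for an IOS Easy VPN server config."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", cfg, re.M):
        findings.append("aaa new-model is missing, so the AAA method lists are never used")
    for ref_pat, def_pat, what in REFERENCES:
        for m in re.finditer(ref_pat, cfg, re.M):
            msg = f"{what} {m.group(1)} is referenced but not defined"
            if not re.search(def_pat.format(re.escape(m.group(1))), cfg, re.M) and msg not in findings:
                findings.append(msg)
    for pat, msg in WEAK:
        if re.search(pat, cfg, re.M):
            findings.append(msg)
    return findings
```

Run it against `show running-config` output; an empty list of reference findings means the names line up and the problem is elsewhere (ACS side, transport to the server, or the client group), while the algorithm findings apply to the posted policy regardless.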
