remote access vpn radius authorization IOS

Unanswered Question
Oct 2nd, 2010

I was trying different authorization combinations in my lab. I came to find that if I did RADIUS group authorization like this, for example:

vpn group on client: cisco

On the VPN router, I configured this under the isakmp profile for the client:

crypto isakmp profile fadi
   self-identity address
   match identity group ccie
   client authentication list radius
   isakmp authorization list radius

On ACS, I configured the ccie group and assigned a user with password cisco to it and configured the necessary tunnel key and type. In addition, I added this to the group:




The acl and pool values are on the router.

Then I configured an xauth user called cisco with pass cisco.

I came to realize that if you configure any user ipsec attribute, the IOS does not combine those attributes with the group attributes. For example, the user "cisco" RADIUS av-pair configured in this scenario:



Upon doing that, I see the user and the group authenticate correctly to the RADIUS server, but the router ignores the group attributes for the ccie group with the address pool and DNS server etc.:

:deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer

I can resolve this by adding the split tunnel, DNS server, and pool av attributes to the user as well, or by removing the ipsec:inacl attribute from the xauth user account. Now the question is: all docs point to the fact that the user attributes take precedence over group attributes, and the group attributes fill the gaps missed in the user attributes. This is not the case here if any attribute is configured for the user except for the use-vpn-group attribute. If anyone can shed some light on this, I would really appreciate it! Thank you, and sorry for the lengthy description.

fadlouni Thu, 10/14/2010 - 09:10

ACS group attributes fill the gaps for user attributes if they are different attributes.


Group has attributes #1, 2, 3, 4 defined.

User has attribute 3 defined.

Then we use attribute 3 from the user profile, then 1, 2, 4 from the group profile.

With ipsec attributes, they are all sent as part of the same VSA (009\001 cisco-av-pair 009\001) attribute (so all of them are in the same VSA). Since the VSA is one attribute, you then have the same attribute defined on group and user level, and as explained above, when you have the same attribute on user and group level, the RADIUS server sends over the user attribute.

Some ipsec attributes can be defined outside of the Cisco VSA, like the tunnel-type attribute #64. So this is an example of an attribute which can be *filled-in-the-gap* if defined on group but not user level.

Hope this helps.
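The merge rule described in this reply, as an added example that is not part of the thread or of ACS code: a small Python model where group and user profiles are merged per attribute number, with every ipsec:* av-pair sharing the single cisco-av-pair key. The attribute numbers (Tunnel-Type 64, VSA 26 / vendor 9 / type 1) are real; the profile names and av-pair values are constructed.

```python
# Added example (not from the thread): a model of the user-vs-group RADIUS
# attribute merge described above.  Attribute numbers are real RADIUS/Cisco
# values; the av-pair contents and profile names are constructed.
from typing import Dict, List, Tuple

AttrKey = Tuple[int, int, int]           # (type, vendor_id, vendor_type)
TUNNEL_TYPE: AttrKey = (64, 0, 0)        # RFC 2868 Tunnel-Type, no vendor
CISCO_AV_PAIR: AttrKey = (26, 9, 1)      # VSA 26 / vendor 9 (Cisco) / type 1

Profile = Dict[AttrKey, List[str]]

def merge_profiles(user: Profile, group: Profile) -> Profile:
    """Merge per attribute *number*: a user attribute replaces the group's
    attribute outright; group attributes absent from the user fill the gaps.
    Every ipsec:* av-pair shares the one cisco-av-pair key, so a single
    user-level av-pair displaces all group-level av-pairs at once."""
    merged = {key: list(values) for key, values in group.items()}
    for key, values in user.items():
        merged[key] = list(values)       # whole attribute, not value-by-value
    return merged

def ipsec_settings(profile: Profile) -> Dict[str, str]:
    """Expand cisco-av-pair values into an {ipsec:<name>: <value>} map."""
    settings = {}
    for pair in profile.get(CISCO_AV_PAIR, []):
        name, _, value = pair.partition("=")
        settings[name] = value
    return settings

# Constructed ccie group profile carrying the tunnel parameters.
GROUP_CCIE: Profile = {
    TUNNEL_TYPE: ["ESP"],
    CISCO_AV_PAIR: [
        "ipsec:addr-pool=vpnpool",
        "ipsec:dns-servers=10.0.0.53",
        "ipsec:inacl=split-acl",
    ],
}
# Constructed xauth user with only an inacl av-pair, as in the question.
USER_CISCO: Profile = {CISCO_AV_PAIR: ["ipsec:inacl=user-acl"]}

def resolve_user_cisco() -> Profile:
    """What the router receives for user 'cisco' placed in group ccie."""
    return merge_profiles(USER_CISCO, GROUP_CCIE)

def pool_missing(profile: Profile) -> bool:
    """Mirrors the 'Fail to allocate ip address' condition in the question."""
    return "ipsec:addr-pool" not in ipsec_settings(profile)
```

Running it shows the Tunnel-Type from the group surviving while the group's pool and DNS av-pairs are gone, which is the behaviour the question reports.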

