Map IPSec to MPLS using Radius

Unanswered Question
Dec 28th, 2005

Hi all, I have an IPSec to MPLS solution running on our PE router. Currently IPSec is (Cisco VPN client over the internet) connected with a given VRF based on the group name used. This works, but isn't really ideal for me, it would be much more elegant if forwarding to a particular VRF was based on a user's radius profile. I've done quite a bit of reading on cisco, the only thing I can find is here:


http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_white_paper09186a00801541dd.shtml#wp1158006


And that's what I'm already running. Is my idea achievable? And if so, is it as simple as setting a VSA on a user's radius profile? Any pointers to documentation or configuration examples would be fantastic! Thanks for the help! Jerome


johansens Thu, 12/29/2005 - 02:24

Hi there Jerome,


I have also been looking for a solution to this, and IIRC I found that the most feasible solution would be to convert to digital certificates.


Like this:

- Let the users apply for certificates for each of the VPNs they want to access

- Assign one certificate for each VPN for each user

- Do matching on some value in the certificate to assign the correct group


This way it's possible to revoke a user's access to a specific VPN by revoking his/her certificate on the CA.


Though I remember when I first implemented IPSec to Multi-VRF I had to use an AV pair like this:


(from freeradius-config):


Cisco-AVPair == "lcp:interface-config=ip vrf forwarding MYVRF\\n ip unnumbered loopback 10\\n peer default ip address pool MYVRF-RA-POOL"


Did it help?
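The AV pair above carries several IOS interface commands in one attribute value, separated by "\n". Before committing such a value to a RADIUS profile it is worth checking that it selects only a VRF and address pool the profile is allowed to select, since the RADIUS server is what decides which VRF a remote-access client lands in. The following Python script is an added example and not code from this thread or from Cisco; the VRF and pool names come from the post, while the allowlists and the function names are assumptions made for the example.

```python
"""Split and sanity-check a Cisco-AVPair 'lcp:interface-config' value
before it goes into a RADIUS user profile.

Added example (not code from the thread).  MYVRF and MYVRF-RA-POOL are
the names used in the post; the allowlists below are assumed policy.
"""
import re

PREFIX = "lcp:interface-config="

# Assumed per-deployment policy: VRFs and address pools a RADIUS
# profile is permitted to select for a remote-access client.
ALLOWED_VRFS = {"MYVRF", "OTHERVRF"}
ALLOWED_POOLS = {"MYVRF-RA-POOL", "OTHERVRF-RA-POOL"}


def split_interface_config(avpair: str) -> list:
    """Return the individual interface commands carried by the AV pair.

    The separator may be a real newline, a literal two-character '\\n',
    or the doubly escaped '\\\\n' seen in a freeradius users file."""
    if not avpair.startswith(PREFIX):
        raise ValueError("not an lcp:interface-config AV pair")
    body = avpair[len(PREFIX):]
    # Try the longest escape form first so '\\n' is not split as '\' + '\n'.
    parts = re.split(r"\\\\n|\\n|\n", body)
    return [p.strip() for p in parts if p.strip()]


def check_interface_config(avpair: str) -> dict:
    """Classify each command and report anything outside the expected set."""
    findings = {"vrf": None, "pool": None, "problems": []}
    for cmd in split_interface_config(avpair):
        m = re.fullmatch(r"ip vrf forwarding (\S+)", cmd)
        if m:
            findings["vrf"] = m.group(1)
            if m.group(1) not in ALLOWED_VRFS:
                findings["problems"].append(f"VRF not permitted: {m.group(1)}")
            continue
        m = re.fullmatch(r"peer default ip address pool (\S+)", cmd)
        if m:
            findings["pool"] = m.group(1)
            if m.group(1) not in ALLOWED_POOLS:
                findings["problems"].append(f"pool not permitted: {m.group(1)}")
            continue
        if re.fullmatch(r"ip unnumbered \S+( \d+)?", cmd):
            continue
        findings["problems"].append(f"unexpected interface command: {cmd}")
    # Without a VRF line the virtual-access interface stays in the global table.
    if findings["vrf"] is None:
        findings["problems"].append(
            "no 'ip vrf forwarding' line; client would land in the global table")
    # Assumed naming convention: pool names are prefixed with their VRF.
    if findings["vrf"] and findings["pool"] and \
            not findings["pool"].startswith(findings["vrf"]):
        findings["problems"].append(
            "pool name does not match VRF (check the pool is intended for this VRF)")
    return findings


# Constructed inputs: the value from the post, one with the VRF line
# missing, and one pointing at a VRF outside the allowlist.
SAMPLE = r"lcp:interface-config=ip vrf forwarding MYVRF\\n ip unnumbered loopback 10\\n peer default ip address pool MYVRF-RA-POOL"
NO_VRF = r"lcp:interface-config=ip unnumbered loopback 10\n peer default ip address pool MYVRF-RA-POOL"
WRONG_VRF = r"lcp:interface-config=ip vrf forwarding NOTALLOWED\\n ip unnumbered loopback 10\\n peer default ip address pool MYVRF-RA-POOL"

if __name__ == "__main__":
    for name, value in (("SAMPLE", SAMPLE), ("NO_VRF", NO_VRF), ("WRONG_VRF", WRONG_VRF)):
        print(name, check_interface_config(value))
```

Run it against a profile value copied from the users file; an empty "problems" list means the value contains only the three expected commands and selects a permitted VRF and pool.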

j.dolphin Thu, 12/29/2005 - 18:59

Hi Stig, thanks for the response, I'd prefer to stick with the Radius if possible.


I've added those changes to a test radius account. I'm assuming the Loopback interface referred to is in "MYVRF"?


So, the VPN client connects, but a "show ip route vrf MYVRF" on the IPSec to MPLS router doesn't show a route to the vpn client (I am using reverse-route in the dynamic map). However, "show ip route" shows a route to the VPN client address. This indicates to me it's being installed in the global routing table. Weird.

j.dolphin Thu, 12/29/2005 - 20:11

And, from the VPN client machine, once logged in, I can indeed ping things in the global routing table. (As opposed to the VRF referred to in the AVPair). Any thoughts?
