
Map IPSec to MPLS using Radius

j.dolphin
Level 1

Hi all, I have an IPSec to MPLS solution running on our PE router. Currently IPSec is (Cisco VPN client over the internet) connected with a given VRF based on the group name used. This works, but isn't really ideal for me, it would be much more elegant if forwarding to a particular VRF was based on a user's radius profile. I've done quite a bit of reading on cisco, the only thing I can find is here:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_white_paper09186a00801541dd.shtml#wp1158006

And that's what I'm already running. Is my idea achievable? And if so, is it as simple as setting a VSA on a user's radius profile? Any pointers to documentation or configuration examples would be fantastic! Thanks for the help! Jerome

3 Replies

johansens
Level 4

Hi there Jerome,

I have also been looking for a solution to this, and IIRC I found that the most feasible solution would be to convert to digital certificates.

Like this:

- Let the users apply for certificates for each of the VPNs they want to access

- Assign one certificate for each VPN for each user

- Do matching on some value in the certificate to assign the correct group

This way it's possible to revoke a user's access to a specific VPN by revoking his/her certificate on the CA.

Though I remember when I first implemented IPSec to Multi-VRF I had to use AV pairs like this:

(from freeradius-config):

Cisco-AVPair += "lcp:interface-config=ip vrf forwarding MYVRF\\n ip unnumbered loopback 10\\n peer default ip address pool MYVRF-RA-POOL"

Did it help?
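As an added example (not from this thread or anyone's production config), a small Python checker that reads Cisco-AVPair reply items from a constructed FreeRADIUS users file, splits each lcp:interface-config value into the IOS commands it carries, and flags profiles that would leave the virtual-access interface in the global routing table: a missing "ip vrf forwarding", or one placed after the addressing commands. The usernames, VRF name OTHERVRF and passwords are made up for the example.

```python
import re

# Constructed FreeRADIUS "users" file (sample input, not a real deployment).
# FreeRADIUS collapses "\\" to "\" before sending, so IOS receives the literal
# two-character separator \n between commands.
USERS_FILE = r'''
alice   Cleartext-Password := "placeholder"
        Cisco-AVPair += "lcp:interface-config=ip vrf forwarding MYVRF\\n ip unnumbered loopback 10\\n peer default ip address pool MYVRF-RA-POOL"

bob     Cleartext-Password := "placeholder"
        Cisco-AVPair += "lcp:interface-config=ip unnumbered loopback 10\\n ip vrf forwarding OTHERVRF"

carol   Cleartext-Password := "placeholder"
        Cisco-AVPair += "lcp:interface-config=ip unnumbered loopback 10"
'''

USER_RE = re.compile(r'^(\S+)\s+Cleartext-Password')
AVPAIR_RE = re.compile(r'^\s*Cisco-AVPair\s*(?:\+=|=)\s*"(lcp:interface-config=.*)"\s*$')


def parse_users(text):
    """Return {username: [interface command, ...]} parsed from a users file."""
    profiles, user = {}, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            profiles.setdefault(user, [])
            continue
        m = AVPAIR_RE.match(line)
        if m and user:
            body = m.group(1)[len('lcp:interface-config='):]
            body = body.replace('\\\\', '\\')          # what FreeRADIUS actually sends
            profiles[user].extend(c.strip() for c in body.split('\\n') if c.strip())
    return profiles


def check_vrf(commands):
    """Return (vrf_name or None, problem or None) for one interface-config list."""
    vrf_idx = next((i for i, c in enumerate(commands) if c.startswith('ip vrf forwarding ')), None)
    addr_idx = next((i for i, c in enumerate(commands)
                     if c.startswith('ip unnumbered ') or c.startswith('ip address ')), None)
    if vrf_idx is None:
        return None, 'no ip vrf forwarding: interface and reverse-route land in the global table'
    vrf = commands[vrf_idx].split()[3]
    if addr_idx is not None and addr_idx < vrf_idx:
        # IOS removes interface IP addressing when the VRF is changed, so the VRF must come first.
        return vrf, 'ip vrf forwarding after addressing: IP config is cleared when the VRF is applied'
    return vrf, None


def audit(text):
    """Map every user in the file to (vrf, problem)."""
    return {u: check_vrf(cmds) for u, cmds in parse_users(text).items()}
```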

Hi Stig, thanks for the response, I'd prefer to stick with the Radius if possible.

I've added those changes to a test radius account. I'm assuming the Loopback interface referred to is in "MYVRF"?

So, the VPN client connects, but a "show ip route vrf MYVRF" on the IPSec to MPLS router doesn't show a route to the VPN client (I am using reverse-route in the dynamic map). However, "show ip route" shows a route to the VPN client address. This indicates to me it's being installed in the global routing table. Weird.

And, from the VPN client machine, once logged in, I can indeed ping things in the global routing table. (As opposed to the VRF referred to in the AVPair). Any thoughts?