We are using a VPN concentrator for RAS VPN and authenticate users by means of X.509 certificates with RADIUS authorization (without XAUTH authentication). We have one vpngroup configured locally on the VPN 3005 concentrator, and by means of RADIUS AV pairs I change some configuration parameters like the split-tunnel configuration. I would also like to force some users to use XAUTH by means of the IPSec-Authentication RADIUS AV pair. But if I try to send this AV pair during the authorization phase, it seems that the VPN concentrator ignores it. I guess that this is because the authorization phase goes after authentication and the concentrator is unable to restart XAUTH. So my question is whether I could use the IPSec-Authentication AV pair this way or not. Any information would be appreciated.
Thank you very much for your help and excuse my English.
But according to my testing and reading of various documentation, I have come to the conclusion that the IPSec-Authentication AV pair cannot be used this way (this AV pair is probably used only with external VPN groups), because authorization goes after authentication. The reason why I would like to use XAUTH is that by means of the User-Name AV pair sent in the Access-Request I can give the RADIUS server a "hint" which reply AV pairs I want to send back to the concentrator. With the X.509 certificate authentication we are using, the User-Name AV pair is always the same. Of course I can use a combination of an X.509 certificate with an XAUTH login name and password, but this is not accepted by our IT manager. Because the number of users who would require different configuration parameters in different situations is very small (actually just one), we decided to issue a secondary X.509 certificate for that user, which will also solve our problem.