Is RADIUS authorization for ISAKMP useful if authentication is working?
I am setting up a 2801 router for Cisco clients to connect to and am working on getting it to work with an IAS server. I've been looking at lots of configuration examples and see that I can do ISAKMP authorization to RADIUS, but I can't get it to work. I have crypto map xxyy client authentication working to RADIUS, but crypto map xxyy isakmp authorization isn't working - I can only get connections by setting it to local. I've read a bunch of different guides on AAA, but I'm not sure what the benefit of the authorization part is. It almost seems like this is backward. For example: the shared key authenticates, and then if your username is valid and set to accept dial-in in Active Directory, you are "authorized" - what am I missing? And what is being "authorized" if there are no local users on the router but it is doing ISAKMP authorization to a local list?
Thanks to anyone who can give me some insight on this!
Re: Is RADIUS authorization for ISAKMP useful if authentication
Thanks, I did see a configuration guide (Cisco) that was for RADIUS authentication but had a link to an almost identical guide that included authorization as well. I'm going to proceed without the authorization because I think you've validated what I already thought, but I'd love to understand more about what would be possible using authorization as well. The best I've been able to find are some blogs, and I'm not convinced the blog authors are always using the terminology correctly. Thanks again.