
Router remote access using Cisco ACS configuration

Can anyone help me?

I have set up a test network for practice setting up a remote access
connection between a Cisco VPN client and a Cisco router, using a Cisco
Secure ACS (version 3.3) for authentication and authorization instead
of the local database, but I can't get it to work. When I try to connect
using the VPN client I don't even get a username/password prompt. I believe
I have set up the ACS server correctly and have added a user (see attachments),
but I have no idea if there is any further configuration that needs to be
done, as a search of several books and the net has proved fruitless.

Any help on this will be greatly appreciated.


Melvyn Brown

I tried to use the RADIUS protocol for authentication and authorization,
but that did not work either.

Router config

access-list 101 permit ip

access-list 102 deny ip
access-list 102 permit ip any

ip local pool test-pool

crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac

crypto isakmp client configuration group London
 key cisco
 pool test-pool
 acl 101

aaa new-model

tacacs-server host
tacacs-server key secret1

aaa group server tacacs+ TACACS1

aaa authentication login userauthen group TACACS1
aaa authorization network groupauthor group TACACS1

crypto isakmp enable
crypto isakmp identity address

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

crypto dynamic-map dynmap 10
 set transform-set BOSTON

crypto map client1 client authentication list userauthen
crypto map client1 isakmp authorization list groupauthor

crypto map client1 client configuration address respond
crypto map client1 20 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
 ip address
 ip nat outside
 crypto map client1
 no shut

interface FastEthernet0/1
 ip address
 ip nat inside
 no shut

route-map nonat permit 10
 match ip address 102

ip nat inside source route-map nonat interface FastEthernet0/0 overload

ip route