Can anyone help me?

I have set up a test network to practice setting up a remote access connection between a Cisco VPN client and a Cisco router, using a Cisco Secure ACS (version 3.3) for authentication and authorization instead of the local database, but I can't get it to work. When I try to connect using the VPN client I don't even get a username/password prompt. I believe I have set up the ACS server correctly and have added a user (see attachments), but I have no idea if there is any further configuration that needs to be done, as a search of several books and the net has proved fruitless.

Any help on this will be greatly appreciated.

Regards,
Melvyn Brown

I tried to use the RADIUS protocol for authentication and authorization, but that did not work either.
Router config:

! ACL 101 is the split-tunnel list pushed to clients; ACL 102 selects traffic exempt from NAT
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
! address pool handed out to VPN clients
ip local pool test-pool 192.168.4.1 192.168.4.254
crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac
! group policy for the VPN client group (group name London, pre-shared key cisco)
crypto isakmp client configuration group London
 key cisco
 domain cisco.com
 pool test-pool
 netmask 255.255.255.0
 acl 101
! AAA: TACACS+ server on the inside LAN used for user authentication and group authorization
aaa new-model
tacacs-server host 192.168.1.10
tacacs-server key secret1
aaa group server tacacs+ TACACS1
 server 192.168.1.10
aaa authentication login userauthen group TACACS1
aaa authorization network groupauthor group TACACS1
! IKE phase 1 policy
crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! dynamic crypto map for clients with unknown addresses
crypto dynamic-map dynmap 10
 set transform-set BOSTON
 reverse-route
! crypto map ties Xauth and group authorization to the AAA lists above
crypto map client1 client authentication list userauthen
crypto map client1 isakmp authorization list groupauthor
crypto map client1 client configuration address respond
crypto map client1 20 ipsec-isakmp dynamic dynmap
! outside interface (crypto map applied here)
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 crypto map client1
 no shut
! inside interface
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shut
! NAT exemption for traffic to the VPN pool
route-map nonat permit 10
 match ip address 102
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.2
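As an added example (not part of the post, and not Cisco's code), a small Python checker that reads an IOS remote-access VPN config like the one above and reports dangling cross-references: the AAA list names the crypto map points at, the server group those lists use, the pool and ACL named in the ISAKMP client group, the transform set and dynamic map, and whether the crypto map is applied to any interface. The sample is a constructed subset of the posted config; the function name and its regexes are my own.

```python
import re
def check_vpn_refs(config):
    # Report dangling cross-references in an IOS remote-access VPN config.
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def grab(pattern):  # capture group 1 of every line that matches at its start
        return {m.group(1) for m in map(re.compile(pattern).match, lines) if m}
    defined = {
        "login list": grab(r"aaa authentication login (\S+)"),
        "network list": grab(r"aaa authorization network (\S+)"),
        "server group": grab(r"aaa group server (?:tacacs\+|radius) (\S+)"),
        "pool": grab(r"ip local pool (\S+)"),
        "acl": grab(r"access-list (\d+)"),
        "transform-set": grab(r"crypto ipsec transform-set (\S+)"),
        "dynamic-map": grab(r"crypto dynamic-map (\S+)"),
    }
    used = {
        "login list": grab(r"crypto map \S+ client authentication list (\S+)"),
        "network list": grab(r"crypto map \S+ isakmp authorization list (\S+)"),
        "server group": grab(r"aaa (?:authentication|authorization) \S+ \S+ group (\S+)"),
        "pool": grab(r"pool (\S+)"),  # 'pool'/'acl' sit under the isakmp client group
        "acl": grab(r"acl (\S+)"),
        "transform-set": grab(r"set transform-set (\S+)"),
        "dynamic-map": grab(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    }
    findings = [f"{kind} '{name}' is referenced but never defined"
                for kind in used for name in sorted(used[kind] - defined[kind])]
    # A crypto map that no interface applies never sees the client's ISAKMP packets.
    for name in sorted(grab(r"crypto map (\S+) \S") - grab(r"crypto map (\S+)$")):
        findings.append(f"crypto map '{name}' is defined but applied to no interface")
    return findings
# Constructed sample: the lines of the posted config that these checks read.
SAMPLE = """
ip local pool test-pool 192.168.4.1 192.168.4.254
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac
crypto isakmp client configuration group London
 pool test-pool
 acl 101
aaa group server tacacs+ TACACS1
 server 192.168.1.10
aaa authentication login userauthen group TACACS1
aaa authorization network groupauthor group TACACS1
crypto dynamic-map dynmap 10
 set transform-set BOSTON
crypto map client1 client authentication list userauthen
crypto map client1 isakmp authorization list groupauthor
crypto map client1 20 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 crypto map client1
"""
```

`check_vpn_refs(SAMPLE)` returns an empty list for the posted config; feeding it the output of `show running-config` after a typo in a list name or a missing `crypto map` on the interface produces a one-line finding for each broken link.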