09-25-2006 03:20 AM
Is there any way to pass the VRF ID from the RADIUS for the IPsec client? I require the cisco avpair. I tried ipsec:vrf-id= , ipsec:ip-vrf= and ipsec:vrf= but no success.
Thanks,
Silju
09-25-2006 07:48 AM
I am not aware of the avpair for vrf to be used in ipsec.
Generally we have put in isakmp profiles for our customers in the past.
I hope you have already tried isakmp profiles. If not, here is a link.
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b65.html
HTH-Cheers,
Swaroop
09-28-2006 02:03 AM
Hi Silju,
Ideally you would not need to pass on the VRF attributes to the IPsec client in case you are going in for IPsec remote access integration into MPLS.
The attributes to be passed on from the RADIUS to the IPsec client will be as follows:
cisco-avpair "ipsec:key-exchange=ike" "ipsec:key-exchange=preshared-key" "ipsec:addrpool=xyz" "ipsec:tunnel-password=abc" "ipsec:default-domain=xyz.com" "ipsec:dns-servers=x.x.x.x"
The VRF-specific parameters are to be configured on your IPsec PE as follows:
crypto isakmp profile test
 vrf test
 match identity group test-group
 client authentication list test-group
 isakmp authorization list test-group
 client configuration address initiate
 client configuration address respond
 accounting test
Hope it helps,
Regards,
Amit.
09-28-2006 10:28 PM
Hi Swaroop/Amit,
Thanks for your inputs...
We configured all these parameters. What we were looking for is to match the group and xauth username and password so that a user is logged in only if both parameters match, so that a person belonging to only that particular group will be able to log in.
For example, a user belonging to a group test.com will have the AAA username user1@test.com. Once authenticated by RADIUS, it will recheck the authorization parameters and allow him to log into the VRF. To achieve this you have to pass the ipsec:group-lock=1 parameter from RADIUS in addition to the parameters Amit mentioned.
We cannot pass the vrf info in the ipsec.
Regards,
Silju
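Added example, not part of the thread and not Cisco's implementation: a simplified Python model of the check described above, where ipsec:group-lock=1 ties the xauth username (user1@test.com) to the IKE group (test.com). The function names, the exact-match comparison and the sample attribute list are assumptions made for illustration.

```python
# Simplified model of group-lock enforcement (assumption: illustrative only,
# not IOS code). Attribute names are the ones quoted in the thread.

def parse_avpairs(avpairs):
    """Turn 'ipsec:name=value' strings into a dict; skip anything else."""
    attrs = {}
    for pair in avpairs:
        proto, colon, rest = pair.partition(":")
        name, equals, value = rest.partition("=")
        if proto != "ipsec" or not colon or not equals or not name:
            continue  # other protocol or malformed pair
        attrs[name] = value
    return attrs


def authorize(ike_group, xauth_username, avpairs):
    """Return (allowed, reason) for a user who already passed xauth."""
    attrs = parse_avpairs(avpairs)
    if attrs.get("group-lock") != "1":
        # Without group-lock, any valid user can come in through any group.
        return True, "group-lock not set"
    user, at, group = xauth_username.rpartition("@")
    if not at or not user or not group:
        # Fail closed: a locked group needs a user@group style name.
        return False, "username carries no group suffix"
    if group != ike_group:  # exact match is an assumption of this model
        return False, "user group %r does not match IKE group %r" % (group, ike_group)
    return True, "user group matches IKE group"


# Constructed sample: RADIUS group attributes for the group test.com.
GROUP_ATTRS = [
    "ipsec:addrpool=xyz",
    "ipsec:default-domain=xyz.com",
    "ipsec:group-lock=1",
]

if __name__ == "__main__":
    for name in ("user1@test.com", "user1@other.com", "user1"):
        print(name, authorize("test.com", name, GROUP_ATTRS))
```

The VRF itself still comes from the isakmp profile on the PE, as stated in the thread; this model only covers the user-to-group binding.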