Pass VRF id form Radius

siljugpillai
Level 1

Is there any way to pass the VRF ID from RADIUS for an IPsec client? I require the Cisco av-pair. I tried ipsec:vrf-id=, ipsec:ip-vrf= and ipsec:vrf= but with no success.

Thanks,

Silju

3 Replies

swaroop.potdar
Level 7

I am not aware of an av-pair for VRF to be used in IPsec.

Generally we have put it in ISAKMP profiles for our customers in the past.

I hope you have already tried ISAKMP profiles; if not, here is a link.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b65.html

HTH-Cheers,

Swaroop

amitdash
Level 1

Hi Silju,

Ideally you would not need to pass the VRF attributes to the IPsec client in case you are going in for IPsec remote-access integration into MPLS.

The attributes to be passed from RADIUS to the IPsec client will be as follows:

cisco-avpair "ipsec:key-exchange=ike" "ipsec:key-exchange=preshared-key" "ipsec:addrpool=xyz" "ipsec:tunnel-password=abc" "ipsec:default-domain=xyz.com" "ipsec:dns-servers=x.x.x.x"

The VRF-specific parameters are to be configured on your IPsec PE as follows:

crypto isakmp profile test
 ! place clients matching this profile into VRF "test"
 vrf test
 ! match remote-access clients by their IKE group name
 match identity group test-group
 ! XAUTH user authentication via the named AAA list
 client authentication list test-group
 ! group/user authorization via the named AAA list
 isakmp authorization list test-group
 ! push mode-config attributes (address pool etc.) to the client
 client configuration address initiate
 client configuration address respond
 accounting test

Hope it helps,

Regards,

Amit.

Hi Swaroop/Amit,

Thanks for your inputs...

We configured all these parameters. What we were looking for is to match the group and the XAUTH username and password so that a user is logged in only if both parameters match. That way a person belonging only to that particular group will be able to log in.

For example, a user belonging to a group test.com will have the AAA username user1@test.com. Once authenticated by RADIUS it will recheck the authorization parameters and allow him to log into the VRF. To achieve this you have to pass the ipsec:group-lock=1 parameter from RADIUS in addition to the parameters Amit mentioned.

We cannot pass the VRF info in IPsec.

Regards,

Silju
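As an added illustration (not Cisco code and not from anyone in this thread), the script below parses the cisco-avpair values quoted in the replies above and applies the group-lock behaviour Silju describes: with ipsec:group-lock=1 returned by RADIUS, the group suffix of the XAUTH username (user1@test.com gives test.com) must equal the ISAKMP group the client connected with, otherwise the user is refused even after a correct password. The function names, the sample RADIUS reply and the exact string comparison are assumptions made for the example.

```python
# Added example: parse cisco-avpair strings and model the group-lock check.
# Names, the sample reply and the strict string compare are constructed for
# illustration; this is not how IOS is implemented.
from typing import Dict, List, Tuple

# Constructed sample: the av-pairs from Amit's reply plus Silju's group-lock.
SAMPLE_REPLY = [
    "ipsec:key-exchange=ike",
    "ipsec:key-exchange=preshared-key",
    "ipsec:addrpool=xyz",
    "ipsec:tunnel-password=abc",
    "ipsec:default-domain=xyz.com",
    "ipsec:dns-servers=x.x.x.x",
    "ipsec:group-lock=1",
]


def parse_avpairs(avpairs: List[str]) -> Dict[str, List[str]]:
    """Turn 'prefix:name=value' strings into a dict. A name may repeat
    (key-exchange appears twice above), so every value is kept in order."""
    attrs: Dict[str, List[str]] = {}
    for pair in avpairs:
        name, sep, value = pair.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed av-pair: {pair!r}")
        attrs.setdefault(name, []).append(value)
    return attrs


def group_lock_enabled(attrs: Dict[str, List[str]]) -> bool:
    """group-lock is on only when the attribute is present with value 1;
    if it is repeated, the last value wins."""
    return attrs.get("ipsec:group-lock", ["0"])[-1] == "1"


def authorize(username: str, isakmp_group: str,
              attrs: Dict[str, List[str]], password_ok: bool) -> Tuple[bool, str]:
    """Decide whether a remote-access user may be placed in the VRF tied to
    the ISAKMP profile. Authentication (password_ok) comes first; with
    group-lock set, the user@group suffix must also match the IKE group."""
    if not password_ok:
        return False, "authentication failed"
    if group_lock_enabled(attrs):
        user, at, user_group = username.rpartition("@")
        if not at or not user or not user_group:
            return False, "group-lock: username carries no @group suffix"
        if user_group != isakmp_group:  # assumption: exact, case-sensitive compare
            return False, f"group-lock: {user_group!r} is not the IKE group {isakmp_group!r}"
    return True, "authorized"


if __name__ == "__main__":
    attrs = parse_avpairs(SAMPLE_REPLY)
    for name, group in [("user1@test.com", "test.com"),
                        ("user1@test.com", "other.com"),
                        ("user1", "test.com")]:
        print(name, group, authorize(name, group, attrs, True))
```

Without the ipsec:group-lock attribute the same mismatched user would be admitted, which is the gap Silju's follow-up closes: the ISAKMP profile alone matches the IKE group, and only group-lock ties the XAUTH identity to that group.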
