Cisco Support Community
New Member

Pass VRF id from Radius

Is there any way to pass the VRF ID from the radius for ipsec client? I require the cisco avpair. I tried ipsec:vrf-id=, ipsec:ip-vrf= and ipsec:vrf= but no success.

Thanks,

Silju

3 REPLIES

Re: Pass VRF id from Radius

I am not aware of the avpair for vrf to be used in ipsec.

Generally we have put in isakmp profiles for our customer in the past.

I hope you must have already tried isakmp profiles. If not, here is a link.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b65.html

HTH-Cheers,

Swaroop

New Member

Re: Pass VRF id from Radius

Hi Silju,

Ideally you would not need to pass on the vrf attributes to the ipsec client in case you are going in for IPSEC remote access integration into mpls.

The attributes to be passed on from the radius to the ipsec client will be as follows:

cisco-avpair "ipsec:key-exchange=ike" "ipsec:key-exchange=preshared-key" "ipsec:addrpool=xyz" "ipsec:tunnel-password=abc" "ipsec:default-domain=xyz.com" "ipsec:dns-servers=x.x.x.x"

The vrf specific parameters are to be configured on your IPSEC PE as follows:

crypto isakmp profile test
 vrf test
 match identity group test-group
 client authentication list test-group
 isakmp authorization list test-group
 client configuration address initiate
 client configuration address respond
 accounting test

Hope it helps,

Regards,

Amit.

New Member

Re: Pass VRF id from Radius

Hi Swaroop/Amit,

Thanks for your inputs...

We configured all these parameters. What we were looking for is to match the group and xauth username and password so that a user is logged in only if both parameters match, so that a person belonging to only that particular group will be able to log in.

For example, a user belonging to a group test.com will have AAA username as user1@test.com. Once authenticated by radius it will recheck the authorization parameters and allow him to log into the vrf. To achieve this you have to pass ipsec:group-lock=1 parameter from radius in addition to the parameters Amit mentioned.

We cannot pass the vrf info in the ipsec.

Regards,

Silju
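
An added example, not part of the thread and not Cisco's code: a small Python audit of a RADIUS group profile against the points made in the posts above (ipsec:group-lock=1 present, none of the VRF AV pairs the thread reports as not working), plus a model of the user@group match. The sample profiles and function names are constructed for illustration, and the exact string comparison on the part after "@" is an assumption about how the match is applied.

```python
import re

# VRF AV pairs the original poster tried without success; the VRF is
# selected by the "vrf" line of the ISAKMP profile on the PE instead.
UNSUPPORTED_VRF_KEYS = {"vrf-id", "ip-vrf", "vrf"}

def parse_avpairs(profile_text):
    """Return {key: [values]} for every quoted "ipsec:key=value" token."""
    pairs = {}
    for key, value in re.findall(r'"ipsec:([^="]+)=([^"]*)"', profile_text):
        pairs.setdefault(key, []).append(value)
    return pairs

def audit_group_profile(profile_text):
    """List findings for a group profile; an empty list means it passes."""
    pairs = parse_avpairs(profile_text)
    findings = []
    if pairs.get("group-lock") != ["1"]:
        findings.append("ipsec:group-lock=1 not set: xauth user is not tied to the group")
    for key in sorted(UNSUPPORTED_VRF_KEYS & pairs.keys()):
        findings.append(f"ipsec:{key} present: VRF is not passed via RADIUS, "
                        "configure it in the ISAKMP profile")
    return findings

def group_lock_allows(xauth_username, ike_group):
    """Model of the check described above: user1@test.com may only log in
    through group test.com (exact match is an assumption)."""
    user, sep, group = xauth_username.rpartition("@")
    return bool(user) and sep == "@" and group == ike_group

# Constructed sample profiles based on the attribute list in the thread.
GOOD_PROFILE = ('cisco-avpair "ipsec:key-exchange=ike" "ipsec:addrpool=xyz" '
                '"ipsec:tunnel-password=abc" "ipsec:default-domain=xyz.com" '
                '"ipsec:dns-servers=x.x.x.x" "ipsec:group-lock=1"')
BAD_PROFILE = ('cisco-avpair "ipsec:key-exchange=ike" "ipsec:addrpool=xyz" '
               '"ipsec:tunnel-password=abc" "ipsec:vrf-id=test"')

if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, audit_group_profile(profile) or "OK")
    for user in ("user1@test.com", "user1@other.com", "user1"):
        print(user, "->", group_lock_allows(user, "test.com"))
```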
