Hi
I have a central Easy VPN server with a number of remote sites connecting into it.
At the central site I've got a 2811 with 837s at the remote sites. At the moment I'm authenticating the remote clients on the 2811, using Xauth with the "save password" facility.
I want to use a central ACS server to manage these clients, using TACACS+. Unfortunately this does not work. I tried using RADIUS and it works fine; exactly the same AAA setup except replace "tacacs+" with "radius".
Something like this: -
! Xauth user authentication: ask the RADIUS group first, fall back to the local database
aaa authentication login userauthen group radius local
! Group (ISAKMP) authorization from the local configuration
aaa authorization network groupauthor local
! Bind the method lists and mode-config address assignment to the crypto map
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
! RADIUS server the 2811 queries (shared secret redacted)
radius-server host 192.168.1.30 auth-port 1645 acct-port 1646 key XXXXXX
I've got 3 questions: -
1) Is TACACS supported with what I want to do? I can't find any configs on Cisco using this method.
2) I've done some testing. If the 2811 loses sight of the AAA server then I want it to default to local authentication. This is not working. Is there something else I need to add to the config to enable this?
3) When the AAA server comes back up, and I pull down all the VPNs, the remote site tunnels don't come back up again. The 2811 sits there trying to Xauth the clients. Is there a timeout/retries that need to be configured? So far the only way I've found to fix this is to reboot the routers (central and remote).
Thanks
Simon
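Added example, not part of Simon's post: a fuller Easy VPN server configuration for the 2811 built around the same method lists and crypto map names he uses, with the timers that govern the behaviour his questions 2 and 3 describe. The IP addresses, shared secrets, group name, pool and transform set are placeholders, and the syntax assumes a 12.4-era IOS Easy VPN server. One point the example relies on: an IOS method list only moves on to the next method (here "local") when a server returns an error, i.e. it is unreachable after the configured timeout and retransmits; a reject from a reachable server is final. The deadtime setting keeps later Xauth attempts from each waiting out the full retransmit cycle while the server is down.

```cisco
! Added example: Easy VPN server with RADIUS-backed Xauth, local fallback,
! dead-server detection and DPD. Placeholder values throughout.
aaa new-model
!
! Local account used only when the RADIUS server is unreachable
username vpnfallback secret PLACEHOLDER-LOCAL-SECRET
!
! Method lists: "local" is tried only after RADIUS times out, never after a reject
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
!
! RADIUS server, with a bounded wait before fallback and a deadtime so the
! server is skipped for 5 minutes once it has been found unreachable
radius-server host 192.168.1.30 auth-port 1645 acct-port 1646 key XXXXXX
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 5
!
! Same lists as the poster tried with TACACS+ would read:
!   aaa authentication login userauthen group tacacs+ local
!   tacacs-server host 192.168.1.30 key XXXXXX
!
! Phase 1 policy for the pre-shared-key group
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Seconds the server waits for the client's Xauth reply before failing it
crypto isakmp xauth timeout 30
! Dead Peer Detection: probe every 10 s, retry every 3 s, so stale SAs are
! torn down instead of leaving a tunnel that never renegotiates
crypto isakmp keepalive 10 3 periodic
!
crypto isakmp client configuration group remotes
 key PLACEHOLDER-GROUP-KEY
 pool vpnpool
!
ip local pool vpnpool 10.10.10.1 10.10.10.50
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ESP-AES-SHA
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
```

With the timeout and retransmit values above the worst case before "local" is consulted is about 3 s x (1 + 2) = 9 s per server, which fits inside the 30 s Xauth timer; the poster's own defaults (5 s timeout, 3 retransmits) would not, so the Xauth exchange can expire before fallback ever happens.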