I have a central Easy VPN server with a number of remote sites connecting into it.
At the central site I've got a 2811 with 837s at the remote sites. At the moment I'm authenticating the remote clients on the 2811, using Xauth with the "save password" facility.
I want to use a central ACS server to manage these clients, using TACACS+. Unfortunately this does not work. I tried using RADIUS and it works fine: exactly the same aaa setup except replace "tacacs+" with "radius".
Something like this:
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
1) Is TACACS supported with what I want to do? I can't find any configs on Cisco using this method.
2) I've done some testing... if the 2811 loses sight of the AAA server then I want it to default to local authentication. This is not working. Is there something else I need to add to the config to enable this?
3) When the AAA server comes back up, and I pull down all the VPNs, the remote site tunnels don't come back up again. The 2811 sits there trying to Xauth the clients. Is there a timeout/retries that need to be configured? So far the only way I've found to fix this is to reboot the routers (central and remote).
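As an added illustration (not part of the original post, and not a confirmed fix for it), this is how the same method lists look with TACACS+ and an explicit server timeout, so that fallback to the local database engages when the server is unreachable; the server address, key and local username are placeholders. Note that IOS method lists only fall through to the next method on an ERROR (server unreachable), never on a FAIL (server answered and rejected the user), so a rejected password will not be retried against the local database.

```cisco
! Added example, not the poster's running config.
! Placeholder values: server 192.0.2.10, key TACACS-KEY, user vpnadmin.
aaa new-model
!
! Legacy-style TACACS+ server definition with a short timeout so the
! router declares the server unreachable quickly (default is 5 s).
tacacs-server host 192.0.2.10 key TACACS-KEY
tacacs-server timeout 3
!
! Xauth user authentication: TACACS+ first, local only if the server
! cannot be reached (ERROR), not if it rejects the user (FAIL).
aaa authentication login userauthen group tacacs+ local
!
! Group (network) authorization for the Easy VPN group policy kept local.
aaa authorization network groupauthor local
!
! Local fallback account used when the ACS is unreachable.
username vpnadmin secret VPNADMIN-PLACEHOLDER
!
! Bound Xauth wait so a client stuck in Xauth is failed and can retry,
! instead of sitting indefinitely; DPD clears dead peers from the SA table.
crypto isakmp xauth timeout 30
crypto isakmp keepalive 10 periodic
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
```

To confirm which path an Xauth attempt took, `debug aaa authentication` together with `debug tacacs` shows whether the TACACS+ request timed out (fall-through to local) or was answered with a reject (no fall-through).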