Cisco Support Community

New Member

VPN Client 3.5 config with IOS Router--Crypto Map---Question????

I have a little problem understanding a few lines of the configuration when I have configured the Cisco VPN Client ver 3.5 on a Win2k PC with a Cisco IOS Router. The confusion is with the following two lines:

!

crypto map myclientmap client authentication list vpnusers

crypto map myclientmap isakmp authorization list vpngroup

!

The function of these two lines is clear to me when I have configured the VPN Client on Router with aaa-new model. When I remove the aaa-new model authentication then still VPN Client is able to connect, but when I remove these two lines or even one of these two lines then VPN Client is not able to connect.

My question is: why do we need these two lines when we are not using any aaa-model for authentication? What is the function of these two lines? I have tried to understand this but found no clue.

Will anybody remove this confusion for me?

Thanks

Arshad

1 REPLY
Cisco Employee

Re: VPN Client 3.5 config with IOS Router--Crypto Map---Question

crypto map myclientmap client authentication list vpnusers

This is for user authentication of the VPN connection, i.e. what we call xauth.

If you don't have aaa configured either pointing to local or a radius server then your method list is basically pointing to none, thus there would be no user authentication, just group authentication.

crypto map myclientmap isakmp authorization list vpngroup

This is for group authentication, and within the group itself you define the parameters in mode config, i.e. things you push to the client, like IP address, DNS, WINS and the like. Again, if you don't define aaa it defaults to local, so you define it locally; you could also define the group externally.

More info on:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ftunity.htm
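
An added example, not part of the original thread, showing how the two crypto map lines tie to AAA method lists and to a locally defined group carrying the mode-config parameters. Only myclientmap, vpnusers and vpngroup come from the thread; the user, group, pool, transform-set and interface names, the keys, the addresses and the algorithm choices are placeholders assumed for illustration.

```cisco
! Constructed example: names other than myclientmap, vpnusers and vpngroup,
! and all keys, addresses and algorithm choices, are placeholders.
aaa new-model
! Method list named by "client authentication list": Xauth user login,
! checked against the local username database.
aaa authentication login vpnusers local
! Method list named by "isakmp authorization list": group lookup,
! resolved against locally defined client configuration groups.
aaa authorization network vpngroup local
!
username exampleuser password EXAMPLE-USER-PASSWORD
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! The group the client names when it connects; the key is the group
! password, and dns/wins/pool are the mode-config values pushed to it.
crypto isakmp client configuration group examplegroup
 key EXAMPLE-GROUP-KEY
 dns 192.0.2.10
 wins 192.0.2.11
 pool vpnpool
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
! Xauth (per-user) and group authorization are bound to the map by name.
crypto map myclientmap client authentication list vpnusers
crypto map myclientmap isakmp authorization list vpngroup
crypto map myclientmap client configuration address respond
crypto map myclientmap 10 ipsec-isakmp dynamic dynmap
!
ip local pool vpnpool 192.0.2.100 192.0.2.150
!
interface FastEthernet0/0
 crypto map myclientmap
```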
