Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

which aaa directives for what?

Hi out there

I am trying to get a AAA Radius server (freeradius 2.0.10 with MySql)  up and run which I need to use for authentication and authorazition of EZVPN clients from remote routers running in network extension mode.

I have tried many of the samples presented by cisco but I am a bit in doubt what aaa directive influence on this and that - so - are there some which can help?

When my ezvpn clients - a remote cisco router running 15.x ios is loggin in on my central vpn router i have to get it authenticated. I am using a virtual template tunnel interface which I want to clone for each router connecting in.

this I expect is done by :

                    aaa authentication login vpnlist group RadiusServers local

This forces the centralrouter to ask for authentication and seems to work

But - I have several AVPairs I want to push out there and as far as I can see i get them returned by the radiusserver but not applied?

Where do I force these settings to be applied to the incoming clients interface - is this done by the crypto-isakmp profile or the virtual template? - I can push a static set of values through the virtual template - but I want to specify them from the AVPairs defined either from the group or user settings

here is the output from my radius server in debug mode when my remote client logs in:

++[exec] returns noop

Sending Access-Accept of id 163 to port 1645

        Service-Type = Outbound-User

        Tunnel-Type:0 = ESP

        Tunnel-Password:0 = "cisco"

        Cisco-AVPair += "ipsec:key-exchange=ike"

        Cisco-AVPair += "ipsec:key-exchange=preshared-key"

        Cisco-AVPair += "ipsec:user-save-password=1"

        Cisco-AVPair += "ipsec:user-vpn-group=adpex-ezvpn"

        Cisco-AVPair += "ip:interface-config=ip vrf forwarding dk-ae-01

How do I define this?

best regards /ti

Everyone's tags (3)
CreatePlease login to create content