VPN on ISR 1802

ANTONIO DEUS
Level 1

Hello,

Is it possible to configure the ISR 1802 router with VPN so that this device can authenticate and authorize the users without needing an element such as, for example, a Cisco VPN 3000?

Is it possible to use AD (Windows Authentication) or RADIUS to authenticate the VPN users instead of the Cisco VPN 3000? And in that case, how do I configure the router?

Thanks,

António

2 Accepted Solutions

Usually, business-class DSL service IP addresses do not change even though the IP address is assigned dynamically. The ISP registers or reserves the public IP they assign on your DSL connection to your DSL account, so that accounting is easier for the ISP; therefore you will always receive the same IP address from the DSL PPPoE connection with a DSL service provider, even after rebooting the router. This is true in Canada with some of the ISPs I have dealt with.

So, you may check with your local ISP whether this is the case with your business-class DSL service on your branch router.

If this is the case with your local ISP, then you should change the public IP address on ACL 101 to reflect your public IP address and apply it on the dialer interface facing "in".

As for firewall inspection, try to avoid inspecting traffic in both directions and stick with only outgoing traffic, as "ip inspect FW out"; for inside traffic coming in, use ACL 101 instead.

I hope that helps.

Thanks

Rizwan Rafeek


Hello Antonio

Just choose the answers you considered correct and click the Correct Answer button.

Don't forget to rate the answers using the stars

Cheers
Bruno Rangel
Please remember to rate helpful responses using the stars below and identify helpful or correct answers


66 Replies

rizwanr74
Level 7

Can you speak English, so someone can help you here?

Are you looking for a VPN server with Windows RADIUS authentication on an ISR 1802 router?

Hi,

I have one ISR 1802 and need to connect VPN through the ISR. Can the router perform the VPN with authentication without a Cisco VPN 3000 concentrator or other hardware and software? Can I use RADIUS authentication instead of the Cisco VPN 3000 concentrator?

I read chapter 6 - Configuring a VPN Using Easy VPN and an IPSec Tunnel, but the question is: can I replace the Cisco VPN 3000 concentrator with RADIUS (W2K8)? If so, what kind of software do the users (clients) need to use to connect?

Thanks in advance,

António

Yes, the router can send VPN authentication to a RADIUS server and can function as a VPN server without an external concentrator involved.

"can I replace the Cisco VPN 3000 concentrator with RADIUS (W2K8)?"

Sure you can, I do not see a reason why you cannot.

Can you provide a piece of configuration showing how a router can be a VPN server without an external concentrator involved?

If I want to use RADIUS (W2K8), what kind of software do the clients need to use to connect?

Thanks,

Sure, I can help you with config but you have to give me about an hour, as I am helping someone else for the time being.

Your users can use the Cisco standard VPN client.

Thank you.

The following figure shows, in an easy way, what is needed.

About the Cisco standard VPN Client software, I think the users can use it! How much does it cost?

Thank you.

Your attached image is not clear at all.

So, please change the IP schema to reflect your network setup.

-------------------------------------------------------------------------------------------------------------------------

! AAA must be enabled before any method list can be defined
aaa new-model
! VPN user login (Xauth): ask the RADIUS group first; the local user database is used only if no RADIUS server answers
aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local
! Group policy (pool, split-tunnel ACL, ...) is looked up in the local configuration
aaa authorization network ANTONIO-router-ADMIN local


! Addresses handed out to the VPN clients
ip local pool VPN-POOL 192.168.0.11 192.168.0.254


! Only traffic to the inside LAN goes through the tunnel
! (wildcard 0.0.0.255 = the /24; 0.255.255.255 would match all of 10.0.0.0/8)
ip access-list extended SPLIT-TUNNEL
permit ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255

!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2

!
! Easy VPN group: the group name and key are what the VPN client is configured with
crypto isakmp client configuration group ANTONIO-EMPLOYEES
key ANTONIO-PASSWORD
domain ANTONIO.COM
pool VPN-POOL
acl SPLIT-TUNNEL
! save-password lets the client store the Xauth password; omit it if that is not wanted
save-password
!
!

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DYNA-CRYPTO 1
set transform-set ESP-AES-128-SHA
reverse-route

!
!
! Bind the method lists to the crypto map: client authentication = user login, isakmp authorization = group lookup
crypto map OUTSIDE-CRYTPO client authentication list ANTONIO-RADIUS-AUTHENTICATION
crypto map OUTSIDE-CRYTPO isakmp authorization list ANTONIO-router-ADMIN
crypto map OUTSIDE-CRYTPO client configuration address respond
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp dynamic DYNA-CRYPTO


interface FastEthernet0/0
description MY OUTSIDE INTERFACE
ip address xxx.xxx.xxx.xxx 255.255.255.224
crypto map OUTSIDE-CRYTPO
ip nat outside


interface FastEthernet0/1
description MY INSIDE INTERFACE
ip address 10.100.100.2 255.255.255.0
ip virtual-reassembly
speed 100
full-duplex
ip nat inside


! RADIUS requests are sourced from the inside interface address (this is the NAS address the server sees)
ip radius source-interface FastEthernet0/1

! The key must be the same shared secret configured on the RADIUS server; accounting uses UDP 1813, not 1812
radius-server host 10.100.100.100 auth-port 1812 acct-port 1813 key ANTONIO-PASSWORD-KEY

! NAT exemption: LAN <-> VPN-client traffic is denied here so it is not translated and reaches the crypto map untouched.
! The trailing permit is required: an ACL containing only deny entries matches nothing (implicit deny) and would NAT no traffic at all.
ip access-list extended PAT_ACL
deny   ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.100.100.0 0.0.0.255 any


ip nat inside source list PAT_ACL interface FastEthernet0/0 overload

-------------------------------------------------------------------------------------------------------------------------

Thanks

Rizwan Rafeek

Sorry about the image.

You assumed my network was 10.100.100.0/24 (actually it is 192.168.30.0/24).

deny ip 10.100.100.0 0.0.255.255 192.168.0.0 0.0.0.255

Why do you have this line?

permit ip 10.100.100.0 0.255.255.255 192.168.0.0 0.0.0.255

What does this line do?

Thank you.

When your inside network traffic and VPN-client traffic hit the router, they must go through the crypto engine.

Therefore, you tell the router not to PAT-overload this traffic (destined to and from) between these two network segments, so that this traffic will go via the crypto engine instead.

deny ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255

Thanks

Rizwan Rafeek
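To make the NAT-exemption logic concrete, here is an added example (not code from the thread or from Cisco) of a small evaluator for IOS-style extended ACL entries with wildcard masks. It uses the networks from the posted config (LAN 10.100.100.0/24, VPN pool 192.168.0.0/24) as constructed inputs and shows two things a practitioner checks when writing this ACL: that the wildcard mask really covers only the intended subnet, and that a list containing only a deny entry hits the implicit "deny any" for everything else, so the NAT statement that references it would translate no traffic at all until a permit entry is added.

```python
"""Added example (not from the thread): evaluator for IOS-style extended ACL
entries with wildcard masks, used to show what a NAT-exemption ACL does and why
the wildcard mask and the implicit deny matter. Networks are the ones used in
the posted config (LAN 10.100.100.0/24, VPN pool 192.168.0.0/24)."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', so only the 0 bits are compared.
    0.0.0.255 covers one /24; 0.0.255.255 covers a /16; 0.255.255.255 covers a /8."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(entries, src: str, dst: str) -> str:
    """Entries are (action, src_base, src_wildcard, dst_base, dst_wildcard) tuples.
    The first matching entry wins; no match hits the implicit 'deny ip any any'."""
    for action, sbase, swild, dbase, dwild in entries:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"


# Constructed ACLs. 'ip nat inside source list X ... overload' translates a packet
# only when X permits it, so a deny-only list exempts everything from NAT.
DENY_ONLY = [
    ("deny", "10.100.100.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
]
PAT_ACL = DENY_ONLY + [
    ("permit", "10.100.100.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # 'any'
]


def should_nat(entries, src: str, dst: str) -> bool:
    """True when the NAT ACL permits the flow, i.e. the router would PAT it."""
    return acl_lookup(entries, src, dst) == "permit"


if __name__ == "__main__":
    # LAN host to the Internet: translated only once the permit entry exists
    print(should_nat(DENY_ONLY, "10.100.100.5", "8.8.8.8"))    # False
    print(should_nat(PAT_ACL, "10.100.100.5", "8.8.8.8"))      # True
    # LAN host to a VPN client: exempt from NAT so the crypto map sees real addresses
    print(should_nat(PAT_ACL, "10.100.100.5", "192.168.0.20"))  # False
    # An over-wide wildcard also exempts hosts that are not on the LAN at all
    print(wildcard_match("10.100.7.9", "10.100.100.0", "0.0.255.255"))  # True
    print(wildcard_match("10.100.7.9", "10.100.100.0", "0.0.0.255"))    # False
```

The order of the two entries matters: if the permit came first, the LAN-to-VPN flow would be translated before the deny was ever consulted, and the tunnel would see the router's outside address instead of the LAN hosts.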

Can you tell me where these 2 variables, ANTONIO-RADIUS-AUTHENTICATION and ANTONIO-router-ADMIN, are defined?

One of them can be

radius-server host 10.100.100.100 auth-port 1812 acct-port 1812 key ANTONIO-PASSWORD-KEY

Thank you.

All three are global commands.

Define a method list and apply the method list on the static crypto map.

aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local

Now apply it on the static crypto map.

crypto map OUTSIDE-CRYTPO client authentication list ANTONIO-RADIUS-AUTHENTICATION

The same applies to this one as well.
aaa authorization network ANTONIO-router-ADMIN local

" One of them can be

radius-server host 10.100.100.100 auth-port 1812 acct-port 1812 key ANTONIO-PASSWORD-KEY"

The radius-server host line is where you tell the router the IP address of the MS RADIUS server and the key (i.e. password) used to communicate with the RADIUS server.

Hi,

With line (*), when RADIUS is not available I cannot access the router (even though I configured a local username and password).

(*) aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local

If I change it to

aaa authentication login default local group rad_admin

with

aaa group server radius rad_admin

server 192.168.30.1 auth-port 1812 acct-port 1813

Can I access the VPN (with RADIUS available) and access the router?

Thank you.

For router administration you have set this up to use the local account on the router: "aaa authorization network ANTONIO-router-ADMIN local"

Even without VPNing, you should be able to telnet or SSH to your router with your local account on the router.

"With line (*), when RADIUS is not available I cannot access the router (even though I configured a local username and password)."

If your RADIUS is not available, it will fall back onto the local user account,

as we have set below.

aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local
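Two points in this exchange are worth seeing in working code: what the shared key in the radius-server host line actually does on the wire, and what "fall back onto the local user account" means for a method list such as group radius local. The following is an added example, not code from the thread or from Cisco: a minimal RFC 2865 Access-Request/Accept exchange (PAP password hiding and the Response Authenticator, both keyed with the shared secret), a constructed mock RADIUS server, and a model of the IOS method-list rule that the next method is consulted only when a method gives no answer. The shared secret, the user tables and the server are all constructed for the example.

```python
"""Added example (not from the thread): what the router's RADIUS request looks like
on the wire (RFC 2865, PAP), how the shared secret is used, and how the method list
'group radius local' decides when to fall back to the local database. The server,
its user table and the secret are constructed for the example."""
import hashlib
import os
import struct

# Constructed: must be the same string as 'radius-server host ... key ...' on the router
SHARED_SECRET = b"ANTONIO-PASSWORD-KEY"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is chained to the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as the RADIUS server does it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) attributes..."""
    authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed mock server: recovers the password with its copy of the secret and signs
    the reply with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    password = pap_reveal(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def check_response(request: bytes, response, secret: bytes):
    """Router side: returns the response code, or None when there was no reply or the
    Response Authenticator does not verify (a mismatched key looks like a dead server)."""
    if response is None:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if response[4:20] == expected else None

def aaa_login(methods, user: bytes, password: bytes, radius_send, local_users: dict) -> bool:
    """Model of 'aaa authentication login NAME group radius local': methods are tried in
    order, and the next one is consulted only when the current one gives no answer.
    An Access-Reject is an answer, so it does NOT fall through to the local database."""
    for method in methods:
        if method == "group radius":
            request = build_access_request(1, user, password, SHARED_SECRET)
            code = check_response(request, radius_send(request), SHARED_SECRET)
            if code is None:
                continue  # server unreachable (or wrong key): try the next method
            return code == ACCESS_ACCEPT
        if method == "local":
            return local_users.get(user) == password
    return False  # every method errored out: access denied

# Constructed user databases: the VPN user exists only on RADIUS, the admin only locally
RADIUS_USERS = {b"antonio": b"vpn-secret-1"}
LOCAL_USERS = {b"admin": b"local-secret-1"}

def login(user: bytes, password: bytes, radius_up: bool = True) -> bool:
    """Runs the 'group radius local' list against the mock server, or against a dead one."""
    send = (lambda req: radius_server(req, SHARED_SECRET, RADIUS_USERS)) if radius_up else (lambda req: None)
    return aaa_login(["group radius", "local"], user, password, send, LOCAL_USERS)

if __name__ == "__main__":
    print(login(b"antonio", b"vpn-secret-1"))                   # True: accepted by RADIUS
    print(login(b"admin", b"local-secret-1"))                   # False: RADIUS rejects, no fallback
    print(login(b"admin", b"local-secret-1", radius_up=False))  # True: RADIUS down, local used
```

The second case is the one that surprises people: a local-only account is rejected while the RADIUS server is reachable, because the server answers Access-Reject and the list stops there; only a timeout (or a reply that fails the Response Authenticator check, which is what a mismatched key produces) moves on to the local method. The example also shows why the key in the radius-server host line is sensitive: with PAP, MD5 of the secret is all that hides the user's password on the wire, so the RADIUS server should sit on the inside segment the router sources its requests from, as in the posted config.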

Hi,

I'm sorry to be annoying, but where is the code that represents the variables ANTONIO-RADIUS-AUTHENTICATION and ANTONIO-router-ADMIN?

For example, ANTONIO-RADIUS-AUTHENTICATION could be

aaa group server radius ANTONIO-RADIUS-AUTHENTICATION

server 192.168.30.1 auth-port 1812 acct-port 1813

And if ANTONIO-router-ADMIN is local, how do I define it?

Thank you.