01-23-2012 04:50 AM - edited 03-21-2019 06:46 PM
Hello,
Is it possible to configure the ISR 1802 router with VPN so that this device can authenticate and authorize users without requiring an element such as a Cisco VPN 3000?
Is it possible to use AD (Windows Authentication) or RADIUS to authenticate VPN users instead of the Cisco VPN 3000? And in that case, how should the router be configured?
Thank you,
António
Solved! Go to Solution.
on 02-24-2012 06:24 AM
Usually a business-class DSL service IP address does not change even though this IP address is assigned dynamically. The ISP registers or reserves the public IP it assigns on your DSL connection to your DSL account, so that accounting is easier for the ISP; therefore you will always receive the same IP address from a DSL PPPoE connection with a DSL service provider, even after rebooting the router. This is true in Canada with some of the ISPs I have dealt with.
So, you may check with your local ISP whether this is the case with your business-class DSL service on your branch router.
If this is the case with your local ISP, then you should change the public IP address to reflect your public IP address in ACL 101 and apply it on the dialer interface facing "in".
As for firewall inspection, try to avoid inspecting traffic in both directions and stick with only outgoing traffic as "ip inspect FW out"; for the inside traffic coming in, use ACL 101 instead.
I hope that helps.
Thanks
Rizwan Rafeek
on 09-02-2012 05:48 AM
Hello Antonio
Just choose the answers you considered correct and click the Correct Answer button.
Don't forget to rate the answers, using the stars
on 01-23-2012 06:29 AM
Can you speak English, so someone can help you here?
Are you looking for a VPN server with Windows RADIUS authentication on an ISR 1802 router?
on 01-23-2012 06:56 AM
Hi,
I have one ISR 1802 and need to connect a VPN through the ISR. Can the router perform the VPN with authentication without a Cisco VPN 3000 concentrator or other hardware and software? Can I use RADIUS authentication instead of the Cisco VPN 3000 concentrator?
I read chapter 6, "Configuring a VPN Using Easy VPN and an IPSec Tunnel", but the question is: can I replace the Cisco VPN 3000 concentrator with RADIUS (W2K8)? If so, what kind of software do the users (clients) need to use to connect?
Thanks in advance,
António
on 01-23-2012 07:09 AM
Yes, the router can send VPN authentication to a RADIUS server and can function as a VPN server without an external concentrator involved.
"Can I replace the Cisco VPN 3000 concentrator with RADIUS (W2K8)?"
Sure you can; I do not see a reason why you cannot.
on 01-23-2012 07:14 AM
Can you provide a piece of configuration showing how to make the router a VPN server without an external concentrator involved?
If I want to use RADIUS (W2K8), what kind of software do the clients need to use to connect?
Thanks,
on 01-23-2012 07:38 AM
Sure, I can help you with the config, but you have to give me about an hour, as I am helping someone else for the time being.
Your users can use the standard Cisco VPN client.
on 01-23-2012 07:52 AM
on 01-23-2012 09:30 AM
Your attached image is not clear at all.
So, please change the IP schema to reflect your network setup.
-------------------------------------------------------------------------------------------------------------------------
! Xauth for VPN users: RADIUS first, local accounts only if RADIUS is unreachable
aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local
! Group attributes (pool, split-tunnel ACL, key) are stored on the router itself
aaa authorization network ANTONIO-router-ADMIN local
ip local pool VPN-POOL 192.168.0.11 192.168.0.254
ip access-list extended SPLIT-TUNNEL
 permit ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ANTONIO-EMPLOYEES
 key ANTONIO-PASSWORD
 domain ANTONIO.COM
 pool VPN-POOL
 acl SPLIT-TUNNEL
 save-password
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DYNA-CRYPTO 1
 set transform-set ESP-AES-128-SHA
 reverse-route
!
crypto map OUTSIDE-CRYTPO client authentication list ANTONIO-RADIUS-AUTHENTICATION
crypto map OUTSIDE-CRYTPO isakmp authorization list ANTONIO-router-ADMIN
crypto map OUTSIDE-CRYTPO client configuration address respond
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp dynamic DYNA-CRYPTO
!
interface FastEthernet0/0
 description MY OUTSIDE INTERFACE
 ip address xxx.xxx.xxx.xxx 255.255.255.224
 ip nat outside
 crypto map OUTSIDE-CRYTPO
!
interface FastEthernet0/1
 description MY INSIDE INTERFACE
 ip address 10.100.100.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip radius source-interface FastEthernet0/1
radius-server host 10.100.100.100 auth-port 1812 acct-port 1812 key ANTONIO-PASSWORD-KEY
!
! Exclude LAN-to-VPN-pool traffic from PAT so it goes through the crypto engine,
! then translate everything else leaving the LAN
ip access-list extended PAT_ACL
 deny ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.100.100.0 0.0.0.255 any
ip nat inside source list PAT_ACL interface FastEthernet0/0 overload
-------------------------------------------------------------------------------------------------------------------------
Thanks
Rizwan Rafeek
on 01-23-2012 09:44 AM
on 01-23-2012 09:58 AM
When your inside network traffic and VPN-client traffic hit the router, it must go through the crypto engine.
Therefore, you tell the router not to PAT-overload this traffic (destined to and from) between these two network segments, so that this traffic will go via the crypto engine instead.
deny ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
Thanks
Rizwan Rafeek
on 01-23-2012 12:33 PM
Can you tell me where these 2 variables, ANTONIO-RADIUS-AUTHENTICATION and ANTONIO-router-ADMIN, are defined?
One of them could be
radius-server host 10.100.100.100 auth-port 1812 acct-port 1812 key ANTONIO-PASSWORD-KEY
Thank you.
on 01-23-2012 12:43 PM
All three are global commands.
Define a method and apply the method on the static crypto map.
aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local
Now apply it on the static crypto map.
crypto map OUTSIDE-CRYTPO client authentication list ANTONIO-RADIUS-AUTHENTICATION
The same applies to this as well.
aaa authorization network ANTONIO-router-ADMIN local
"One of them could be
radius-server host 10.100.100.100 auth-port 1812 acct-port 1812 key ANTONIO-PASSWORD-KEY"
In the radius-server host line is where you tell the router the IP address of the MS RADIUS server and the key (i.e. password) used to communicate with the RADIUS server.
on 01-23-2012 02:42 PM
Hi,
With line (*), when the RADIUS server is not available I cannot access the router (even though I configured a local username and password).
(*) aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local
If I change it to
aaa authentication login default local group rad_admin
with
aaa group server radius rad_admin
server 192.168.30.1 auth-port 1812 acct-port 1813
Can I access the VPN (with RADIUS available) and access the router?
Thank you.
on 01-23-2012 07:36 PM
For router administration you have set this up to use the local account on the router: "aaa authorization network ANTONIO-router-ADMIN local"
Even without VPNing, you should be able to telnet or SSH to your router with your local account on the router.
"With line (*), when the RADIUS server is not available I cannot access the router (even though I configured a local username and password)."
If your RADIUS server is not available, it will fall back onto the local user account,
as we have set below.
aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local
on 01-24-2012 03:17 AM
Hi,
I'm sorry to be annoying, but where is the code that represents the variables ANTONIO-RADIUS-AUTHENTICATION and ANTONIO-router-ADMIN?
For example, ANTONIO-RADIUS-AUTHENTICATION could be
aaa group server radius ANTONIO-RADIUS-AUTHENTICATION
server 192.168.30.1 auth-port 1812 acct-port 1813
And if ANTONIO-router-ADMIN is local, how do I define it?
Thank you.
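Added example, not from any poster in this thread: the fragment below shows how the two named method lists from the earlier reply are defined and tied to the crypto map, and gives the console and VTY lines their own login list so that router management does not share the VPN list. The RADIUS server address and key reuse the values from the earlier config; the local username and the MGMT-LOGIN list name are assumptions, and every password is a placeholder.

```cisco
! Added example, not from any poster in this thread. Reuses the RADIUS
! server and key from the earlier config; the local username and the
! MGMT-LOGIN list name are assumptions, and every password is a placeholder.
aaa new-model
!
! The RADIUS server that VPN user credentials are checked against
radius-server host 10.100.100.100 auth-port 1812 acct-port 1813 key ANTONIO-PASSWORD-KEY
ip radius source-interface FastEthernet0/1
!
! Local fallback account. A later method in a list is tried only when the
! earlier one returns no answer (server unreachable), never when it rejects
! the user, so this account does not bypass RADIUS while RADIUS is up.
username vpnadmin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! 1) Xauth list for VPN users: RADIUS first, local only if RADIUS is down
aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local
!
! 2) Network authorization list: the Easy VPN group attributes (pool,
!    split-tunnel ACL, pre-shared key) are kept on the router, hence "local"
aaa authorization network ANTONIO-router-ADMIN local
!
! 3) A separate list for router management, so console/VTY login behaviour
!    can be changed without touching the VPN list
aaa authentication login MGMT-LOGIN group radius local
!
line con 0
 login authentication MGMT-LOGIN
line vty 0 4
 login authentication MGMT-LOGIN
 transport input ssh
!
! Tie lists 1 and 2 to the static crypto map, as in the earlier config
crypto map OUTSIDE-CRYTPO client authentication list ANTONIO-RADIUS-AUTHENTICATION
crypto map OUTSIDE-CRYTPO isakmp authorization list ANTONIO-router-ADMIN
```

After applying it, `test aaa group radius <user> <password> new-code` confirms from the router CLI that the RADIUS server answers before any VPN client depends on it.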