Cisco Support Community

Combining MODECFG attributes from isakmp group and user profile

Hello,

I'm trying to combine the MODECFG attributes from the user profile from RADIUS with the attributes from the isakmp group on the VPN device (3845 security bundle with IOS 12.4(9)T). Unfortunately it's not working.

If I put all the attributes in the user profile, the client receives all the attributes.

If I put all the attributes in the "isakmp client configuration group", the client receives all the attributes.

When I combine both (user profile and "isakmp client configuration group"), the client receives only the user profile attributes.

An article on Cisco Press indicates that it is possible to combine both:

http://www.ciscopress.com/articles/article.asp?p=421514&seqNum=3&rl=1

> The attributes may also be applied on a per-user basis.
> A user attribute overrides a group attribute value.
> These attributes are retrieved at the time user authentication
> occurs using XAUTH, and are then combined with group
> attributes and applied during Mode-Configuration.

Any idea why it is not working?

Thanks in advance

Laurence

RADIUS configuration for user user7:

user7 Password = "passwd"
    ipsec:addr-pool=group99
    ipsec:default-domain=domain.domain

Device configuration:

aaa new-model
!
!
aaa group server radius USERAUTHENGROUPRADIUS
 server x.x.x.x auth-port 1812 acct-port 1813
!
aaa authentication login userauthen group USERAUTHENGROUPRADIUS local
aaa authorization network groupauthor local
crypto isakmp client configuration group vpngroup0
 key cisco
 dns x.x.x.x
 domain domain.domain
 max-logins 1
 acl SPLIT-TUNNEL
crypto ipsec transform-set vpntransformset esp-aes 256 esp-sha-hmac
!
crypto dynamic-map vpndynamicmap 10
 set transform-set vpntransformset
 reverse-route
!
!
crypto map vpnclientmap client authentication list userauthen
crypto map vpnclientmap isakmp authorization list groupauthor
crypto map vpnclientmap client configuration address respond
crypto map vpnclientmap 10 ipsec-isakmp dynamic vpndynamicmap
