01-01-2010 09:37 PM - edited 02-21-2020 04:26 PM
Hi folks,
I'm a bit stumped trying to find the proper information, or rather a guide, to understand how to configure authorization for IPSec remote VPN on an IOS router. Some Cisco configuration examples say it should be as follows:
aaa authorization network SOMENAME local
crypto map CLIENTMAP isakmp authorization list SOMENAME
How does it work in the first place if I don't use local database for authentication requests?
There's radius group configured on the router and then users successfully authenticate against the external identity store.
aaa authentication login VPNUSERAUTHEN group radius
aaa authorization exec default local
aaa authorization network VPNGROUPAUTHOR local
crypto map CLIENTMAP client authentication list VPNUSERAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNGROUPAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp dynamic DYNMAP
Why do we have to use local database for authorizations? If I want to use the list associated with radius server what return attributes I will need to configure with the radius profile?
Can someone refer me to the proper documentation elaborating how everything ties up together?
Eugene
01-02-2010 10:39 PM
Hey Eugene.
Authorization can be used in scenarios like an EzVPN deployment where you use isakmp profiles to deploy client level attributes. In this case the `isakmp authorization list` command is used as a Network Authorization Server for receiving Phase 1 pre-shared keys and other attribute-value (AV) pairs.
Hope this clears it up for you. Happy new years :-)
01-03-2010 12:11 AM
Hi Kent,
I really appreciate your shedding more light on my question.
It does make a little sense to me and I would understand the EasyVPN scenario, but I use the remote IPSec VPN client. And the pre-shared key is configured at the client side. Does it mean that if I use the "local" list, all possible AV pairs would be, for example, an ACL that defines split-tunneling? And if I don't use "local" but configure those AV pairs at the AAA server, I can use the same method list pointing to the RADIUS server?
Any good source to read about it?
Eugene
And Happy New Year to you too!!!
01-03-2010 02:35 AM
Yes, you are correct in stating that instead of using local attributes and a LOCAL list, you can point it to a radius server which contains AV pairs.
You can find most of this stuff on CCO if you search it. Try to search for EzVPN authorization or something like that. Also the command reference guide will shed some light as well as to what the commands themselves actually accomplish.
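An added example, not posted by anyone in this thread, showing the direction Kent describes: the router's network authorization list points at RADIUS instead of local, and a FreeRADIUS users entry returns the group's AV pairs (including the group pre-shared key the client is configured with and the ACL that defines split tunneling). The server address, shared secret, pool, ACL number and group name are placeholders; the Cisco-AVPair values are the ones documented for the IOS Easy VPN server and should be checked against the command reference for your IOS release.

```text
! Router side (Cisco IOS): group authorization now goes to RADIUS, not local
aaa new-model
radius-server host 192.0.2.10 key RADIUS-SHARED-SECRET   ! placeholder server and secret
!
aaa authentication login VPNUSERAUTHEN group radius      ! Xauth for the user
aaa authorization network VPNGROUPAUTHOR group radius    ! group attributes from RADIUS
!
ip local pool VPNPOOL 10.10.10.1 10.10.10.50             ! placeholder client pool
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255   ! split-tunnel ACL
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10
 set transform-set TS
 reverse-route
!
crypto map CLIENTMAP client authentication list VPNUSERAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNGROUPAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp dynamic DYNMAP

# RADIUS side (FreeRADIUS "users" file): the router looks the group up by its
# name with the fixed password "cisco"; this entry takes the place of a local
# "crypto isakmp client configuration group VPNGROUP" block. Placeholder values.
VPNGROUP   Cleartext-Password := "cisco"
           Service-Type = Outbound,
           Cisco-AVPair += "ipsec:tunnel-password=GROUP-PRESHARED-KEY",
           Cisco-AVPair += "ipsec:key-exchange=preshared-key",
           Cisco-AVPair += "ipsec:addr-pool=VPNPOOL",
           Cisco-AVPair += "ipsec:inacl=101"
```

With this in place the same RADIUS server that answers Xauth for users also supplies the group policy, so nothing about the group has to live in the router's local database.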