Pass VRF id from Radius

siljugpillai
Level 1

Is there any way to pass the VRF ID from the radius for ipsec client? I require the cisco avpair. I tried ipsec:vrf-id=, ipsec:ip-vrf= and ipsec:vrf= but no success.

Thanks,

Silju

3 Replies

swaroop.potdar
Level 7

I am not aware of the avpair for vrf to be used in ipsec.

Generally we have put it in isakmp profiles for our customers in the past.

I hope you must have already tried isakmp profiles. If not, here is a link.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b65.html

HTH-Cheers,

Swaroop

amitdash
Level 1

Hi Silju,

Ideally you would not need to pass on the vrf attributes to the ipsec client in case you are going in for IPSEC remote access integration into mpls.

The attributes to be passed on from the radius to the ipsec client will be as follows:

cisco-avpair "ipsec:key-exchange=ike" "ipsec:key-exchange=preshared-key" "ipsec:addrpool=xyz" "ipsec:tunnel-password=abc" "ipsec:default-domain=xyz.com" "ipsec:dns-servers=x.x.x.x"

The vrf specific parameters are to be configured on your IPSEC PE as follows:

crypto isakmp profile test
 ! the VRF is bound to the profile on the PE, not sent by RADIUS
 vrf test
 ! clients presenting ISAKMP group "test-group" select this profile
 match identity group test-group
 ! XAUTH user authentication and group authorization via the AAA lists
 client authentication list test-group
 isakmp authorization list test-group
 client configuration address initiate
 client configuration address respond
 accounting test

Hope it helps,

Regards,

Amit.

Hi Swaroop/Amit,

Thanks for your inputs...

We configured all these parameters. What we were looking for is to match the group and xauth username and password so that a user is logged in only if both parameters match, so that a person belonging to only that particular group will be able to log in.

For eg, a user belonging to a group test.com will have AAA username as user1@test.com. Once authenticated by radius it will recheck the authorization parameters and allow him to log into the vrf. To achieve this you have to pass ipsec:group-lock=1 parameter from radius in addition to the parameters Amit mentioned.

We cannot pass the vrf info in the ipsec.

Regards,

Silju
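As an added illustration of the two pieces discussed in this thread (Amit's list of cisco-avpair attributes returned for the group, and Silju's ipsec:group-lock=1 requirement that the XAUTH username's "@group" suffix match the ISAKMP group the client used), here is a small Python model of how an ISAKMP profile would consume such a RADIUS reply. This is not Cisco IOS code or anything from the thread; the avpair list and the DNS server value 192.0.2.53 are constructed sample data, and the function names are my own.

```python
"""Model of cisco-avpair handling for an IPsec remote-access (Easy VPN) group.

Two things are shown: parsing the "ipsec:<name>=<value>" strings a RADIUS
server returns for the group, and the group-lock rule from the thread:
with ipsec:group-lock=1 the XAUTH username must be user@group and the
suffix must equal the ISAKMP group name the client presented.  Added
example only; the real check is done inside IOS.
"""
from typing import Dict, List, Tuple

# Constructed sample RADIUS reply for the group, modelled on the thread's
# attribute list plus group-lock.  Not a capture from a real server.
GROUP_PROFILE_AVPAIRS: List[str] = [
    "ipsec:key-exchange=ike",
    "ipsec:key-exchange=preshared-key",
    "ipsec:addrpool=xyz",
    "ipsec:tunnel-password=abc",
    "ipsec:default-domain=xyz.com",
    "ipsec:dns-servers=192.0.2.53",   # constructed placeholder value
    "ipsec:group-lock=1",
]


def parse_cisco_avpairs(avpairs: List[str]) -> Dict[str, List[str]]:
    """Collect 'ipsec:<name>=<value>' pairs into name -> list of values.

    A name may legitimately repeat (key-exchange above), so every value is
    kept in order.  Anything that is not an ipsec avpair is rejected rather
    than silently ignored, so a mistyped attribute shows up immediately.
    """
    attrs: Dict[str, List[str]] = {}
    for pair in avpairs:
        if not pair.startswith("ipsec:") or "=" not in pair:
            raise ValueError(f"not an ipsec avpair: {pair!r}")
        name, value = pair[len("ipsec:"):].split("=", 1)  # split on first '='
        attrs.setdefault(name, []).append(value)
    return attrs


def group_lock_permits(xauth_username: str, isakmp_group: str,
                       attrs: Dict[str, List[str]]) -> bool:
    """Apply the group-lock rule.

    Without group-lock (absent or not "1") any user the RADIUS server
    authenticates may use the group.  With group-lock=1 the username must
    be non-empty-user@group and the suffix must equal the ISAKMP group.
    """
    if attrs.get("group-lock", ["0"])[-1] != "1":
        return True
    user, sep, suffix = xauth_username.rpartition("@")
    return sep == "@" and user != "" and suffix == isakmp_group


def authorize(isakmp_group: str, xauth_username: str,
              avpairs: List[str]) -> Tuple[bool, str]:
    """Decide whether the client may be admitted to the group and report why.

    Returns (allowed, reason).  On success the reason names the address
    pool the client would draw from; the VRF itself is not in the reply,
    since (as the thread concludes) it is bound on the PE's isakmp profile.
    """
    attrs = parse_cisco_avpairs(avpairs)
    if not group_lock_permits(xauth_username, isakmp_group, attrs):
        return False, (f"group-lock: {xauth_username!r} is not a member "
                       f"of ISAKMP group {isakmp_group!r}")
    pool = attrs.get("addrpool", ["<no pool>"])[-1]
    return True, f"admitted to group {isakmp_group!r}, address from pool {pool!r}"


if __name__ == "__main__":
    for user in ("user1@test.com", "user1@other.com", "user1"):
        ok, why = authorize("test.com", user, GROUP_PROFILE_AVPAIRS)
        print(f"{user:16} -> {'ALLOW' if ok else 'DENY '}: {why}")
```

Run as a script it prints one ALLOW line for user1@test.com and DENY lines for the user with a foreign suffix and for the user with no suffix at all; drop the ipsec:group-lock=1 entry from the list and all three are admitted, which is exactly the gap group-lock closes.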