cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
578
Views
0
Helpful
3
Replies

VPN client and radius or CAR

mike
Beginner
Beginner

Hello:

I am trying to setup remote access vpn on IOS router with cisco Radius or CAR.

the vpn client user needs to be authenticated by group id and password, and user id and password.

How should I setup CAR, could someone provides me an example?

I saw this sample, but there is no relationship between user and group.

Any suggestions?

thx

[ //localhost/RADIUS/UserLists/Default/joe-coke ]

Name = joe-coke

Description =

Password = <encrypted>

AllowNullPassword = FALSE

Enabled = TRUE

Group~ =

BaseProfile~ =

AuthenticationScript~ =

AuthorizationScript~ =

UserDefined1 =

[ //localhost/RADIUS/UserLists/Default/group1 ]

Name = group1

Description =

Password = <encrypted> (would be "cisco")

AllowNullPassword = FALSE

Enabled = TRUE

Group~ =

BaseProfile~ = group1profile

AuthenticationScript~ =

AuthorizationScript~ =

UserDefined1 =

Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco

AV-pairs:

[ //localhost/RADIUS/Profiles/group1profile/Attributes ]

cisco-avpair = ipsec:key-exchange=ike

cisco-avpair = ipsec:tunnel-password=cisco123

cisco-avpair = ipsec:addr-pool=pool1

Service-Type = Outbound

3 Replies 3

jawicks
Cisco Employee
Cisco Employee

you can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within AAA server to allow access to the network once the tunnel has been established.

The link below should show how to setup the group config in IOS and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

Hi, Jawicks:

Thanks for your reponse, I did group authorization locally on router, that works fine; my questions how to make sure that user in a specific group which setup on Radius side.

I tried to access your URL, but I got page not found, even I logged in.

Thanks,

hi,

I am using this VSA in IOS 12.4:

"ipsec:user-vpn-grou=

in order to lock the user within this group

older IOS vsa was: "ipsec:group-lock=1"

You can follow this link for more details:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hunity.html#wp1045269

best regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: