Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
775
Views
0
Helpful
3
Replies

VPN client and radius or CAR

mike
Level 1
Level 1

‎04-23-2008 06:54 PM - edited ‎03-10-2019 03:48 PM

Hello:

I am trying to setup remote access vpn on IOS router with cisco Radius or CAR.

the vpn client user needs to be authenticated by group id and password, and user id and password.

How should I setup CAR, could someone provides me an example?

I saw this sample, but there is no relationship between user and group.

Any suggestions?

thx

[ //localhost/RADIUS/UserLists/Default/joe-coke ]

Name = joe-coke

Description =

Password = <encrypted>

AllowNullPassword = FALSE

Enabled = TRUE

Group~ =

BaseProfile~ =

AuthenticationScript~ =

AuthorizationScript~ =

UserDefined1 =

[ //localhost/RADIUS/UserLists/Default/group1 ]

Name = group1

Description =

Password = <encrypted> (would be "cisco")

AllowNullPassword = FALSE

Enabled = TRUE

Group~ =

BaseProfile~ = group1profile

AuthenticationScript~ =

AuthorizationScript~ =

UserDefined1 =

Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco

AV-pairs:

[ //localhost/RADIUS/Profiles/group1profile/Attributes ]

cisco-avpair = ipsec:key-exchange=ike

cisco-avpair = ipsec:tunnel-password=cisco123

cisco-avpair = ipsec:addr-pool=pool1

Service-Type = Outbound

Labels:
0 Helpful
3 Replies 3

jawicks
Cisco Employee
Cisco Employee

‎04-24-2008 03:50 AM

you can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within AAA server to allow access to the network once the tunnel has been established.

The link below should show how to setup the group config in IOS and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

0 Helpful

mike
Level 1
Level 1
In response to jawicks

‎04-29-2008 04:15 PM

Hi, Jawicks:

Thanks for your reponse, I did group authorization locally on router, that works fine; my questions how to make sure that user in a specific group which setup on Radius side.

I tried to access your URL, but I got page not found, even I logged in.

Thanks,

0 Helpful

falain
Level 1
Level 1
In response to mike

‎05-17-2008 01:45 AM

hi,

I am using this VSA in IOS 12.4:

"ipsec:user-vpn-grou=

in order to lock the user within this group

older IOS vsa was: "ipsec:group-lock=1"

You can follow this link for more details:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hunity.html#wp1045269

best regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents