04-23-2008 06:54 PM - edited 03-10-2019 03:48 PM
Hello:
I am trying to set up remote access VPN on an IOS router with Cisco RADIUS or CAR.
The VPN client user needs to be authenticated by group ID and password, and user ID and password.
How should I set up CAR? Could someone provide me with an example?
I saw this sample, but there is no relationship between user and group.
Any suggestions?
thx
[ //localhost/RADIUS/UserLists/Default/joe-coke ]
Name = joe-coke
Description =
Password = <encrypted>
AllowNullPassword = FALSE
Enabled = TRUE
Group~ =
BaseProfile~ =
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =
[ //localhost/RADIUS/UserLists/Default/group1 ]
Name = group1
Description =
Password = <encrypted> (would be "cisco")
AllowNullPassword = FALSE
Enabled = TRUE
Group~ =
BaseProfile~ = group1profile
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =
Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco AV-pairs:
[ //localhost/RADIUS/Profiles/group1profile/Attributes ]
cisco-avpair = ipsec:key-exchange=ike
cisco-avpair = ipsec:tunnel-password=cisco123
cisco-avpair = ipsec:addr-pool=pool1
Service-Type = Outbound
04-24-2008 03:50 AM
You can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within the AAA server to allow access to the network once the tunnel has been established.
The link below should show how to set up the group config in IOS, and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.
04-29-2008 04:15 PM
Hi, Jawicks:
Thanks for your response. I did group authorization locally on the router, and that works fine; my question is how to make sure that a user is in a specific group which is set up on the RADIUS side.
I tried to access your URL, but I got page not found, even though I logged in.
Thanks,
05-17-2008 01:45 AM
hi,
I am using this VSA in IOS 12.4:
"ipsec:user-vpn-grou=
in order to lock the user within this group
The older IOS VSA was: "ipsec:group-lock=1"
You can follow this link for more details:
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hunity.html#wp1045269
best regards