
isakmp authorization list <name> password <password>

alyautdinov
Level 1

Hi Team,

 

We upgraded an ASR to the new IOS-XE 16.9.4 Fuji and were faced with a new syntax for the command "isakmp authorization list <name> password <password>" under "crypto isakmp profile <name>".

In the previous version, there was the command "isakmp authorization list <name>" without a password, but in the new version there is a new attribute in this command: "password".

There is no documentation about the new syntax; Cisco hasn't updated the guides for the ISAKMP section in version 16.9.4.

So could someone explain to me what the "password" is and what I have to enter there?

 

 

9 Replies

novak.petrovic
Level 1
Hi,

I'm facing the same issue. Did anyone resolve this?

Regards

I have resolved the issue. You can put any password if you are using the local database; it is only relevant if you are using external RADIUS.

curdubanbogdan
Level 1

It is a tunnel attribute if you are using a RADIUS VPN group and added a password.

We just upgraded our 4331 IOS Router to IOS-XE 16.9.4 and now have the same issue. We set up a password and this fixed our Site2Site VPNs (non-RADIUS), but our Cisco VPN Clients use RADIUS via Microsoft NPS\AD and these login connections are still failing. Any suggestions?

Hello, 

Please post your RADIUS configuration from the router and also please state what RADIUS software you are using.

We got it figured out. In addition to adding a password to the isakmp authorization list, we had to change the aaa new-model section and add a group statement for authorization network pointing to the RADIUS server declaration. We already had this in the authentication statement for RADIUS.
This was not required pre 16.09.04 - authorization was set to local only.

aaa group server radius RADIUS-Server-Group
server-private 192.168. ....

aaa authentication login ciscocp_vpn_xauth_ml_1 local group RADIUS-Server-Group
aaa authorization network ciscocp_vpn_group_ml_1 local group RADIUS-Server-Group
!
...
crypto isakmp profile ciscocp-ike-profile-1
...
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1 password 6 NEW_Password

We are using Microsoft Network Policy Server for RADIUS. We did not have to make any changes on NPS.

Thanks for your quick response.




Hi isterryb,

Thanks for sharing. Do we have to put this password anywhere else or only in a router's config?

I'm not sure what the isakmp authorization list password is for exactly. I did set it the same as our RADIUS server - not sure if it mattered.

Milos_Jovanovic
VIP Alumni

This change in behavior is due to CSCsv83824, which is actually an enhancement request. AFAIK, this behavior was introduced in the 15.8/16.9 versions.

Basically, if you previously used authorization of VPN sessions against an AAA server, you had to create a group user on the AAA server with a hardcoded password of 'cisco'. This change in behavior now permits you to change this hardcoded password to whatever you want, as long as it is identical on the AAA server.

If you previously used the command 'isakmp authorization list authorlist' and you used authorization against an AAA server, you should re-add this command as 'isakmp authorization list authorlist password 0 cisco' after reboot, as your original command was not complete as per the new version and will be omitted. If you used authorization against the local database, you can put whatever value you want, as it won't take effect anyway (the password is applicable only for RADIUS authentication; local authorization doesn't use a password).
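
An added example, not part of any post in this thread and not Cisco tooling: a pre-upgrade check, following what the replies above describe, that scans a saved running-config for "isakmp authorization list" lines with no password and reports whether the referenced "aaa authorization network" list points at a AAA server group. The sample config, its list and profile names, and the function names are constructed for illustration.

```python
import re

# Constructed sample of a pre-upgrade running-config; all names are made up.
SAMPLE_CONFIG = """\
aaa group server radius RADIUS-Server-Group
 server-private 192.0.2.10
aaa authorization network vpn_group_radius local group RADIUS-Server-Group
aaa authorization network vpn_group_local local
!
crypto isakmp profile remote-access
 client authentication list vpn_xauth
 isakmp authorization list vpn_group_radius
crypto isakmp profile site-to-site
 isakmp authorization list vpn_group_local
crypto isakmp profile already-fixed
 isakmp authorization list vpn_group_radius password 0 cisco
"""

AAA_LIST = re.compile(r"^aaa authorization network (\S+) (.+)$")
PROFILE = re.compile(r"^crypto isakmp profile (\S+)")
ISAKMP_AUTHZ = re.compile(r"^isakmp authorization list (\S+)(\s+password\b.*)?$")

def audit(config):
    """Return (profile, list_name, uses_aaa_server, has_password) tuples."""
    lines = [raw.strip() for raw in config.splitlines()]
    # First pass: method lists, e.g. "local group RADIUS-Server-Group".
    methods = {m.group(1): m.group(2).split()
               for m in map(AAA_LIST.match, lines) if m}
    findings, profile = [], None
    for line in lines:
        if (m := PROFILE.match(line)):
            profile = m.group(1)  # remember which profile we are inside
        elif (m := ISAKMP_AUTHZ.match(line)) and profile:
            name = m.group(1)
            uses_server = "group" in methods.get(name, [])
            findings.append((profile, name, uses_server, m.group(2) is not None))
    return findings

def report(findings):
    """One line per authorization command that lacks the password keyword."""
    out = []
    for profile, name, uses_server, has_password in findings:
        if has_password:
            continue
        note = ("list uses a AAA server group: password must match the group "
                "user on that server") if uses_server else (
                "local-only list: per the thread, any value works")
        out.append(f"{profile}: isakmp authorization list {name}: {note}")
    return out

if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_CONFIG))))
```

Lines are stripped before matching, so the check also works on configuration pasted without indentation, as in the post above.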
