
isakmp authorization list <name> password <password>

Hi Team,

 

We upgraded our ASR to the new IOS-XE 16.9.4 Fuji and were faced with a new syntax for the command "isakmp authorization list <name> password <password>" under "crypto isakmp profile <name>".

In the previous version, the command was "isakmp authorization list <name>" without a password, but in the new version there is a new attribute in this command: "password".

There is no documentation about the new syntax; Cisco hasn't updated the guides for the ISAKMP section for version 16.9.4.

So could someone explain to me what the "password" is and what I have to enter there?

 

 

8 REPLIES
Beginner

Re: isakmp authorization list <name> password <password>

Hi,

I'm facing the same issue. Did anyone resolve this?

Regards
Beginner

Re: isakmp authorization list <name> password <password>

I have resolved the issue. You can put any password if you are using the local database; it is only relevant if you are using external RADIUS.

Beginner

Re: isakmp authorization list <name> password <password>

It is a tunnel attribute if you are using a RADIUS VPN group and added a password.

Beginner

Re: isakmp authorization list <name> password <password>

We just upgraded our 4331 IOS Router to IOS-XE 16.9.4 and now have the same issue. We set up a password and this fixed our Site2Site VPNs (non-RADIUS), but our Cisco VPN Clients use RADIUS via Microsoft NPS\AD and these login connections are still failing. Any suggestions?

Beginner

Re: isakmp authorization list <name> password <password>

Hello, 

Please post your RADIUS configuration from the router and also please state what RADIUS software you are using.

Beginner

Re: isakmp authorization list <name> password <password>

We got it figured out. In addition to adding a password to the isakmp authorization list, we had to change the aaa new-model section and add a group statement for authorization network pointing to the RADIUS server declaration. We already had this in the authentication statement for RADIUS.
This was not required pre 16.09.04 - authorization was set to local only.

aaa group server radius RADIUS-Server-Group
server-private 192.168. ....

aaa authentication login ciscocp_vpn_xauth_ml_1 local group RADIUS-Server-Group
aaa authorization network ciscocp_vpn_group_ml_1 local group RADIUS-Server-Group
!
...
crypto isakmp profile ciscocp-ike-profile-1
...
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1 password 6 NEW_Password

We are using Microsoft Network Policy Server for RADIUS. We did not have to make any changes on NPS.

Thanks for your quick response.
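
The two changes described in the post above can be looked for in a saved configuration before an upgrade. The following is an added example, not code from the thread or from Cisco: it flags profiles whose `isakmp authorization list` has no `password`, and profiles whose xauth list uses a server group while the authorization list does not. It assumes running-config indentation; the sample config, the address, the placeholder password and the function names are constructed, and both conditions are the ones posters reported, not documented behaviour.

```python
import re

# Constructed sample config: list names follow the thread, the address and
# passwords are placeholders. Indentation as in a running-config (assumption).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RADIUS-Server-Group
 server-private 192.0.2.10
aaa authentication login ciscocp_vpn_xauth_ml_1 local group RADIUS-Server-Group
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network s2s_group local
!
crypto isakmp profile ciscocp-ike-profile-1
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
!
crypto isakmp profile s2s-profile
 isakmp authorization list s2s_group password 6 PLACEHOLDER
!
"""

def method_lists(config, kind):
    """Map each 'aaa <kind> <list> <methods...>' list name to its methods."""
    pat = rf"^aaa {kind} (\S+) (.+)$"
    return {m.group(1): m.group(2).split() for m in re.finditer(pat, config, re.M)}

def audit_isakmp_profiles(config):
    """Return {profile name: [findings]} for every crypto isakmp profile."""
    authz = method_lists(config, "authorization network")
    authn = method_lists(config, "authentication login")
    report = {}
    profiles = re.finditer(r"^crypto isakmp profile (\S+)\n((?:[ \t]+.*\n)*)", config, re.M)
    for name, body in (p.groups() for p in profiles):
        issues = []
        az = re.search(r"^[ \t]+isakmp authorization list (\S+)(.*)$", body, re.M)
        xa = re.search(r"^[ \t]+client authentication list (\S+)", body, re.M)
        if az:
            if "password" not in az.group(2).split():
                issues.append("isakmp authorization list has no password")
            # Reported in the thread: RADIUS-backed clients failed until the
            # authorization list also named the server group.
            uses_group = xa and "group" in authn.get(xa.group(1), [])
            if uses_group and "group" not in authz.get(az.group(1), []):
                issues.append(f"authorization list {az.group(1)} has no group method")
        report[name] = issues
    return report

if __name__ == "__main__":
    for profile, issues in audit_isakmp_profiles(SAMPLE_CONFIG).items():
        print(profile, "->", issues or "ok")
```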




Beginner

Re: isakmp authorization list <name> password <password>

Hi isterryb,

Thanks for sharing. Do we have to put this password anywhere else or only in a router's config?

Beginner

Re: isakmp authorization list <name> password <password>

I'm not sure what the isakmp authorization list password is for exactly. I did set it the same as our RADIUS server - not sure if it mattered.