10-03-2019 02:35 AM
Hi Team,
We upgraded an ASR to the new IOS-XE 16.9.4 Fuji and were faced with a new syntax of the command "isakmp authorization list <name> password <password>" under "crypto isakmp profile <name>".
In the previous version, there was the command "isakmp authorization list <name>" without a password, but in the new version there is a new attribute in this command: "password".
There is no documentation about the new syntax; Cisco hasn't updated the guides about the ISAKMP section for version 16.9.4.
So could someone explain to me what the "password" is and what I have to enter there?
01-14-2020 06:56 AM
01-15-2020 02:16 AM
I have resolved the issue. You can put any password if you are using the local database; it is only relevant if you are using an external RADIUS.
01-15-2020 02:57 AM
It is a tunnel attribute if you are using a RADIUS VPN group and added a password.
01-19-2020 07:40 AM
We just upgraded our 4331 IOS router to IOS-XE 16.9.4 and now have the same issue. We set up a password and this fixed our Site2Site VPNs (non-RADIUS), but our Cisco VPN Clients use RADIUS via Microsoft NPS\AD and these login connections are still failing. Any suggestions?
01-19-2020 07:46 AM
Hello,
Please post your RADIUS configuration from the router and also please state what RADIUS software you are using.
01-19-2020 09:27 AM
01-19-2020 09:33 PM
Hi isterryb,
Thanks for sharing. Do we have to put this password anywhere else or only in a router's config?
01-20-2020 06:57 AM
I'm not sure what the isakmp authorization list password is for exactly. I did set it the same as our RADIUS server; not sure if it mattered.
09-14-2020 06:16 AM
This change in behavior is due to CSCsv83824, which is actually an enhancement request. AFAIK, this behavior was introduced in the 15.8/16.9 versions.
Basically, if you previously used authorization of VPN sessions against an AAA server, you had to create a group user on the AAA server with a hardcoded password of 'cisco'. This change in behavior now permits you to change this hardcoded password to whatever you want, as long as it is identical on the AAA server.
If you previously used the command 'isakmp authorization list authorlist', and you used authorization against an AAA server, you should re-add this command as 'isakmp authorization list authorlist password 0 cisco' after the reboot, as your original command is not complete as per the new version and will be omitted. If you used authorization against the local database, you can put whatever value you want, as it won't take effect anyway (the password is applicable only for RADIUS authorization; local authorization doesn't use the password).
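A pre-upgrade check for the situation described in this thread, added here as an example and not part of any post or of Cisco's tooling: it scans a running-config text for `isakmp authorization list` lines under `crypto isakmp profile` that lack the `password` keyword, and reports whether the backing AAA list is RADIUS (value must match the group user's password on the AAA server) or local (any value works). The config fragment and profile names are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of a pre-upgrade running-config fragment (not taken from any real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization network authorlist group radius
aaa authorization network locallist local
!
crypto isakmp profile RADIUS-PROF
 match identity group vpngroup
 isakmp authorization list authorlist
 client configuration address respond
!
crypto isakmp profile SITE2SITE-PROF
 match identity address 0.0.0.0
 isakmp authorization list locallist
!
crypto isakmp profile ALREADY-FIXED
 match identity group other
 isakmp authorization list authorlist password 0 cisco
!
"""

AAA_RE = re.compile(r"^aaa authorization network (\S+) (.+)$", re.M)
PROFILE_RE = re.compile(r"^crypto isakmp profile (\S+)")
AUTHZ_RE = re.compile(r"^\s+isakmp authorization list (\S+)(\s+password\s+\S.*)?$")

def find_incomplete_authorization(config: str) -> List[Tuple[str, str, bool]]:
    """Return (profile, list name, uses_radius) for every 'isakmp authorization list'
    under a crypto isakmp profile that lacks the 'password' keyword 16.9.4 expects.
    uses_radius is True when the AAA list is backed by a RADIUS group (the password
    must equal the group user's password on the server) and False for local."""
    methods = {name: method.strip() for name, method in AAA_RE.findall(config)}
    results: List[Tuple[str, str, bool]] = []
    profile = None
    for line in config.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            continue
        if not line.startswith(" "):
            profile = None          # a non-indented line ends the profile block
            continue
        m = AUTHZ_RE.match(line)
        if m and profile and m.group(2) is None:
            listname = m.group(1)
            uses_radius = "radius" in methods.get(listname, "")
            results.append((profile, listname, uses_radius))
    return results

def corrected_command(listname: str, password: str) -> str:
    """The form of the command to re-add after the upgrade, as shown in the thread."""
    return f"isakmp authorization list {listname} password 0 {password}"
```

Run it against `show running-config` output saved to a file before the upgrade; every reported profile is one whose command would be dropped at reboot.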