Cisco VPN Client(4.8.01.0300) + Router(C1812) + Radius Auth(MS IAS)

ahab.captain@gmail.com
08-17-2007

I have a problem with Cisco VPN Client to router using RADIUS auth. This config works, I can log in with any group and I'll get the correct info, but there are two main problems.

First off, I can't use the access-list to match incoming traffic on interface outside, since it's only matching UDP 4500 traffic that's still encrypted. Is there a way to get the ACL to work after it's been decrypted? It's something similar to "sysopt connection permit" on PIX, right? Can I turn it off? I have it matching outgoing traffic for the inside interface now, but that sucks.

Second; the RADIUS server is an IAS server and uses 3 Active Directory groups, each configured to one client VPN profile. This works fine, and then I send a Class OU back that has the same name as the client VPN groups. So user sends auth, router sends to RADIUS, RADIUS matches the user group to his profile and sends back OU=adm.grp; and then the router just ignores that and allows the user in. So if I add a user to the basic user group, he can log in to the admin VPN profile too. Is there some aaa command I'm missing? The Class OU is an accounting aaa command, right? I have searched for hours and hours, I can't find any config on this. Is it even possible?

Router_VPN#sh run
Building configuration...

Current configuration : 4123 bytes
!
! Last configuration change at 09:47:36 UTC Fri Aug 17 2007 by ejs
! NVRAM config last updated at 09:47:37 UTC Fri Aug 17 2007 by ejs
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_VPN
!
boot-start-marker
boot-end-marker
!
logging buffered 16386 debugging
enable secret 5 -----
!
aaa new-model
!
!
aaa authentication login clientuserauth group radius
aaa authorization network clientgroupauth local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
ip domain name foo.com
!
!
!
username foo privilege 15 password 0 bar
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group bas.usr.grp
key foobar
dns 192.168.26.106 192.168.26.101
wins 192.168.26.101
domain CLIENT_NET
pool bas.usr.pool
acl 101
!
crypto isakmp client configuration group adv.usr.grp
key foobar
dns 192.168.26.106 192.168.26.101
wins 192.168.26.101
domain CLIENT_NET
pool adv.usr.pool
acl 102
!
crypto isakmp client configuration group adm.grp
key foobar
dns 192.168.26.106 192.168.26.101
wins 192.168.26.101
domain CLIENT_NET
pool adm.pool
acl 103
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set ESP-3DES-MD5
!
!
crypto map VPNMAP client authentication list clientuserauth
crypto map VPNMAP isakmp authorization list clientgroupauth
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
description Ytranet
ip address x.x.x.x 255.255.255.224
ip access-group 110 in
duplex auto
speed auto
crypto map VPNMAP
!
interface FastEthernet1
description Innranet
ip address 192.168.26.251 255.255.254.0
ip access-group 111 out
speed 100
full-duplex
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
ip local pool bas.usr.pool 10.0.1.1 10.0.1.254
ip local pool adv.usr.pool 10.0.2.1 10.0.2.254
ip local pool adm.pool 10.0.3.1 10.0.3.254
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip host x.x.x.x any
access-list 100 permit ip host x.x.x.x any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit ip host x.x.x.x any
access-list 110 permit ip host x.x.x.x any
access-list 111 remark ##Admin-VPN##
access-list 111 permit ip 10.0.3.0 0.0.0.255 any
access-list 111 remark ##Basic-User-VPN##
access-list 111 permit tcp 10.0.1.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
access-list 111 permit tcp 10.0.1.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
access-list 111 deny ip 10.0.1.0 0.0.0.255 any
access-list 111 remark ##Advanced-User-VPN##
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1352
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1422
access-list 111 deny ip 10.0.2.0 0.0.0.255 any
!
!
!
!
!
radius-server host 192.168.26.110 auth-port 1645 acct-port 1646 key foobar
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password ciscolab
transport input ssh
!
ntp clock-period 17180161
ntp server 157.157.255.11
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
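
The first question in the post is about which packet each ACL actually gets to look at. The following is an added example, not part of the post and not Cisco code: a small evaluator for IOS numbered extended ACLs that is fed the post's own ACL 110 (minus the `host x.x.x.x` lines, which are placeholders) and ACL 111, then asked about the tunnel envelope as the outside interface sees it and about the decrypted client flows as the inside interface sees them. The client public address 198.51.100.7 and router address 203.0.113.1 are constructed; `Flow`, `parse_acl` and `evaluate` are my names. It also shows why the inside ACL adds nothing for the admin pool: every 10.0.3.x flow is permitted, so for that profile the group assignment is the entire access decision.

```python
"""Constructed example (not from the post and not Cisco code): a tiny evaluator
for IOS numbered extended ACLs, used to show why the outside interface's ACL only
ever sees the IPsec/NAT-T envelope while the inside interface's ACL sees the
decrypted client flows, and how much ACL 111 leaves open for the admin pool."""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    proto: str          # "tcp", "udp", "esp", "ahp" or "ip"
    src: str
    dst: str
    dport: int = 0


# IOS keyword ports used in the post's ACL 110.
WELL_KNOWN = {"isakmp": 500, "non500-isakmp": 4500}


def parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # An IOS wildcard such as 0.0.0.255 is exactly a hostmask, which ipaddress accepts.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [WC] DST [WC] [eq PORT]' lines.

    Remarks are skipped. Each rule becomes (permit, proto, src_net, dst_net, port)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = parse_addr(tok, 4)
        dst, i = parse_addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = WELL_KNOWN.get(tok[i + 1]) or int(tok[i + 1])
        rules.append((action == "permit", proto, src, dst, port))
    return rules


def evaluate(rules, flow):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for permit, proto, src, dst, port in rules:
        if proto != "ip" and proto != flow.proto:
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != flow.dport:
            continue
        return permit
    return False


# The post's ACL 110 without its placeholder 'host x.x.x.x' entries.
ACL_110 = """
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
"""

# The post's ACL 111 with the wrapped 'eq' lines joined.
ACL_111 = """
access-list 111 remark ##Admin-VPN##
access-list 111 permit ip 10.0.3.0 0.0.0.255 any
access-list 111 remark ##Basic-User-VPN##
access-list 111 permit tcp 10.0.1.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
access-list 111 permit tcp 10.0.1.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
access-list 111 deny ip 10.0.1.0 0.0.0.255 any
access-list 111 remark ##Advanced-User-VPN##
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1352
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1422
access-list 111 deny ip 10.0.2.0 0.0.0.255 any
"""


def demo():
    """Run constructed flows through both ACLs; addresses are made up for the example."""
    outside, inside = parse_acl(ACL_110), parse_acl(ACL_111)
    # What FastEthernet0's inbound ACL sees: the NAT-T envelope from the client's
    # public address to the router. The inner packet is still encrypted here.
    envelope = Flow("udp", "198.51.100.7", "203.0.113.1", 4500)
    # The same session after decryption, as ACL 111 sees it leaving FastEthernet1.
    basic_rdp = Flow("tcp", "10.0.1.10", "192.168.26.50", 3389)
    basic_ssh = Flow("tcp", "10.0.1.10", "192.168.26.50", 22)
    admin_ssh = Flow("tcp", "10.0.3.10", "192.168.26.50", 22)
    return {
        "outside sees only the envelope": evaluate(outside, envelope),
        "inner flow against outside ACL": evaluate(outside, basic_rdp),
        "basic user RDP": evaluate(inside, basic_rdp),
        "basic user SSH": evaluate(inside, basic_ssh),
        "admin pool SSH": evaluate(inside, admin_ssh),
    }


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name}: {'permit' if permitted else 'deny'}")
```

The "inner flow against outside ACL" case is denied by ACL 110 only because ACL 110 never sees it; the outside interface evaluates the UDP 4500 envelope, which is why per-user filtering has to happen after decryption, as the post's inside-interface ACL 111 does.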

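The second question is whether the router should be tying the RADIUS reply's Class attribute to the ISAKMP group the client used. As an added example (not the poster's router output, and not Cisco or Microsoft code), here is that decision written out: parse the RADIUS reply, verify its Response Authenticator with the shared secret as RFC 2865 specifies, pull every `OU=<group>;` value out of the Class attributes (the format the post says IAS returns), and permit only when the requested group is among them. The shared secret, request authenticator and username are constructed for the example, and `parse_radius`, `group_permitted` and the other function names are mine.

```python
"""Constructed example (not the poster's output and not Cisco or Microsoft code):
parse a RADIUS reply, verify its Response Authenticator, then apply the group
lock the poster expects, i.e. the Class attribute's OU= value must name the
ISAKMP group the client connected with. Packet layout follows RFC 2865."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_CLASS = 25  # RFC 2865 section 5.25; the post's IAS returns "OU=<group>;"


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    Every length is checked so a malformed reply raises instead of half-parsing."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def response_authenticator(code, ident, length, request_auth, attr_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(head + request_auth + attr_bytes + secret).digest()


def verify_response(packet, request_auth, secret):
    """True only if the reply was built with our shared secret for our own request."""
    code, ident, auth, _ = parse_radius(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = response_authenticator(code, ident, length, request_auth,
                                      packet[20:length], secret)
    return hmac.compare_digest(expected, auth)


def ou_groups(attrs):
    """Collect every group named by a Class attribute of the form 'OU=<name>;'."""
    groups = set()
    for atype, value in attrs:
        if atype != ATTR_CLASS:
            continue
        for part in value.decode("ascii", "replace").split(";"):
            part = part.strip()
            if part.upper().startswith("OU="):
                groups.add(part[3:].strip())
    return groups


def group_permitted(packet, request_auth, secret, requested_group):
    """The group-lock decision; fails closed, so any doubt means deny."""
    if not verify_response(packet, request_auth, secret):
        return False, "bad Response Authenticator"
    code, _, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return False, "not an Access-Accept"
    allowed = ou_groups(attrs)
    if not allowed:
        return False, "no OU= Class attribute returned"  # never fall back to "any group"
    if requested_group not in allowed:
        return False, f"user belongs to {sorted(allowed)}, not {requested_group}"
    return True, "group matches"


def build_response(code, ident, request_auth, attrs, secret):
    """Assemble a reply the way a server would; used only to construct samples."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


# Constructed sample data: made-up shared secret and request authenticator, and an
# Access-Accept for a user whose AD group maps to the bas.usr.grp profile.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
BASIC_USER_ACCEPT = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH,
                                   [(ATTR_USER_NAME, b"jdoe"),
                                    (ATTR_CLASS, b"OU=bas.usr.grp;")], SECRET)


def demo():
    """The post's scenario: a basic user connecting with the admin profile."""
    return {
        "own group": group_permitted(BASIC_USER_ACCEPT, REQUEST_AUTH, SECRET, "bas.usr.grp"),
        "admin group": group_permitted(BASIC_USER_ACCEPT, REQUEST_AUTH, SECRET, "adm.grp"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'permit' if ok else 'deny'} ({why})")
```

The check is deliberately fail-closed: a reply with a bad authenticator, a non-Accept code, or no `OU=` value at all is a deny, because the moment the concentrator only asks "did RADIUS say Accept?" the profile a user lands in is decided solely by which group pre-shared key their client was given, which is the situation the post describes.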