Cisco VPN Client(4.8.01.0300) + Router(C1812) + Radius Auth(MS IAS)

Discussion in 'Cisco' started by ahab.captain@gmail.com, Aug 17, 2007.

  1. Guest

    I have a problem with Cisco VPN Client to router using Radius auth.
    This config works, I can login with any group and I'll get the correct
    info, but there are two main problems.

    First off, I can't use the access-list to match incoming traffic on
    interface outside, since it's only matching udp 4500 traffic that's
    still encrypted.. Is there a way to get the ACL to work after it's
    been decrypted? It's something similar to "sysopt connection permit"
    on Pix, right? Can I turn it off? I have it matching outgoing traffic
    for the inside interface now.. but that sucks..

    Second; the radius server is an IAS server and uses 3 Active Directory
    groups, each configured to one client VPN profile. This works fine,
    and then I send a Class OU back that has the same name as the client
    VPN groups. So the user sends auth, the router sends to radius, radius
    matches the user group to his profile and sends back OU=adm.grp; and
    then the router just ignores that and allows the user in.. So if I add
    a user to the basic user group, he can login to the admin VPN profile
    too.. Is there some aaa command I'm missing? The Class OU is an
    accounting aaa command, right? I have searched for hours and hours and I
    can't find any config on this. Is it even possible?

    Router_VPN#sh run
    Building configuration...

    Current configuration : 4123 bytes
    !
    ! Last configuration change at 09:47:36 UTC Fri Aug 17 2007 by ejs
    ! NVRAM config last updated at 09:47:37 UTC Fri Aug 17 2007 by ejs
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router_VPN
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 16386 debugging
    enable secret 5 -----
    !
    aaa new-model
    !
    !
    aaa authentication login clientuserauth group radius
    aaa authorization network clientgroupauth local
    !
    aaa session-id common
    !
    resource policy
    !
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    ip domain name foo.com
    !
    !
    !
    username foo privilege 15 password 0 bar
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group bas.usr.grp
    key foobar
    dns 192.168.26.106 192.168.26.101
    wins 192.168.26.101
    domain CLIENT_NET
    pool bas.usr.pool
    acl 101
    !
    crypto isakmp client configuration group adv.usr.grp
    key foobar
    dns 192.168.26.106 192.168.26.101
    wins 192.168.26.101
    domain CLIENT_NET
    pool adv.usr.pool
    acl 102
    !
    crypto isakmp client configuration group adm.grp
    key foobar
    dns 192.168.26.106 192.168.26.101
    wins 192.168.26.101
    domain CLIENT_NET
    pool adm.pool
    acl 103
    !
    !
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set ESP-3DES-MD5
    !
    !
    crypto map VPNMAP client authentication list clientuserauth
    crypto map VPNMAP isakmp authorization list clientgroupauth
    crypto map VPNMAP client configuration address respond
    crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface FastEthernet0
    description Ytranet
    ip address x.x.x.x 255.255.255.224
    ip access-group 110 in
    duplex auto
    speed auto
    crypto map VPNMAP
    !
    interface FastEthernet1
    description Innranet
    ip address 192.168.26.251 255.255.254.0
    ip access-group 111 out
    speed 100
    full-duplex
    !
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
    no ip address
    !
    ip local pool bas.usr.pool 10.0.1.1 10.0.1.254
    ip local pool adv.usr.pool 10.0.2.1 10.0.2.254
    ip local pool adm.pool 10.0.3.1 10.0.3.254
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    !
    !
    no ip http server
    no ip http secure-server
    !
    access-list 100 permit ip host x.x.x.x any
    access-list 100 permit ip host x.x.x.x any
    access-list 101 permit ip 192.168.0.0 0.0.255.255 any
    access-list 102 permit ip 192.168.0.0 0.0.255.255 any
    access-list 103 permit ip 192.168.0.0 0.0.255.255 any
    access-list 110 permit esp any any
    access-list 110 permit ahp any any
    access-list 110 permit udp any any eq isakmp
    access-list 110 permit udp any any eq non500-isakmp
    access-list 110 permit ip host x.x.x.x any
    access-list 110 permit ip host x.x.x.x any
    access-list 111 remark ##Admin-VPN##
    access-list 111 permit ip 10.0.3.0 0.0.0.255 any
    access-list 111 remark ##Basic-User-VPN##
    access-list 111 permit tcp 10.0.1.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
    access-list 111 permit tcp 10.0.1.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
    access-list 111 deny ip 10.0.1.0 0.0.0.255 any
    access-list 111 remark ##Advanced-User-VPN##
    access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
    access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
    access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1352
    access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1422
    access-list 111 deny ip 10.0.2.0 0.0.0.255 any
    !
    !
    !
    !
    !
    radius-server host 192.168.26.110 auth-port 1645 acct-port 1646 key foobar
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password ciscolab
    transport input ssh
    !
    ntp clock-period 17180161
    ntp server 157.157.255.11
    !
    webvpn context Default_context
    ssl authenticate verify all
    !
    no inservice
    !
    end
    ahab.captain@gmail.com, Aug 17, 2007 #1
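As an added example, not part of the thread: a small Python audit that reads the posted config layout and reports the two conditions behind the second problem, namely that every `crypto isakmp client configuration group` carries the same pre-shared key (shown as `foobar` on the page, possibly sanitized) so the client alone chooses its group, and that the isakmp authorization list is served by `local`, so the group policy comes from the router's own definitions rather than from anything the IAS server returns. The config excerpt is constructed from the post; the helper names are my own.

```python
import re

# Constructed excerpt in IOS "show run" layout ("!" separates blocks), mirroring
# the posted config; the group keys are the values shown in the post.
SAMPLE_CONFIG = """\
aaa authentication login clientuserauth group radius
aaa authorization network clientgroupauth local
!
crypto isakmp client configuration group bas.usr.grp
key foobar
pool bas.usr.pool
!
crypto isakmp client configuration group adv.usr.grp
key foobar
pool adv.usr.pool
!
crypto isakmp client configuration group adm.grp
key foobar
pool adm.pool
!
crypto map VPNMAP isakmp authorization list clientgroupauth
"""

def parse_groups(config):
    """Map each client group name to its sub-commands (run until the next "!")."""
    groups, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp client configuration group (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), {})
        elif line == "!":
            current = None
        elif current is not None:
            cmd, _, arg = line.partition(" ")
            current[cmd] = arg
    return groups

def audit(config):
    """Findings behind the second problem: self-selectable groups, local policy."""
    findings, by_key = [], {}
    for name, attrs in parse_groups(config).items():
        by_key.setdefault(attrs.get("key"), []).append(name)
    for key, names in by_key.items():
        if key and len(names) > 1:
            findings.append("shared group key: %s" % sorted(names))
    m = re.search(r"crypto map \S+ isakmp authorization list (\S+)", config)
    src = m and re.search(r"aaa authorization network %s (.+)" % re.escape(m.group(1)), config)
    if src and "radius" not in src.group(1):
        findings.append("group policy for list %s is '%s', not RADIUS" % (m.group(1), src.group(1).strip()))
    return findings
```

Run it against a full `show run` capture to see both findings; changing the authorization list to `group radius` removes the second one, while the shared-key finding stays until each group gets its own key.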