From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Fri Feb 13 2009 - 19:34:40 ARST
Hi Guys,
So I've been troubleshooting some EZVPN here and would like to get some feedback
from you if possible.
My config was fairly basic and straightforward:
R4#sh run | i aaa
aaa new-model
aaa authentication login default none
aaa authentication login XAUTH_LOGIN group radius local
aaa authorization network XAUTH_AUTHZ group radius local
...... <truncated>
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_ON_R4
 key CISCO
 dns 1.2.3.4
 domain ccie.com
 pool EZVPN_POOL
 acl 100
!
!
crypto ipsec transform-set MY_TRAN_SET esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC 1
 set transform-set MY_TRAN_SET
 reverse-route
!
!
crypto map MYMAP client authentication list XAUTH_LOGIN
crypto map MYMAP isakmp authorization list XAUTH_AUTHZ
crypto map MYMAP client configuration address respond
crypto map MYMAP 1 ipsec-isakmp dynamic DYNAMIC
1) I set up an IOS router as an EZVPN server, enabling the authentication
and group lookup to be made locally on the router. I defined the user and
group configs, all worked nicely! (well, after a little bit of
troubleshooting there :-)
2) So I thought, come on, let's complicate life a little bit more and have
some fun by enabling the authentication of the user and the group
authorization to be made on ACS. Didn't seem a bit straightforward :s
- the user authentication seems to happen quite nicely. RADIUS
Access-Request goes up to ACS and a RADIUS Access-Accept comes back -
great!
- however, I see another RADIUS Access-Request going up to ACS, this time
with the group name as the "username" attribute
[User-Name [1] 13 "EZVPN_ON_R4"]. This obviously gets rejected
on ACS, as I have not defined it as a group. So I thought let me hack this
and see if we can make it work anyhow. I then created a user on ACS and named
him EZVPN_ON_R4.
- cleared my EZVPN client to try again. This time, I got back 2 RADIUS
Access-Accept messages from ACS. Which is great so far! BUT, as part of the
default authorization attributes from ACS, 2 were sent back in the RADIUS
Access-Accept for the group name (EZVPN_ON_R4). This was rejected by my
router, complaining that these attributes are unsupported as far as EZVPN
config on IOS is concerned. The authorization then failed over to the second
configured method (which is local) and all passed successfully.
- I now went back to the user/group on ACS, trying to see if I can actually
remove these attributes so they don't get sent down, but to no avail. There is
no option to remove them (they don't even appear on the list of attributes).
My feeling is, they are compulsory.
Question: Does it mean that isakmp policy authorization on ACS (or any other
AAA server) is not supported at all and I have to define the group
locally on IOS???
I could raise this with Cisco, but the fact that it's running on 12.3 doesn't
give me much confidence there, but maybe I just should.
Thanks,
Sadiq
--
CCIE #19963

Debug Radius:
R4#
*Mar 1 04:51:00.698: RADIUS: Pick NAS IP for u=0x8346F6DC tableid=0 cfg_addr=150.1.4.4
*Mar 1 04:51:00.698: RADIUS: ustruct sharecount=2
*Mar 1 04:51:00.698: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 04:51:00.698: RADIUS(00000000): Send Access-Request to 150.1.121.254:1645 id 21645/44, len 83
*Mar 1 04:51:00.702: RADIUS: authenticator 40 9C D8 1A 1C 31 2A F9 - DB A7 B3 42 49 CE E1 0F
*Mar 1 04:51:00.702: RADIUS: NAS-IP-Address [4] 6 150.1.4.4
*Mar 1 04:51:00.702: RADIUS: NAS-Port [5] 6 500
*Mar 1 04:51:00.702: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 04:51:00.702: RADIUS: User-Name [1] 15 "Administrator"
*Mar 1 04:51:00.702: RADIUS: Calling-Station-Id [31] 12 "150.1.69.6"
*Mar 1 04:51:00.702: RADIUS: User-Password [2] 18 *
*Mar 1 04:51:00.738: RADIUS: Received from id 21645/44 150.1.121.254:1645, Access-Accept, l R4#en 62
*Mar 1 04:51:00.738: RADIUS: authenticator D5 BC AB A9 49 89 31 A6 - 78 F5 AB 89 2B 12 62 0A
*Mar 1 04:51:00.742: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 04:51:00.742: RADIUS: Class [25] 36
*Mar 1 04:51:00.742: RADIUS: 43 41 43 53 3A 30 2F 38 37 65 33 2F 39 36 30 31 [CACS:0/87e3/9601]
*Mar 1 04:51:00.742: RADIUS: 30 34 30 34 2F 41 64 6D 69 6E 69 73 74 72 61 74 [0404/Administrat]
*Mar 1 04:51:00.742: RADIUS: 6F 72 [or]
*Mar 1 04:51:00.742: RADIUS: saved authorization data for user 8346F6DC at 834C38BC
*Mar 1 04:51:00.794: RADIUS: authenticating to get author data
*Mar 1 04:51:00.794: RADIUS: Pick NAS IP for u=0x8339BE94 tableid=0 cfg_addr=150.1.4.4
*Mar 1 04:51:00.794: RADIUS: ustruct sharecount=3
*Mar 1 04:51:00.794: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 04:51:00.794: RADIUS(00000000): Send Access-Request to 150.1.121.254:1645 id 21645/45, len 87
*Mar 1 04:51:00.794: RADIUS: authenticator 32 DD A7 B9 07 76 A4 EC - F1 EF 4A 68 A7 F5 BD EA
*Mar 1 04:51:00.794: RADIUS: NAS-IP-Address [4] 6 150.1.4.4
*Mar 1 04:51:00.794: RADIUS: NAS-Port [5] 6 500
*Mar 1 04:51:00.794: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 04:51:00.798: RADIUS: User-Name [1] 13 "EZVPN_ON_R4"
*Mar 1 04:51:00.798: RADIUS: Calling-Station-Id [31] 12 "150.1.69.6"
*Mar 1 04:51:00.798: RADIUS: User-Password [2] 18 *
*Mar 1 04:51:00.798: RADIUS: Service-Type [6] 6 Outbound [5]
*Mar 1 04:51:00.830: RADIUS: Received from id 21645/45 150.1.121.254:1645, Access-Accept, len 60
*Mar 1 04:51:00.834: RADIUS: authenticator 90 16 BD 88 28 BA 6F F9 - C6 66 79 7B D6 A6 7C 78
*Mar 1 04:51:00.834: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 04:51:00.834: RADIUS: Class [25] 34
*Mar 1 04:51:00.834: RADIUS: 43 41 43 53 3A 30 2F 38 37 65 34 2F 39 36 30 31 [CACS:0/87e4/9601]
*Mar 1 04:51:00.834: RADIUS: 30 34 30 34 2F 45 5A 56 50 4E 5F 4F 4E 5F 52 34 [0404/EZVPN_ON_R4]
*Mar 1 04:51:00.834: RADIUS: saved authorization data for user 8339BE94 at 8368248C
*Mar 1 04:51:00.834: RADIUS: Bad attribute (unsupported attribute): type 8 len 6 data 0xFFFFFFFF
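Added example (editor's code, not part of the post and not Cisco's or ACS's): a small Python parser for the `debug radius` output quoted in the post. It groups the debug lines into packets, rebuilds each attribute's RFC 2865 wire form (1-byte type, 1-byte length, value) from the printed `Name [type] length value` text, and then matches the router's `Bad attribute (unsupported attribute): type 8 len 6 data 0xFFFFFFFF` complaint back to the attribute it quotes, which turns out to be the Framed-IP-Address 255.255.255.255 that ACS returned in the group's Access-Accept. The sample input is a trimmed copy of the post's own second exchange (the group lookup, whose Access-Request carries Service-Type Outbound); the regexes, dataclasses and helper names are my own.

```python
import re
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the group-authorization exchange from the post's `debug radius`
# output, trimmed to one debug message per line (authenticator lines omitted).
DEBUG_LINES = """\
*Mar 1 04:51:00.794: RADIUS(00000000): Send Access-Request to 150.1.121.254:1645 id 21645/45, len 87
*Mar 1 04:51:00.794: RADIUS: NAS-IP-Address [4] 6 150.1.4.4
*Mar 1 04:51:00.794: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 04:51:00.798: RADIUS: User-Name [1] 13 "EZVPN_ON_R4"
*Mar 1 04:51:00.798: RADIUS: User-Password [2] 18 *
*Mar 1 04:51:00.798: RADIUS: Service-Type [6] 6 Outbound [5]
*Mar 1 04:51:00.830: RADIUS: Received from id 21645/45 150.1.121.254:1645, Access-Accept, len 60
*Mar 1 04:51:00.834: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 04:51:00.834: RADIUS: Class [25] 34
*Mar 1 04:51:00.834: RADIUS: 43 41 43 53 3A 30 2F 38 37 65 34 2F 39 36 30 31 [CACS:0/87e4/9601]
*Mar 1 04:51:00.834: RADIUS: 30 34 30 34 2F 45 5A 56 50 4E 5F 4F 4E 5F 52 34 [0404/EZVPN_ON_R4]
*Mar 1 04:51:00.834: RADIUS: Bad attribute (unsupported attribute): type 8 len 6 data 0xFFFFFFFF
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (?P<code>[\w-]+) to (?P<peer>\S+) id (?P<id>\S+), len \d+")
RECV_RE = re.compile(r"RADIUS: Received from id (?P<id>\S+) (?P<peer>\S+), (?P<code>[\w-]+), len \d+")
BAD_RE = re.compile(r"Bad attribute \((?P<reason>[^)]*)\): type (?P<type>\d+) len (?P<len>\d+) data 0x(?P<data>[0-9A-Fa-f]+)")
ATTR_RE = re.compile(r"RADIUS: (?P<name>[A-Za-z][\w-]*) \[(?P<type>\d+)\] (?P<len>\d+)(?: (?P<value>.*))?$")
HEX_RE = re.compile(r"RADIUS: ((?:[0-9A-F]{2} )+)\[.*\]$")   # hex-dump continuation line

@dataclass
class Attr:
    name: str
    type: int
    length: int          # as IOS printed it: 2-byte header + value
    value: str           # as IOS printed it ("" when the value was hex-dumped instead)
    raw: bytes = b""     # bytes gathered from hex-dump continuation lines

@dataclass
class Packet:
    code: str            # Access-Request, Access-Accept, ...
    ident: str           # the "id 21645/45" the router uses to pair request and reply
    attrs: List[Attr] = field(default_factory=list)
    bad: List[Tuple[str, int, int, bytes]] = field(default_factory=list)  # (reason, type, len, data)

def parse_debug(text: str) -> List[Packet]:
    """Group `debug radius` lines into packets; attributes and 'Bad attribute' notes attach to the latest one."""
    packets: List[Packet] = []
    for line in text.splitlines():
        if m := SEND_RE.search(line) or RECV_RE.search(line):
            packets.append(Packet(m["code"], m["id"]))
        elif not packets:
            continue                                  # preamble before the first packet
        elif m := BAD_RE.search(line):
            packets[-1].bad.append((m["reason"], int(m["type"]), int(m["len"]), bytes.fromhex(m["data"])))
        elif m := ATTR_RE.search(line):
            packets[-1].attrs.append(Attr(m["name"], int(m["type"]), int(m["len"]), m["value"] or ""))
        elif (m := HEX_RE.search(line)) and packets[-1].attrs:
            packets[-1].attrs[-1].raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return packets

def encode_tlv(attr: Attr) -> Optional[bytes]:
    """Rebuild the RFC 2865 wire form (type, length, value); None when IOS masked the value ('*')."""
    v = attr.value
    if attr.raw:                                      # value came from hex-dump lines (e.g. Class)
        value = attr.raw
    elif attr.type in (4, 8):                         # NAS-IP-Address / Framed-IP-Address
        value = ipaddress.IPv4Address(v).packed
    elif v.startswith('"') and v.endswith('"'):       # text attribute
        value = v[1:-1].encode()
    elif v.endswith("]"):                             # enumerated integer printed as 'Name [n]'
        value = int(v.rsplit("[", 1)[1][:-1]).to_bytes(4, "big")
    elif v.isdigit():                                 # plain integer
        value = int(v).to_bytes(4, "big")
    else:
        return None
    tlv = bytes([attr.type, attr.length]) + value
    if len(tlv) != attr.length:
        raise ValueError(f"{attr.name}: rebuilt {len(tlv)} bytes, IOS reported {attr.length}")
    return tlv

def user_name(pkt: Packet) -> Optional[str]:
    return next((a.value.strip('"') for a in pkt.attrs if a.type == 1), None)

def is_authorization_lookup(pkt: Packet) -> bool:
    """The group lookup in the post is an Access-Request that IOS tags with Service-Type Outbound."""
    return pkt.code == "Access-Request" and any(a.type == 6 and a.value.startswith("Outbound") for a in pkt.attrs)

def explain_bad_attributes(pkt: Packet) -> List[Tuple[str, str, str]]:
    """Map each 'Bad attribute' complaint back to the received attribute whose wire form it quotes."""
    found = []
    for reason, atype, alen, data in pkt.bad:
        wire = bytes([atype, alen]) + data            # exactly what the router printed, as bytes
        match = next((a for a in pkt.attrs if encode_tlv(a) == wire), None)
        found.append((match.name if match else f"type {atype}", match.value if match else data.hex(), reason))
    return found

if __name__ == "__main__":
    for pkt in parse_debug(DEBUG_LINES):
        print(pkt.code, user_name(pkt), is_authorization_lookup(pkt), explain_bad_attributes(pkt))
```

Running it prints the Access-Request as the group lookup for `EZVPN_ON_R4` and resolves the rejected TLV to `('Framed-IP-Address', '255.255.255.255', 'unsupported attribute')`. RFC 2865 defines Framed-IP-Address 0xFFFFFFFF as "the NAS should allow the user to select an address"; ACS sent it as a default in a reply that, from the router's point of view, was group authorization rather than a user session, which is the context in which the debug shows IOS rejecting it.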
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:11 ARST