Re: EZVPN authentication using ACS

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Sat Feb 14 2009 - 13:03:20 ARST


Sadiq,

Did you check out this?

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html

It is already done there.

Regards

----- Original Message -----
From: "Sadiq Yakasai" <sadiqtanko@gmail.com>
To: "Cisco certification" <security@groupstudy.com>; "Cisco certification"
<ccielab@groupstudy.com>
Sent: Friday, February 13, 2009 4:34 PM
Subject: EZVPN authentication using ACS

> Hi Guys,
>
> So been troubleshooting some EZVPN here and would like to get a feedback
> from you if possible.
>
> My config was fairly basic and straightforward:
>
> R4#sh run | i aaa
> aaa new-model
> aaa authentication login default none
> aaa authentication login XAUTH_LOGIN group radius local
> aaa authorization network XAUTH_AUTHZ group radius local
>
> ..... <truncated>
>
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> !
> crypto isakmp client configuration group EZVPN_ON_R4
> key CISCO
> dns 1.2.3.4
> domain ccie.com
> pool EZVPN_POOL
> acl 100
> !
> !
> crypto ipsec transform-set MY_TRAN_SET esp-3des esp-md5-hmac
> !
> crypto dynamic-map DYNAMIC 1
> set transform-set MY_TRAN_SET
> reverse-route
> !
> !
> crypto map MYMAP client authentication list XAUTH_LOGIN
> crypto map MYMAP isakmp authorization list XAUTH_AUTHZ
> crypto map MYMAP client configuration address respond
> crypto map MYMAP 1 ipsec-isakmp dynamic DYNAMIC
>
> 1) I set up an IOS router as an EZVPN server, enabling the authentication
> and group lookup to be made locally on the router. I defined the user and
> group configs, all worked nicely! (well, after a little bit of
> troubleshooting there :-)
>
> 2) So I thought, come on, let's complicate life a little bit more and have
> some fun by enabling the authentication of the user and the group
> authorization to be made on ACS, didn't seem a bit straightforward :s
>
> - the user authentication seems to happen quite nicely. RADIUS
> Access-Request goes up to ACS and a RADIUS Access-Accept comes back -
> great!
>
> - however, I see another RADIUS Access-Request going up to ACS, this time
> with the group name as the "username" attribute
> [User-Name [1] 13 "EZVPN_ON_R4"]. This obviously gets rejected on ACS,
> as I have not defined it as a group. So I thought let me hack this and
> see if we can make it work anyhow. I then created a user on ACS and named
> him EZVPN_ON_R4.
>
> - cleared my EZVPN client to try again. This time, I got back 2 RADIUS
> Access-Accept messages from ACS. Which is great so far! BUT, as part of the
> default authorization attributes from ACS, 2 were sent back in the RADIUS
> Access-Accept for the group name (EZVPN_ON_R4). This was rejected by my
> router, complaining that these attributes are unsupported as far as EZVPN
> config on IOS is concerned. The authorization now failed over to the second
> configured method (which is local) and all passed successfully.
>
> - I now went back to the user/group on ACS, trying to see if I can actually
> remove these attributes so they don't get sent down, but to no avail. There
> is no option to remove them (they don't even appear on the list of
> attributes). My feeling is, they are compulsory.
>
> Question: Does it mean that isakmp policy authorization on ACS (or any other
> AAA server) is not supported at all and the group can only be defined
> locally on IOS???
>
> I could raise this with Cisco, but the fact that it's running on 12.3 doesn't
> give me much confidence there, but maybe I just should.
>
> Thanks,
> Sadiq
> --
> CCIE #19963
>
>
>
>
> Debug Radius:
> R4#
> *Mar 1 04:51:00.698: RADIUS: Pick NAS IP for u=0x8346F6DC tableid=0 cfg_addr=150.1.4.4
> *Mar 1 04:51:00.698: RADIUS: ustruct sharecount=2
> *Mar 1 04:51:00.698: Radius: radius_port_info() success=1 radius_nas_port=1
> *Mar 1 04:51:00.698: RADIUS(00000000): Send Access-Request to 150.1.121.254:1645 id 21645/44, len 83
> *Mar 1 04:51:00.702: RADIUS: authenticator 40 9C D8 1A 1C 31 2A F9 - DB A7 B3 42 49 CE E1 0F
> *Mar 1 04:51:00.702: RADIUS: NAS-IP-Address [4] 6 150.1.4.4
> *Mar 1 04:51:00.702: RADIUS: NAS-Port [5] 6 500
> *Mar 1 04:51:00.702: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
> *Mar 1 04:51:00.702: RADIUS: User-Name [1] 15 "Administrator"
> *Mar 1 04:51:00.702: RADIUS: Calling-Station-Id [31] 12 "150.1.69.6"
> *Mar 1 04:51:00.702: RADIUS: User-Password [2] 18 *
> *Mar 1 04:51:00.738: RADIUS: Received from id 21645/44 150.1.121.254:1645, Access-Accept, len 62
> R4#
> *Mar 1 04:51:00.738: RADIUS: authenticator D5 BC AB A9 49 89 31 A6 - 78 F5 AB 89 2B 12 62 0A
> *Mar 1 04:51:00.742: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
> *Mar 1 04:51:00.742: RADIUS: Class [25] 36
> *Mar 1 04:51:00.742: RADIUS: 43 41 43 53 3A 30 2F 38 37 65 33 2F 39 36 30 31 [CACS:0/87e3/9601]
> *Mar 1 04:51:00.742: RADIUS: 30 34 30 34 2F 41 64 6D 69 6E 69 73 74 72 61 74 [0404/Administrat]
> *Mar 1 04:51:00.742: RADIUS: 6F 72 [or]
> *Mar 1 04:51:00.742: RADIUS: saved authorization data for user 8346F6DC at 834C38BC
> *Mar 1 04:51:00.794: RADIUS: authenticating to get author data
> *Mar 1 04:51:00.794: RADIUS: Pick NAS IP for u=0x8339BE94 tableid=0 cfg_addr=150.1.4.4
> *Mar 1 04:51:00.794: RADIUS: ustruct sharecount=3
> *Mar 1 04:51:00.794: Radius: radius_port_info() success=1 radius_nas_port=1
> *Mar 1 04:51:00.794: RADIUS(00000000): Send Access-Request to 150.1.121.254:1645 id 21645/45, len 87
> *Mar 1 04:51:00.794: RADIUS: authenticator 32 DD A7 B9 07 76 A4 EC - F1 EF 4A 68 A7 F5 BD EA
> *Mar 1 04:51:00.794: RADIUS: NAS-IP-Address [4] 6 150.1.4.4
> *Mar 1 04:51:00.794: RADIUS: NAS-Port [5] 6 500
> *Mar 1 04:51:00.794: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
> *Mar 1 04:51:00.798: RADIUS: User-Name [1] 13 "EZVPN_ON_R4"
> *Mar 1 04:51:00.798: RADIUS: Calling-Station-Id [31] 12 "150.1.69.6"
> *Mar 1 04:51:00.798: RADIUS: User-Password [2] 18 *
> *Mar 1 04:51:00.798: RADIUS: Service-Type [6] 6 Outbound [5]
> *Mar 1 04:51:00.830: RADIUS: Received from id 21645/45 150.1.121.254:1645, Access-Accept, len 60
> *Mar 1 04:51:00.834: RADIUS: authenticator 90 16 BD 88 28 BA 6F F9 - C6 66 79 7B D6 A6 7C 78
> *Mar 1 04:51:00.834: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
> *Mar 1 04:51:00.834: RADIUS: Class [25] 34
> *Mar 1 04:51:00.834: RADIUS: 43 41 43 53 3A 30 2F 38 37 65 34 2F 39 36 30 31 [CACS:0/87e4/9601]
> *Mar 1 04:51:00.834: RADIUS: 30 34 30 34 2F 45 5A 56 50 4E 5F 4F 4E 5F 52 34 [0404/EZVPN_ON_R4]
> *Mar 1 04:51:00.834: RADIUS: saved authorization data for user 8339BE94 at 8368248C
> *Mar 1 04:51:00.834: RADIUS: Bad attribute (unsupported attribute): type 8 len 6 data 0xFFFFFFFF
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
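As an added example (not from the thread or either poster), here is a small Python parser for `debug radius` lines in the format quoted above: it splits the two exchanges apart, identifies the group-authorization request by the Service-Type Outbound that IOS puts on it (the XAUTH user request carries none), and flags the Framed-IP-Address 255.255.255.255 in the group's Access-Accept that the router logged as unsupported attribute type 8. The sample lines are constructed from the thread's own output with the wrapped lines rejoined.

```python
import re

# Constructed sample modelled on the thread's `debug radius` output (wrapped
# lines rejoined, authenticator and NAS-* lines left out for brevity).
SAMPLE_DEBUG = """\
RADIUS(00000000): Send Access-Request to 150.1.121.254:1645 id 21645/44, len 83
RADIUS: User-Name [1] 15 "Administrator"
RADIUS: Received from id 21645/44 150.1.121.254:1645, Access-Accept, len 62
RADIUS: Framed-IP-Address [8] 6 255.255.255.255
RADIUS(00000000): Send Access-Request to 150.1.121.254:1645 id 21645/45, len 87
RADIUS: User-Name [1] 13 "EZVPN_ON_R4"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: Received from id 21645/45 150.1.121.254:1645, Access-Accept, len 60
RADIUS: Framed-IP-Address [8] 6 255.255.255.255
RADIUS: Bad attribute (unsupported attribute): type 8 len 6 data 0xFFFFFFFF
"""

SEND_RE = re.compile(r"Send Access-Request to \S+ id ([\d/]+)")
RECV_RE = re.compile(r"Received from id ([\d/]+) \S+, (Access-\w+)")
ATTR_RE = re.compile(r"RADIUS: ([\w-]+) \[(\d+)\] \d+ (.*)$")
BAD_RE = re.compile(r"Bad attribute \(unsupported attribute\): type (\d+)")

def parse_exchanges(debug_text):
    """Group the debug lines into request/reply exchanges keyed by RADIUS id.
    Assumes every line belongs to an exchange opened by a Send line."""
    exchanges, cur, side = [], None, "request"
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            cur = {"id": m.group(1), "request": {}, "reply": {}, "code": None, "bad": []}
            exchanges.append(cur)
            side = "request"
        elif m := RECV_RE.search(line):
            cur["code"], side = m.group(2), "reply"
        elif m := BAD_RE.search(line):
            cur["bad"].append(int(m.group(1)))  # attribute type the router rejected
        elif m := ATTR_RE.search(line):
            cur[side][m.group(1)] = m.group(3).strip().strip('"')
    return exchanges

def classify(ex):
    """IOS tags the group-authorization request Service-Type=Outbound; the XAUTH user request has none."""
    return "group-authorization" if ex["request"].get("Service-Type", "").startswith("Outbound") else "xauth-user"

def find_problems(exchanges):
    """Flag group-authorization replies carrying Framed-IP-Address 255.255.255.255
    (RFC 2865: user may choose), which this IOS logs as unsupported attribute type 8."""
    return [(ex["id"], ex["request"].get("User-Name"), ex["reply"].get("Framed-IP-Address"))
            for ex in exchanges if classify(ex) == "group-authorization"
            and (ex["reply"].get("Framed-IP-Address") == "255.255.255.255" or 8 in ex["bad"])]
```

Running `find_problems(parse_exchanges(SAMPLE_DEBUG))` names the exchange, the group and the offending value, which is the evidence to bring to the ACS side before assuming the IOS group lookup has to stay local.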




This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:11 ARST