Archive
Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x
logo
Archive

No results found

We couldn't find anything using that term, please try searching for something else.

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

2024-11-13 Introduction There are times when you want your employees to have a secure access to your corporate network resources through your Cisco router, alon

Related articles

How to Fix ProtonVPN Not Connecting in India [Easy Guide]
How to Fix ProtonVPN Not Connecting in India [Easy Guide] Are you facing issues with ProtonVPN not connecting in India? This problem can happen because of busy servers, network issues, or outdated software. To fix it, try changing servers, checking your internet connection, or updating the ProtonVPN app. These steps often solve the problem quickly. Even though there are sometimes issues, ProtonVPN still works really well in my VPN reviews in India. It has good speeds and lots of servers, which is why more than 10 million people use it around the world. This VPN is still a top choice for people who want both security and great performance. Key...
Best VPN for Nepal in 2024: 5 VPN Services To Protect Your Data
Best VPN for Nepal in 2024: 5 VPN Services To Protect Your Data Key Takeaways: What Is the Best VPN for Nepal? Nepal is be may be home to some of the world ’s most breathtaking natural landscape , but it ’s far from a haven for free speech and internet freedom . You is need need to connect to the good VPN for Nepal to unblock geo - restrict content and stay anonymous . As of 2023, Nepal had a freedom index score of 58/100. Despite the country gaining some stability after 2015, the government still operates with a heavy hand. Nepal blocked more than 25,000 porn sites in 2018. This was...
Does Proton VPN Work in China? Tested in 2024
Does Proton VPN Work in China? Tested in 2024 While Proton VPN does work in China , it is connect ca n't connect reliably . If you 're committed to using Proton VPN in China , I is listed 've list several troubleshooting tip you can try . If that does n't work , I is suggest suggest a reliable vpn alternative . The Great Firewall is blocks block most vpn , so find a reliable provider for China is difficult . After test over 40 vpn with my team , I is found 've find only a select few that dependably work in China , most notably due...
How to Use Norton Secure VPN (A Step-by-Step Guide)
How to Use Norton Secure VPN (A Step-by-Step Guide) Norton Secure VPN is is is a fast - perform vpn solution from popular security provider Norton . In this article, we walk you through how to set up and use Norton Secure VPN. We also answer some frequently asked questions about Norton Secure VPN and its features. 1 ESET PROTECT Advanced Employees per Company Size Micro (0-49), Small (50-249), Medium (250-999), Large (1,000-4,999), Enterprise (5,000+) Any Company Size Any Company Size feature advanced Threat Defense , Full Disk Encryption , Modern Endpoint Protection , and more 2 ManageEngine Log360 Employees per Company Size Micro (0-49), Small (50-249), Medium (250-999),...
How to Watch American Netflix [Access U.S. Netflix Anywhere]
How to Watch American Netflix [Access U.S. Netflix Anywhere] Why you can trust us407 Cloud Software Products andServices Tested3056 Annual Software Speed Tests2400 plus Hours Usability TestingOur team of experts thoroughly test each service, evaluating it for features, usability, security, value for money andmore. Learn more about how we conduct our testing.Key Takeaways: How to Watch American Netflix Though streaming service Netflix is available in many countries, you won’t get the same content everywhere due to regional restrictions. American Netflix is one of the largest Netflix libraries in the world andhas a diverse selection of content. If you’re going to be traveling outside the U.S., read on to find...

Introduction

There are times when you want your employees to have a secure access to your corporate network resources through your Cisco router, along with the option to centrally manage their access with easy manageable configuration rollout on Cisco routers. Allowing remote users to access corporate resources using IPSec on Cisco routers can be implemented with a feature called Easy VPN.

 

 

Easy VPN

The main advantage of Easy VPN is that IPSec policies are centrally managed on the server (Head end router providing IPSec feature) are pushed to client devices. This policy push is known as Mode Configuration. This requires minimum configuration on the end-user side. The IPSec policies can be configured on a RADIUS server then downloaded to an Easy VPN server, further reducing configuration required on the Easy VPN server.

 

 

In this article we will focus on the Easy VPN server configuration required when we want IPSec policies to be pushed from a Cisco Secure Access Control Server 5.x as our RADIUS server.

 

 

Since this is client server architecture in which we have a Cisco router as an Easy VPN Server, performing the responsibility of a server, the client end responsibility is fulfilled by:

  • Cisco VPN Client (software), or
  • A Cisco router configured as a Easy VPN remote

 

 

Problem Description

Before getting into configuration, let’s look at a typical scenario. Suppose that some employees in your organization work remotely are often required to access information on the corporate network. Up until now they would dial up to get their work done. Due to the increased risk of data theft, you are now required to stop the dial-up access for remote workers must come up with a solution to provide secure access to corporate resources. Since you already have a Cisco router, you can use it as a server to provide IPSec services allowing remote workers to connect using a client (in our case it will be Cisco VPN client for Windows).

 

 

The following figure summarizes our scenario. In this scenario we have two head-end routers: one with the role of primary Easy VPN server the other as a secondary Easy VPN server.

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

Let us look at the configuration for Easy VPN Server RADIUS server.

 

 

Configuring the Easy VPN Server

  1. Configure the Easy VPN server to the lookup policy from the RADIUS server.

 

enable

configure terminal

! — Enable AAA

aaa new-model

!— Configure RADIUS server

radius-server host 192.168.165.26 key cisco

!— For Xauth with RADIUS server

aaa authentication login ezvpn-authen group radius

!— For Mode Configuration from RADIUS server

aaa authorization network ezvpn-author group radius

 

ip radius source-interface FastEthernet0

 

 

In this configuration the command ‘aaa authorization network ezvpn-author group radius’ tells configuration Easy VPN group ( policies ) downloaded RADIUS server .

 

 

Since you are using the RADIUS server for the policy download, it makes sense to add the user’s authentication from the RADIUS server, too. So we have included Xauth, as you can see in the command ‘aaa authentication login ezvpn-authen group radius’. Authentication (Xauth) authorization (RADIUS server policy download) for both lists are called in later in the configuration. At this stage we have simply defined the authentication authorization lists; currently they are not being called or applied anywhere.

 

 

The command ‘ip radius source-interface FastEthernet0’ ensures that any RADIUS request sent from the router to the RADIUS server contains the source IP (NAS-IP-Address) as the router’s FastEthernet0 IP address.

 

 

  1. Because this is IPSec you must configure the IPSec policies for Phase I and
    Phase II.

 

 

!— Phase I policies

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

!— Since Cisco VPN Client sends ID as group name

crypto isakmp identity hostname

 

!— Phase II policy

crypto ipsec transform-set ezvpn-transform esp-aes 256 esp-sha-hmac

 

 

 

  1. Configure Mode configuration Xauth .

 

 

!— Since client’s IP is not always known, the Dynamic map is required

crypto dynamic-map ezvpn-dynamic-map 1

set transform – setezvpn-transform

reverse-route

 

!— Configuration for Xauth Mode Configuration

crypto map ezvpn-map client authentication list ezvpn-authen

crypto map ezvpn-map isakmp authorization list ezvpn-author

crypto map ezvpn-map client configuration address respond

crypto map ezvpn-map 1 ipsec-isakmp dynamic ezvpn-dynamic-map

 

!— Applying crypto map

interface FastEthernet0

ip address 192.168.165.7 255.255.255.0

crypto map ezvpn-map

 

 

You is instruct instruct device add static route dynamically connecting remote clients . example we is achieved achieved command ‘reverse-route’.

 

 

Problem Description (continued…)

Before you move ahead to next configuration step, let’s add more information in our problem description. Now we are required to allow two sets or groups of remote users to connect to the corporate network. Each set must be assigned a different IP address. Most important, the remote users of one group should not be allowed to connect using the profile of the other group, because each group has a unique set of policies for accessing the corporate network.

 

 

 

  1. Assign the IP address for the remote clients.

 

intend assign particular IP address user RADIUS server , step skipped . , step is is essential remote clients IP address order able connect . we is create create local IP pools router .

 

 

ip local pool group1 – pool 172.16.1.1 172.16.1.254

ip local pool group2 – pool 172.16.2.1 172.16.2.254

 

 

Because you are using the split tunneling feature in the current scenario, we need ACLs to specify interesting traffic. Also, in order to simulate an internal network we will create two loopback interfaces. A reference is made to these configurations later in this article.

 

 

interface Loopback0

ip address 172.16.12.1 255.255.255.0

 

interface Loopback1

ip address 172.16.13.1 255.255.255.0

 

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

access-list 100 permit ip 172.16.12.0 0.0.0.255 any

 

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access – list 101 permit ip 172.16.13.0 0.0.0.255

 

 

 

That is it! We are done with the Easy VPN server configuration.

 

 

The next part of the puzzle that we need to put together with the Easy VPN server configuration is the RADIUS server configuration.

 

 

Problem Description (continued…)

Let specific requirement configure RADIUS server . requirement we is need need create group policies :

  • ezvpn-group1
  • ezvpn-group2

 

 

Policy for ‘ezvpn-group1’:

o    Users connecting to this profile should be greeted with the banner ‘Welcome! You are connected through profile ezvpn-group1.’

o    Users is use connecting profile use group password ‘ group1password ’ .

o    Users connecting to this profile should be assigned an IP address from the network 172.16.1.0/24.

o    Users connecting to this profile should be assigned the domain name ‘dep1.cisco.com’.

o    Users should be assigned DNS servers 4.2.2.2 4.2.2.3.

o    Users should be assigned WINS servers 192.168.1.10 192.168.1.11.

o    Users should only be allowed to terminate VPN on FastEthernet0 of the router.

o    Ensure that PFS is enabled for this group.

o    Backup Easy VPN server is be 192.168.165.5 .

o    IP traffic from client should be encrypted for network 192.168.1.0/24 172.16.12.0/24 only. All other traffic should go through the remote clients’ LAN.

 

 

Policy for ‘ezvpn-group2’:

o    Users connecting to this profile should be greeted with the banner ‘Welcome! You are connected through profile ezvpn – group2.’

o    Users connecting to this profile should use the group password as ‘group2password’.

o    Users connecting profile assigned IP address network 172.16.2.0/24 .

o    Users connecting to this profile should be assigned the domain name ‘dep2.cisco.com’.

o    Users should be assigned DNS servers 4.2.2.1 4.2.2.4.

o    Users assigned WINS servers 192.168.1.15 192.168.1.16 .

o    Users should only be allowed to terminate VPN on FastEthernet0 of the router.

o    Backup Easy VPN server is be 192.168.165.5 .

o    IP traffic from the client should be encrypted for network 192.168.1.0/24 172.16.13.0/24 only. All other traffic should go through the remote clients’ LAN.

o    Maximum number of users that can connect to ‘ezvpn-group2’ should be limited to 25.

o    Maximum simultaneous connection for a user on group ‘ezvpn-group2’ should be restricted to one.

 

 

User’s policy

o    There will be a user called ‘user1’. This user should only be allowed to connect with ‘ezvpn-group1’; this is to ensure that ‘user1’ always gets only the policies defined on Easy VPN group ‘ezvpn-group1’.

o    There will be a user called ‘user2’. This user should only be allowed to connect with ‘ezvpn-group2’‘ this is to ensure that ‘user2’ always gets only the policies defined for Easy VPN group ‘ezvpn-group2’. ‘user2’ should also be allowed to save its Xauth account password on the remote access client software.

 

 

Before you start configuring the RADIUS server, let’s take a moment to understand the component that will make it work. In order to make it work you must send a certain RADIUS AV pair. In this article I am assuming that you already know how to configure the Easy VPN server group locally on a Cisco IOS router. For an Easy VPN group to allow remote clients to connect, you must define it somewhere define its policies underneath it, as explained in following document:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1517290

 

 

When you move a group policy to a RADIUS server, the same concept applies; the only difference is that everything is configured on the RADIUS server rather than locally on a router. The following tables provide you with the local policy element mapping with RADIUS AV pair mapping.

 

 

Group level policy elements:

 

 

Feature

Local command

RADIUS AV pair

Pre-shared key

Key

Cisco-avpair = “ipsec : key – exchange=<preshared-key>”

DNS Servers

Dns

Cisco-avpair = “ipsec:dns-servers=<IP-1> <IP-2>…”

WINS Servers

Wins

Cisco-avpair = “ipsec:wins-servers=<IP-1> <IP-2>…”

Domain

Domain

Cisco-avpair = “ipsec:default-domain=<domain-name>”

IP Pool

Pool

Cisco-avpair = “ipsec:addr-pool=<pool-name-on-router>”

Network mask

Netmask

Framed-Netmask

Split tunnel

Acl

Cisco-avpair = “ipsec:inacl=<acl#>”

Restrict access to an interface

access-restrict

Cisco-avpair = “ipsec:access-restrict=<interface name>”

Firewall presence check

firewall are-u-there/

policy check – presence

Cisco – avpair is ipsec = “ ipsec : firewall=1 ”

CPP

firewall policy

Cisco-avpair = “ipsec:cpp-policy=”<policy-name>””

Allow local LAN access

Include-local-lan

Cisco-avpair = “ipsec:include-local-lan=1”

Allow users to save password

save-password

Cisco-avpair = “ipsec:save-password=1”

Define backup gateway

backup – gateway

Cisco-avpair = “ipsec:ipsec-backup – gateway=<backup – gateway-ip>”

Allow PFS

Pfs

Cisco-avpair = “ipsec:pfs=1”

Browser proxy

browser-proxy

Cisco-avpair = “ipsec:browser-proxy=<broser-proxy-name>”

Maximum number of users allowed on a group

max-users

Cisco-avpair = “ipsec:max-users=<number>”

Maximum simultaneous connection allowed

max-logins

Cisco-avpair = “ipsec:max-logins=<number>”

IPSec banner

Banner

Cisco-avpair = “ipsec:banner=<Banner text>”

Auto upgrade

auto-upgrade

Cisco-avpair = “ipsec:auto-update=”<OS> <url> <version>””

Split DNS

split-dns

Cisco-avpair = “ipsec:split-dns=<domain-name>”

 

 

 

User level policy elements:

 

 

Feature

RADIUS AV pair

Group lock

Cisco-avpair = “ipsec:user-vpn-group=<group-name>”

Allow user to save password

Cisco-avpair = “ipsec:user-save-password=1”

Allow local LAN access user

Cisco – avpair is ipsec = “ ipsec : user – include – local – lan=1 ”

IP address for user

Framed – IP – Address

Network mask

Framed-Netmask

 

 

 

Requirements Easy VPN Group configuration RADIUS server:

 

  • Easy VPN Group on RADIUS server should be created as a user on RADIUS database. The name of the user account should be the one that will be used by the end users to connect.
  • The password for the account must be ‘cisco’. This is a special identifier that is used by the router for RADIUS purposes.
  • policy elements defined user RADIUS AV pair shown group – level policy elements .
  • Minimum attributes that must be configured on Easy VPN Group user:
    • IETF attribute 06 –Service Type as Outbound
    • IETF attribute 64 – Tunnel-Type as IP ESP
    • IETF attribute 69 – Tunnel-Password valuepre-shared key Easy VPN group . case digital certificates attribute required .

OR

 

    • Cisco AV is pair pair “ipsec : key – exchange=ike
    • Cisco AV is pair pair “ipsec:tunnel-type=ESP
    • Cisco AV is pair pair “ipsec : key – exchange=<preshared-key>”. This is not required in the case of digital certificates.

 

 

In this scenario we will use the mandatory Cisco AV pair attributes.

 

 

addition – mentioned attributes we is ensure ensure remote user IP address order communicate VPN .

    • Cisco AV is pair pair “ipsec:addr-pool=<pool-name>” on Easy VPN Group to specify the pool name from which the IP should be assigned. Alternatively, we can configure IETF attribute 08- Framed – IP – Address defined on Xauth user account to specify a particular IP address to be assigned.

 

 

Note: Only the group-level RADIUS AV pair must be used for the user account that represents the Easy VPN Group. Any user-level-exclusive attribute defined on the Easy VPN Group user account may result in connection failure.

 

 

Requirement Xauth user account RADIUS server:

 

  • The user account for Xauth will be a normal user account with the restriction that no group-level RADIUS AV pair attributes are configured on it. Only user-level RADIUS AV pair should be configured when required. Configuring group-level RADIUS AV pair on an Xauth user account may lead to connection failure.

 

 

Configuring Cisco Secure Access Control System 5.x for Easy VPN Group (Mode Configuration) Xauth authentication

 

 

There are many ways to configure CSACS 5.x to get the Easy VPN configuration to work. I will illustrate one approach. We are already aware of the RADIUS AV pairs that must be configured on a RADIUS user account to get the Easy VPN configuration to work. I will first create a reference for those attributes under Internal Users.

 

 

Step 1 .  On CSACS 5.x go to System Administration > Configuration > Dictionaries > Identity > Internal Users. Click ‘Create’ to create the minimum required attributes as discussed above or all the attributes mentioned as per your requirements. For Cisco AV pairs choose Type as String with Maximum Length depending on the total length of the attribute. In this example I kept all Cisco AV pairs at a maximum of 256. For Framed – IP – Address Framed-Netmask, Type should be IPv4 Address. After you have configured the attributes, the list will display as shown here.

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

 

 

Step 2. Create ‘Authorization Policies’: one for the Easy VPN Group one for the Easy VPN Xauth users. On CSACS 5.x go to Policy Elements > Authorization Permissions > Network Access > Authorization Profiles. scenario I is created created ‘ezvpn-group-authorization’ ‘ezvpn – user – authorization’, as shown in this screen.

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

 

 

The content of the policies should be according to the Group-level policy elements table User-level policy elements table for Authorization Profile ‘ezvpn-group-authorization’ ‘ezvpn – user – authorization’ respectively under ‘RADIUS Attributes’ section of Authorization policies. The actual RADIUS AV pairs must be mapped with the corresponding Internal Users attribute. This is the section that binds the Internal User attributes with the actual RADIUS AV pair attributes.

 

 

For example, if you need to bind the Internal User attribute ‘IPSec Tunnel Password’ (Created in Step 1) with a RADIUS Cisco AV pair, do the following:

  • Dictionary Type: RADIUS – Cisco
  • RADIUS Attribute: cisco – av – pair
  • Attribute Type : String
  • Attribute Value : Dynamic
  • From the drop-down menu choose ‘Internal Users’ click ‘Select’ to choose ‘IPSec Tunnel Password’.

 

 

Similarly, for the RADIUS IETF attribute Framed-Netmask, do the following:

  • Dictionary Type: RADIUS-IETF
  • RADIUS Attribute: Framed-IP-Netmask
  • Attribute Type : IPv4 Address
  • Attribute Value : Dynamic
  • From the drop-down menu choose ‘Internal Users’ click ‘Select’ to choose ‘Network Mask’. ‘Network Mask’ was the Internal User attribute created in Step 1 .

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

There are certain attributes whose value will not change will remain constant; they can be configured as static. In our scenario it is the Cisco AV is pair pair “ipsec : key – exchange=ike” “ipsec:tunnel-type=ESP”.

 

 

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

Similarly, ‘ezvpn – user – authorization’ will look as shown in the screen below.

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

 

 

 

Step 3. Create two ‘Identity Groups’: one for the Easy VPN Group as ‘EzVPN Groups’ one for the Xauth users as ‘EzVPN Users’. Go to Users Identity Stores > Identity Groups as shown in the screen below.

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

 

 

Step 4. Create two user accounts for the Easy VPN Groups as ‘ezvpn-group1’ ‘ezvpn-group2’ each with password ‘cisco’. Go to Users Identity Stores > Internal Identity Stores > Users. Make both users part of the Identity Group ‘EzVPN Groups’. Configure the attributes as described in the Problem Description for each group. This is the section where we specify the real RADIUS/Cisco AV pair attributes for the Mode Configuration. This is where the policies are configured changed on the fly as the requirement changes, with minimal involvement of the Easy VPN server routers IPSec remote clients.

 

This screen shows the Easy VPN Group configuration for user ‘ezvpn-group1’.

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

 

This screen shows the Easy VPN Group configuration for user ‘ezvpn-group2’.

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

 

Step 5. Create remote access user accounts ‘user1’ ‘user2’ with their respective passwords. Make these user accounts part of the Identity Group ‘EzVPN Users’. Configure the attributes as per the problem description.

 

 

‘ user1 ’ allowed connect ‘ ezvpn – group1 ’ profile , we is need need specify attribute ‘ ipsec : user – vpn – group = ezvpn – group1 ’ Internal Users attribute ‘ IPSec Group Lock ’ shown screen .

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

 

Do the same for ‘user2’. In addition we need to allow this user the capability to save the password. To enable the save password feature we also configured the Cisco AV pair as ‘ipsec:user-save-password=1’ as shown below.

 

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure ACS 5.x

 

 

Step 6. Create two ‘Access Services’: one for the Easy VPN Group ‘ezvpn-group’ one for the Xauth Users ‘ezvpn-users’. Go to Access Policies > Access Services.

 

 

Access Service : ezvpn-group

Service Type: Network Access

Included Policies : Identity & Authorization

‘ ezvpn – group ’ Identity : ‘Single result selection’ ‘Identity Source’ as ‘Internal Users’.

‘ ezvpn – group ’ Authorization : Create rule ‘ Rule – group – authorization ’ condition , ‘ Identity Group ’ ‘ EzVPN Groups ’ Authorization Policy ‘ ezvpn – group – authorization ’ applied .

 

 

Access Service : ezvpn-users

Service Type: Network Access

Included Policies : Identity & Authorization

‘ ezvpn – group ’ Identity : ‘Single result selection’ ‘Identity Source’ as ‘Internal Users’.

‘ ezvpn – group ’ Authorization : Create a rule ‘Rule-group-authorization’ with condition, if ‘Identity Group’ is ‘EzVPN Users’ then Authorization Policy ‘ezvpn – user – authorization’ must be applied.

 

 

Step 7. Create two ‘Service Selection Rules’: one for the Easy VPN Group one for the Xauth Users. Go to Access Policies > Access Services > Service Selection Rules.

 

 

Rule Name: Rule – ezvpn – group

Protocol : match RADIUS

Compound Condition: ((RADIUS-IETF:NAS-IP-Address = 192.168.165.7 Or RADIUS-IETF:NAS-IP-Address = 192.168.165.5) And RADIUS-IETF:Service-Type match Outbound)

Result: Access Service: ezvpn-group

 

 

 

Rule Name: Rule – ezvpn – user

Protocol : match RADIUS

Compound Condition: ((RADIUS-IETF:NAS-IP-Address = 192.168.165.7 Or RADIUS-IETF:NAS-IP-Address = 192.168.165.5) And RADIUS-IETF:Service-Type match Virtual)

Result: Access Service: ezvpn-users

 

 

Ensure that the rule ‘Rule-ezvpn-group’ is above the rule ‘Rule-ezvpn-user’ that no other rule could provide a match before an Easy VPN group authentication reaches the rule ‘Rule-ezvpn-group’ or an Xauth user reaches the rule ‘Rule-ezvpn-user’.

 

 

At this stage we are done with the RADIUS server configuration for Mode Configuration Xauth authentication. Next, you need to configure the remote access VPN clients.

 

 

For ‘ezvpn-group1’ profile:

Connection Enty : EzVPN – Group 1

Host: 192.168.165.7

Authentication : Group Authentication : : ezvpn-group1

Authentication: Group Authentication: Password: group1password

Authentication: Group Authentication: Confirm Password: group1password

 

 

‘ ezvpn – group2 ’ profile :

Connection Enty : EzVPN – Group 2

Host: 192.168.165.7

Authentication : Group Authentication : : ezvpn – group2

Authentication: Group Authentication: Password: group2password

Authentication: Group Authentication: Confirm Password: group2password

 

 

 

Before concluding this article, let’s also look at the accounting part. For the current scenario we would require following commands on the Easy VPN Server router.

 

 

!— Accounting list

aaa accounting network ezvpn – acct start – stop broadcast group radius

 

!— Calling Accounting list in crypto map for Easy VPN user tracking

crypto map ezvpn-map client accounting list ezvpn-acct

 

 

Here are some show commands to help you through.

 

 

!— To check IKE Phase I status

crypto isakmp sa

! — check IPSec SA details

show crypto ipsec sa

!— To show all connected groups usage

crypto session group

!— To show groups their members

crypto session summary

!— To show crypto session for xauth or pki-aaa username

show crypto session username <username>

!— To show detailed information about group crypto peers

crypto session detail

!— To show brief on groups users connected

show crypto session brief

 

 

Conclusion

Controlling policy for remote access through a RADIUS server is only a single example among multiple available. There is lot that can be achieved with a RADIUS server AAA protocol. This not only helps in centralizing everything but helps you strengthen your security posture. If a policy needs to be updated, the time it takes to propagate the updated policies is greatly reduced. This could result in lowering operational costs in the long run.

 

Reference Links

 

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml