Cisco VPN Client(4.8.01.0300) + Router(C1812) + Radius Auth(MS IAS)

I have a problem with Cisco VPN Client to router using RADIUS auth. This config works, I can log in with any group and I'll get the correct info, but there are two main problems.

First off, I can't use the access-list to match incoming traffic on interface outside, since it's only matching udp 4500 traffic that's still encrypted. Is there a way to get the ACL to work after it's been decrypted? It's something similar to "sysopt connection permit" on PIX, right? Can I turn it off? I have it matching outgoing traffic for the inside interface now, but that sucks.

Second, the RADIUS server is an IAS server and uses 3 Active Directory groups, each configured to one client VPN profile. This works fine, and then I send a Class OU back that has the same name as the client VPN groups. So the user sends auth, the router sends to RADIUS, RADIUS matches the user group to his profile and sends back OU=adm.grp; and then the router just ignores that and allows the user in. So if I add a user to the basic user group, he can log in to the admin VPN profile too. Is there some aaa command I'm missing? The Class OU is an accounting aaa command, right? I have searched for hours and hours and I can't find any config on this. Is it even possible?

Router_VPN#sh run
Building configuration...

Current configuration : 4123 bytes
!
! Last configuration change at 09:47:36 UTC Fri Aug 17 2007 by ejs
! NVRAM config last updated at 09:47:37 UTC Fri Aug 17 2007 by ejs
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_VPN
!
boot-start-marker
boot-end-marker
!
logging buffered 16386 debugging
enable secret 5 -----
!
aaa new-model
!
!
aaa authentication login clientuserauth group radius
aaa authorization network clientgroupauth local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
ip domain name foo.com
!
!
!
username foo privilege 15 password 0 bar
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group bas.usr.grp
 key foobar
 dns 192.168.26.106 192.168.26.101
 wins 192.168.26.101
 domain CLIENT_NET
 pool bas.usr.pool
 acl 101
!
crypto isakmp client configuration group adv.usr.grp
 key foobar
 dns 192.168.26.106 192.168.26.101
 wins 192.168.26.101
 domain CLIENT_NET
 pool adv.usr.pool
 acl 102
!
crypto isakmp client configuration group adm.grp
 key foobar
 dns 192.168.26.106 192.168.26.101
 wins 192.168.26.101
 domain CLIENT_NET
 pool adm.pool
 acl 103
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-MD5
!
!
crypto map VPNMAP client authentication list clientuserauth
crypto map VPNMAP isakmp authorization list clientgroupauth
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
 description Ytranet
 ip address x.x.x.x 255.255.255.224
 ip access-group 110 in
 duplex auto
 speed auto
 crypto map VPNMAP
!
interface FastEthernet1
 description Innranet
 ip address 192.168.26.251 255.255.254.0
 ip access-group 111 out
 speed 100
 full-duplex
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
ip local pool bas.usr.pool 10.0.1.1 10.0.1.254
ip local pool adv.usr.pool 10.0.2.1 10.0.2.254
ip local pool adm.pool 10.0.3.1 10.0.3.254
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip host x.x.x.x any
access-list 100 permit ip host x.x.x.x any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit ip host x.x.x.x any
access-list 110 permit ip host x.x.x.x any
access-list 111 remark ##Admin-VPN##
access-list 111 permit ip 10.0.3.0 0.0.0.255 any
access-list 111 remark ##Basic-User-VPN##
access-list 111 permit tcp 10.0.1.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
access-list 111 permit tcp 10.0.1.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
access-list 111 deny ip 10.0.1.0 0.0.0.255 any
access-list 111 remark ##Advanced-User-VPN##
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1352
access-list 111 permit tcp 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1422
access-list 111 deny ip 10.0.2.0 0.0.0.255 any
!
!
!
!
!
radius-server host 192.168.26.110 auth-port 1645 acct-port 1646 key foobar
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password ciscolab
 transport input ssh
!
ntp clock-period 17180161
ntp server 157.157.255.11
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
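As an added illustration, not part of the original post and not Cisco code, here is a small Python model of the authorization decision the second question is about: a user should only be admitted to an IKE client group when the RADIUS Class attribute names that group, which is the check the post says the router is skipping. The config excerpt is constructed from the group and pool lines of the posted running-config; the RadiusReply structure and the enforce_group_lock flag are assumptions used to contrast the behaviour described (Class ignored, any authenticated user gets into any group) with the intended group-lock check. It does not claim how IOS implements the check internally.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the EzVPN-server stanzas from the posted config;
# only the lines the check below needs are kept.
SAMPLE_CONFIG = """
crypto isakmp client configuration group bas.usr.grp
 pool bas.usr.pool
 acl 101
!
crypto isakmp client configuration group adv.usr.grp
 pool adv.usr.pool
 acl 102
!
crypto isakmp client configuration group adm.grp
 pool adm.pool
 acl 103
!
ip local pool bas.usr.pool 10.0.1.1 10.0.1.254
ip local pool adv.usr.pool 10.0.2.1 10.0.2.254
ip local pool adm.pool 10.0.3.1 10.0.3.254
"""


@dataclass
class VpnGroup:
    name: str
    pool: Optional[str] = None
    acl: Optional[str] = None


@dataclass
class RadiusReply:
    """Assumed minimal shape of an Access-Accept/Access-Reject from IAS."""
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: Dict[str, List[str]] = field(default_factory=dict)


def parse_groups(config: str) -> Dict[str, VpnGroup]:
    """Collect each 'crypto isakmp client configuration group' stanza with its pool and acl."""
    groups: Dict[str, VpnGroup] = {}
    current: Optional[VpnGroup] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto isakmp client configuration group (\S+)$", line)
        if m:
            current = VpnGroup(m.group(1))
            groups[current.name] = current
            continue
        if not line.startswith(" "):            # any top-level line ends the stanza
            current = None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition(" ")
        if key == "pool":
            current.pool = value
        elif key == "acl":
            current.acl = value
    return groups


def parse_class_ous(reply: RadiusReply) -> List[str]:
    """Extract group names from Class attributes written as 'OU=<group>;' (the format in the post)."""
    ous: List[str] = []
    for value in reply.attributes.get("Class", []):
        for part in value.split(";"):
            part = part.strip()
            if part.upper().startswith("OU="):
                ous.append(part[3:])
    return ous


def authorize(requested_group: str, reply: RadiusReply, groups: Dict[str, VpnGroup],
              enforce_group_lock: bool = True) -> Tuple[bool, str]:
    """Decide whether the user may enter the IKE group they asked for.

    enforce_group_lock=False reproduces the behaviour the post describes: once RADIUS
    authenticates the user, the Class OU is ignored.  enforce_group_lock=True applies
    the intended check: the OU returned by RADIUS must name the requested group.
    """
    if requested_group not in groups:
        return False, f"unknown group {requested_group}"
    if reply.code != "Access-Accept":
        return False, "RADIUS rejected the user"
    if not enforce_group_lock:
        return True, "user authenticated; group membership not checked"
    ous = parse_class_ous(reply)
    if requested_group in ous:
        return True, f"Class OU matches requested group {requested_group}"
    return False, f"Class OU {ous or 'missing'} does not include {requested_group}"


if __name__ == "__main__":
    groups = parse_groups(SAMPLE_CONFIG)
    # Constructed reply: IAS placed the user in the basic-user AD group.
    reply = RadiusReply("Access-Accept", {"Class": ["OU=bas.usr.grp;"]})
    for lock in (False, True):
        allowed, why = authorize("adm.grp", reply, groups, enforce_group_lock=lock)
        print(f"group-lock={lock}: adm.grp -> {'ALLOW' if allowed else 'DENY'} ({why})")
```

Running it shows the same basic user being admitted to adm.grp without the check and refused with it, which is the difference between the poster's current result and the one they want from the Class OU; a user asking for bas.usr.grp with the same reply is allowed in both modes.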

ahab.captain
