This document demonstrates how to configure a connection between a Cisco IOS Router and the Cisco VPN Client 4.x using RADIUS for group authorization and user authentication. Cisco IOS® Software Release 12.2(8)T and later support connections from Cisco VPN Client 3.x. The VPN Clients 3.x and 4.x use the Diffie-Hellman (DH) group 2 policy, so the ISAKMP policy on the router must include the group 2 command (isakmp policy # group 2); without it the VPN Clients cannot complete Phase 1 and connect.
Note: IPSec VPN Accounting is now available. Refer to IPSec VPN Accounting for more information and sample configurations.
Ensure that you meet these requirements before you attempt this configuration:
A pool of addresses to be assigned for IPSec
A group called "3000clients" with a pre-shared key of "cisco123"
Group authorization and user authentication on a RADIUS server
Note: RADIUS Accounting is not supported at this time.
The information in this document is based on these software and hardware versions:
A 2611 Router that runs Cisco IOS Software Release 12.2(8)T.
Cisco Secure ACS for Windows (any RADIUS server should work).
Cisco VPN Client for Windows version 4.8 (any VPN Client 4.x should work).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This is output from the show version command on the router:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK9O3S-M), Version 12.2(8)T,
RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 14-Feb-02 16:50 by ccai
Image text-base: 0x80008070, data-base: 0x81816184
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
vpn2611 uptime is 1 hour, 15 minutes
System returned to ROM by reload
System image file is "flash:c2600-jk9o3s-mz.122-8.T"
cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
Processor board ID JAD04370EEG (2285146560)
M860 processor: part number 0, mask 49
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
In this section, you are presented with the information to configure the features described in this document.
This document uses this network setup:
Note: The IP addresses in this example network are not routable in the global Internet because they are private IP addresses in a lab network.
Current configuration : 1884 bytes
!
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
!--- Enable AAA for user authentication and group authorization.
!--- (aaa new-model is restored here: the aaa authentication and
!--- aaa authorization commands below are ignored without it.)
aaa new-model
!
!--- In order to enable extended authentication (Xauth) for user authentication,
!--- enable the aaa authentication commands.
!--- "Group radius" specifies RADIUS user authentication.
aaa authentication login userauthen group radius
!
!--- In order to enable group authorization,
!--- enable the aaa authorization commands.
aaa authorization network groupauthor group radius
!
ip audit notify log
ip audit po max-events 100
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 3
!--- (Policy body restored: a pre-shared key and DH group 2 are required
!--- for the VPN Client, as described above; 3DES is assumed to match the
!--- transform set below.)
 encr 3des
 authentication pre-share
 group 2
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Create a dynamic map and
!--- apply the transform set that was created.
crypto dynamic-map dynmap 10
 set transform-set myset
!
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!--- Apply the crypto map on the outside interface.
!--- (The interface names are missing from the extracted configuration;
!--- placeholders in angle brackets stand in for them.)
interface <outside-interface>
 ip address 10.1.1.1 255.255.255.0
 crypto map clientmap
!
interface <unused-interface>
 no ip address
!
interface <inside-interface>
 ip address 172.18.124.159 255.255.255.0
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
ip local pool ippool 10.16.20.1 10.16.20.200
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip http server
ip pim bidir-enable
!
!--- Create an access control list (ACL) if you want to do split tunneling.
!--- This ACL is referenced in the RADIUS profile.
access-list 108 permit ip 172.18.124.0 0.0.255.255 10.16.20.0 0.0.0.255
!
!--- Specify the IP address of the RADIUS server,
!--- along with the RADIUS shared secret key.
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key cisco123
radius-server retransmit 3
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end
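The names in this configuration have to agree with each other and with the RADIUS profile: the crypto map points at the two AAA lists, the dynamic map at the transform set, and the ipsec:inacl attribute at an ACL that exists on the router. The following Python check is an added example, not part of the original document or of any Cisco tool; its sample configuration is constructed from the lines above, with aaa new-model left out deliberately so the check reports something, and with an assumed interface name.

```python
import re

# Constructed sample built from the router configuration on this page, with
# "aaa new-model" left out on purpose; the interface name is an assumption.
SAMPLE_CONFIG = """
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
crypto isakmp policy 3
 authentication pre-share
 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map clientmap
access-list 108 permit ip 172.18.124.0 0.0.255.255 10.16.20.0 0.0.0.255
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key cisco123
"""

def names(lines, pattern):  # first capture group of every line matching pattern
    return {m.group(1) for m in (re.match(pattern, l) for l in lines) if m}

def check_vpn_config(config, radius_acl=None):
    """Cross-check the names the crypto map, AAA lists and RADIUS profile share."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    login = names(lines, r"aaa authentication login (\S+)")
    author = names(lines, r"aaa authorization network (\S+)")
    tsets = names(lines, r"crypto ipsec transform-set (\S+)")
    dynmaps = names(lines, r"crypto dynamic-map (\S+)")
    # "crypto map NAME ..." defines a map; bare "crypto map NAME" applies it to an interface
    unapplied = names(lines, r"crypto map (\S+) ") - names(lines, r"crypto map (\S+)$")
    findings = [f"crypto map {cm} is never applied to an interface" for cm in sorted(unapplied)]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: the aaa authentication/authorization lines are ignored")
    if "group 2" not in lines:
        findings.append("no ISAKMP policy uses DH group 2, which VPN Client 3.x/4.x require")
    refs = [(r"crypto map \S+ client authentication list (\S+)", login, "Xauth list"),
            (r"crypto map \S+ isakmp authorization list (\S+)", author, "group authorization list"),
            (r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", dynmaps, "dynamic map"),
            (r"set transform-set (\S+)", tsets, "transform set")]
    for pattern, defined, what in refs:
        findings += [f"{what} {n} is referenced but not defined" for n in names(lines, pattern) - defined]
    if radius_acl and radius_acl not in names(lines, r"access-list (\d+)"):
        findings.append(f"RADIUS ipsec:inacl={radius_acl} names an ACL the router does not define")
    return findings
```

Run it against a real show running-config dump with the ACL number from the RADIUS profile; an empty list means every cross-reference resolves.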
RADIUS Server Configuration
Configure the RADIUS Server for AAA Clients (router)
Complete these steps:
Click Add Entry to add the router to the RADIUS server database.
Specify the IP address of the router "172.18.124.159" along with the shared secret key "cisco123" and choose RADIUS in the Authenticate Using drop-down box.
Configure the RADIUS Server for Group Authentication and Authorization
Complete these steps:
Click Add/Edit to add a User named 3000client to the RADIUS server.
Prior to Cisco IOS Software Release 15.8.3 and Cisco IOS XE Software Release 16.9.1, this password was a special keyword for Cisco IOS that indicates a group profile must be referenced. You can map the user to a Cisco Secure group if you prefer. Make sure that No IP address assignment is chosen.
From Cisco IOS Software Release 15.8.3 and Cisco IOS XE Software Release 16.9.1 onward, AAA authorization requires a password; this is mandatory. It is recommended to define the password with the isakmp authorization list aaa_list1 password <secret> command.
The administrator then configures the same <secret> as the password on the RADIUS server.
Specify the group authorization parameters that will be passed down by this user account back to the VPN Client.
Make sure you have cisco-av-pair enabled with these attributes:
ipsec:inacl=108 (only needed if you use split tunneling on the router)
Also, make sure that you have these IETF RADIUS Attributes enabled:
Attribute 6: Service-Type=Outbound
Attribute 64: Tunnel-Type=IP ESP
Attribute 69: Tunnel-Password=cisco123 (this is your group password on the VPN Client)
Once you have finished, click Submit.
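As an added example (not from the original document or from Cisco Secure ACS), this Python builds the attributes listed above as they are carried in the RADIUS Access-Accept for the group: Service-Type, Tunnel-Type, the cisco-av-pair vendor attribute and Tunnel-Password, whose RFC 2868 hiding is what keeps the group password unreadable to anyone without the RADIUS shared secret. The shared secret, Request Authenticator and salt values in the test are constructed.

```python
import hashlib, os, struct

# Attribute numbers and values from the RADIUS group profile described above.
SERVICE_TYPE, TUNNEL_TYPE, TUNNEL_PASSWORD, VENDOR_SPECIFIC = 6, 64, 69, 26
SERVICE_TYPE_OUTBOUND, TUNNEL_TYPE_ESP, CISCO_VENDOR_ID, CISCO_AVPAIR = 5, 9, 9, 1

def attr(atype, value):
    """Generic RADIUS TLV: type, total length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def service_type(value=SERVICE_TYPE_OUTBOUND):
    return attr(SERVICE_TYPE, struct.pack("!I", value))

def tunnel_type(value=TUNNEL_TYPE_ESP, tag=0):
    # RFC 2868 tunnel attributes carry a one-byte tag before a 3-byte value
    return attr(TUNNEL_TYPE, bytes([tag]) + value.to_bytes(3, "big"))

def cisco_avpair(text):
    """cisco-av-pair is vendor 9, vendor-type 1, carrying e.g. ipsec:inacl=108."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def _crypt(secret, request_auth, salt, data, decrypt):
    """RFC 2868 s3.5 chaining: b1 = MD5(S+R+A), bn = MD5(S + c(n-1)); c = p xor b."""
    out, prev = b"", request_auth + salt
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret.encode() + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        out += block
        prev = data[i:i + 16] if decrypt else block  # always chain on the ciphertext block
    return out

def tunnel_password(password, secret, request_auth, salt=None, tag=0):
    """Tunnel-Password (69): the group password hidden with the RADIUS shared secret."""
    salt = salt or bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])  # salt MSB must be set
    plain = bytes([len(password)]) + password.encode()
    plain += b"\x00" * (-len(plain) % 16)  # pad to whole 16-byte blocks
    return attr(TUNNEL_PASSWORD, bytes([tag]) + salt + _crypt(secret, request_auth, salt, plain, False))

def decode_tunnel_password(attribute, secret, request_auth):
    """What the router does on receipt; only a holder of the shared secret recovers the password."""
    salt, cipher = attribute[3:5], attribute[5:]
    plain = _crypt(secret, request_auth, salt, cipher, True)
    return plain[1:1 + plain[0]].decode()

def group_profile(secret, request_auth, acl="108", group_password="cisco123"):
    """All attributes the group profile above returns in the Access-Accept."""
    return (service_type() + tunnel_type() + cisco_avpair(f"ipsec:inacl={acl}")
            + tunnel_password(group_password, secret, request_auth))
```

Because the hiding is keyed by the shared secret and the per-request authenticator, a weak or widely reused RADIUS secret exposes every group password the server hands out.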
Under Vendor Specific Attributes, you can also enable these optional attributes:
Configure the RADIUS Server for User Authentication
Complete these steps:
Click Add/Edit to add the VPN user in the Cisco Secure database.
In this example, the username is cisco.
On the next window, specify the password for the user cisco. The password is also cisco.
You can map the user account to a group. Once you have finished, click Submit.
VPN Client 4.8 Configuration
Complete these steps in order to configure the VPN Client 4.8: