[c-nsp] Remote Access to MPLS based VPN
BoXeR
piestaga at aster.pl
Mon Feb 14 09:17:54 EST 2005
Hi,
I just experienced the following problem, and would like to ask whether such
behaviour is correct or not.
My test environment assumes that there are 2 separate VRFs configured on a PE
router (that PE also runs as an IPSec aggregator).
aaa authentication login userauthentication group radius
aaa authorization network group group radius if-authenticated
ip vrf vpnA
 rd 123:1
!
ip vrf vpnB
 rd 123:2
There is a single ISAKMP policy that says:
crypto isakmp policy 111
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
And there are 2 separate ISAKMP profiles, one dedicated to each VRF:
crypto isakmp profile vpnA-isakmp-profile
 vrf vpnA
 match identity group group1
 client authentication list userauthentication
 isakmp authorization list group
 client configuration address respond
 keepalive 10 retry 3
crypto isakmp profile vpnB-isakmp-profile
 vrf vpnB
 match identity group group2
 client authentication list userauthentication
 isakmp authorization list group
 client configuration address respond
 keepalive 10 retry 3
And of course the dynamic crypto map definition:
crypto ipsec transform-set dynamic-set esp-3des esp-md5-hmac
!
crypto dynamic-map dynamic-map 100
 set transform-set dynamic-set
 set isakmp-profile vpnA-isakmp-profile
 reverse-route
crypto dynamic-map dynamic-map 200
 set transform-set dynamic-set
 set isakmp-profile vpnB-isakmp-profile
 reverse-route
!
crypto map primary-map 10 ipsec-isakmp dynamic dynamic-map
The created map is assigned to one of the interfaces.
For both identity groups I have assigned a single user:
user1 for group1
and
user2 for group2
Both users are configured on an external RADIUS server and they have IP
addresses assigned from 2 separate pools during the authentication process.
The login process of user1 or user2 looks perfect, except for one thing.
If user1 or user2 wants to establish the IPSec session using (in my case) the
Cisco VPN Client, s/he just enters the aggregator IP address, group name and
group password.
Provided that RADIUS confirms those attributes to the aggregator, the
aggregator accepts them and the user is requested to authenticate him/herself.
And here is the problem: user1, who is dedicated to group1, can log in to
group2 with the user1 name and password, as long as s/he knows the group2 name
and password.
And vice versa, user2 with its own name and password can log in to the group1
profile.
Do you know a method to limit this, so that user1 and user2 can log in only to
their own group?
Unfortunately both the ISAKMP groups and the users are created on the same
RADIUS server, and that RADIUS server is indicated with the commands:
client authentication list userauthentication
and
isakmp authorization list group
For me, there is a lack of functionality (or there is, but I don't know about
it) that would tell the RADIUS authentication process for user1 and user2
that they can be logged in only using a particular ISAKMP group and within a
predefined VRF instance.
Any ideas what I did incorrectly? Because I don't think this is an intentional
Cisco problem :-))
Regards and thanks for any help
Sebastian
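To make the failure mode in the post concrete, here is an added Python model of the two-stage login; it is not code from the post, from the cisco-nsp list, or from Cisco. It mirrors the configuration above: the ISAKMP group (pre-shared key) is authorized by one RADIUS lookup, the user is then authenticated by a second, independent lookup, and nothing ties the two records together, so any valid user lands in any valid group and therefore in that group's VRF and address pool. The `allowed_groups` attribute on the user record is a hypothetical binding standing in for whatever per-user group restriction the poster is looking for; all records and secrets are constructed.

```python
"""Model of the Easy VPN / ISAKMP-profile login described in the post.

Stage 1: the client presents a group name and group pre-shared key; the
aggregator authorizes the group via RADIUS and learns its VRF and pool.
Stage 2: the client presents a user name and password (Xauth); the
aggregator authenticates the user via RADIUS.

Without a binding between the user record and the group record, stage 2
never consults which group stage 1 accepted.  Added example, not code from
the post or from Cisco.  All records below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed "RADIUS" group records: group PSK plus the VRF/pool the group maps to.
GROUPS = {
    "group1": {"psk": "g1-secret", "vrf": "vpnA", "pool": "10.1.0.0/24"},
    "group2": {"psk": "g2-secret", "vrf": "vpnB", "pool": "10.2.0.0/24"},
}

# Constructed "RADIUS" user records.  `allowed_groups` is a hypothetical
# per-user attribute binding the user to one ISAKMP group (not on the page).
USERS = {
    "user1": {"password": "u1-pass", "allowed_groups": {"group1"}},
    "user2": {"password": "u2-pass", "allowed_groups": {"group2"}},
}


@dataclass
class LoginResult:
    ok: bool
    reason: str
    vrf: Optional[str] = None
    pool: Optional[str] = None


def authorize_group(group: str, psk: str) -> Optional[dict]:
    """Stage 1: `isakmp authorization list group` equivalent."""
    rec = GROUPS.get(group)
    if rec is None or rec["psk"] != psk:
        return None
    return rec


def authenticate_user(user: str, password: str) -> Optional[dict]:
    """Stage 2: `client authentication list userauthentication` equivalent."""
    rec = USERS.get(user)
    if rec is None or rec["password"] != password:
        return None
    return rec


def login(group: str, psk: str, user: str, password: str,
          enforce_binding: bool) -> LoginResult:
    """Run both stages.  With enforce_binding=False this reproduces the
    behaviour in the post: a correct user password is accepted regardless of
    which group was authorized in stage 1.  With enforce_binding=True the
    hypothetical allowed_groups attribute is checked against that group."""
    grp = authorize_group(group, psk)
    if grp is None:
        return LoginResult(False, "group authorization failed")
    usr = authenticate_user(user, password)
    if usr is None:
        return LoginResult(False, "user authentication failed")
    if enforce_binding and group not in usr["allowed_groups"]:
        return LoginResult(False, f"{user} is not permitted to use {group}")
    return LoginResult(True, "accepted", vrf=grp["vrf"], pool=grp["pool"])


def cross_group_attempt(enforce_binding: bool) -> LoginResult:
    """user1 (bound to group1) logging in through group2 with group2's PSK."""
    return login("group2", "g2-secret", "user1", "u1-pass", enforce_binding)


if __name__ == "__main__":
    for enforce in (False, True):
        r = cross_group_attempt(enforce)
        print(f"binding enforced={enforce}: ok={r.ok} reason={r.reason!r} "
              f"vrf={r.vrf} pool={r.pool}")
```

Running it prints the unbound case first (user1 accepted into vpnB with an address from the group2 pool), then the bound case (rejected). The point the model isolates is that two successful but independent AAA decisions do not add up to "this user belongs in this VRF"; the binding has to be an attribute of the user record that the aggregator checks against the group it already accepted.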