
Table Of Contents

Configuring AAA Servers for Remote Clients

AAA Servers Overview

Managed AAA Configuration

Proxy AAA Configuration

Per-VRF AAA

IPSec VPN Accounting

Preprovisioning to Support Unity Client

AAA Server Preprovisioning

IPSec Aggregator Preprovisioning

Cisco Unity Client Preprovisioning

Cisco Unity Client Operation

User Authentication

AAA Authorization

IPSec Accounting

Using RADIUS for Network-Based IPSec

RADIUS Configuration Sample


Configuring AAA Servers for Remote Clients


AAA Servers Overview

The AAA servers are RADIUS servers that are service provider-managed or customer-managed. The RADIUS servers may be Cisco ACS or Cisco Access Registrar or a customer's RADIUS server.

RADIUS provides user authentication (XAUTH) and authorization in the Unity protocol to the client and to the IPSec aggregator to enable a successfully authenticated client to use the service authorized. Using the RADIUS server also limits the amount of pre-provisioning and re-provisioning that is necessary on each client and on each IPSEC Aggregator.

For information on configuring RADIUS, see: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfrad.htm

Managed AAA Configuration

In a managed AAA configuration, you (the service provider) administer a RADIUS system for customer-specific user information. The customer must provide you with the names of one or more administrators who are responsible for user administration, as well as their initial user-id/passwords. After you configure the administrators, the customer can add, delete, modify, and view users without your (service provider) intervention.

Proxy AAA Configuration

In a proxy AAA configuration, the service provider performs authorization while the customer controls user authentication. Proxy AAA is the only configuration that supports two-factor authentication (token card). When a customer manages an AAA system, one or more IP addresses must be associated with the customer AAA system. In addition to the IP addresses, a shared secret must be configured on both ends of the proxy (service provider and customer). The shared secret should be a well-formed password, and it must be communicated between the two parties.

For information on configuring shared secrets, see http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a008007fec3.html.

Per-VRF AAA

Using the Per VRF AAA feature, Internet Service Providers (ISPs) can partition authentication, authorization, and accounting (AAA) services based on Virtual Route Forwarding (VRF). This feature permits the IPSec aggregator to communicate directly with the customer's RADIUS server, which is associated with the customer's Virtual Private Network (VPN), without having to go through a RADIUS proxy. Thus, ISPs can scale their VPN offerings more efficiently because they no longer need to proxy AAA to provide their customers with the flexibility they demand.

For information on configuring per-VRF AAA, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftvrfaaa.htm#1015329.

IPSec VPN Accounting

The IPSec VPN Accounting feature allows for a session to be accounted for by indicating the times that the session starts and stops. Additionally, session-identifying information and session-usage information are passed to the Remote Authentication Dial-In User Service (RADIUS) server using RADIUS attributes and vendor-specific attributes (VSAs).

For information on configuring IPSec VPN accounting, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_evpna.htm.

Preprovisioning to Support Unity Client

This section deals with pre-provisioning on the IPSEC Aggregator and AAA server for Unity client support as well as the provisioning needed on the client.


Note: Unlike the site-to-site model, much of the information configured at the head-end is VPN-specific, not tunnel-endpoint-specific.


To support Unity clients, you must obtain information on IP address pools, DNS, WINS, and other policy when signing up customers for VPN service for remote access clients. You can store this information locally on the IPSec Aggregator or in your AAA server. You can store user-specific information (for example, username and passwords) as well as any user-specific policy information (for example, session time-outs) in your AAA server; however, for scaling reasons it may make more sense to store this information in the customer's AAA server.


Note: In the absence of per-group AAA support, the service provider AAA server may proxy a request to the customer AAA server.


AAA Server Preprovisioning

An ISAKMP client configuration group (or VPN group) is a group of Unity clients that share the same authentication and configuration information. The shared group information consists of the following:

Password (if preshared keys are used)

IP address or name of IP address pool on IPSec aggregator from which an IP address is to be assigned to client

IP addresses of primary and secondary DNS servers

IP addresses of primary and secondary WINS servers

Default domain name

Name of access control list (ACL) to be applied at client when enabling split tunneling

IPSec Aggregator Preprovisioning

On the IPSec Aggregator, you need to pre-provision the following (assuming aggressive mode and pre-shared keys):

How to reach the SP-managed AAA server (global or management VPN) and any customer-managed AAA servers (per customer VPN).

Whether VPN group information is local or stored in an AAA server:

If local, the client group information listed above is configured on the IPSec aggregator.

If remote, the name of the SP-managed AAA server used to fetch the group configuration.

Define the (possibly overlapping) address pools referred to in the VPN group information, if any. The address range is provided by the customer and assigned by the SP.

Define the ACLs referred to in the VPN group information, which are pushed to the Unity client to enforce split tunneling when it is enabled.

Define an ISAKMP profile per VPN, including:

The matching client configuration group.

The VRF ID.

If XAUTH is used, the name of the SP-managed or customer-managed AAA server used for user authentication.

Define IPSec tunnel-mode crypto policies per VPN.

Define a dynamic crypto map per VPN (same crypto map name, different policies), including the ISAKMP profile and IPSec policy.

Apply the crypto map to the Internet-facing interfaces.

Cisco Unity Client Preprovisioning

We assume the client has been assigned a global IP address by its local ISP and has sufficient configuration for Internet access. We assume the Unity client is pre-provisioned with:

Public IP address or hostname of IPSEC aggregator

Pre-shared group key with IPSEC aggregator

XAUTH (username password or token)

IKE authentication and encryption policy

IPSEC authentication and encryption policy

Cisco Unity Client Operation

The Unity protocol operates based on the notion of a client group. A Unity client must identify and authenticate itself by group first and, if XAUTH is enabled, by user later.

The Unity protocol supports either:

Aggressive mode and pre-shared keys

Main mode and certificates

In terms of AAA support, you can use RADIUS servers to store client group configuration information (including the pre-shared group password in case of aggressive mode and mode-config information) as well as to authenticate users (XAUTH). RADIUS servers can only be defined globally.

Assuming use of aggressive mode and pre-shared keys, as well as use of RADIUS servers for storing client group configuration information and for user authentication, the Unity protocol operates as follows:

1. If the IKE SA negotiates use of XAUTH, the client waits for a challenge and responds.

2. The server authenticates the user, typically using the customer's AAA server via a service provider AAA proxy. Any user-specific configuration information may be downloaded at this time or downloaded separately later.

3. The client requests mode-config parameters from the server. These include IP address, IP addresses of DNS and WINS servers, default domain name and ACLs to be applied if split tunneling is enabled.

4. If configured to do so, the server fetches the mode-config parameters from your (service provider) AAA server based on the group name. The server may also need to fetch user-specific information based on the user name (for example, a static IP address).

5. If configured to do so, the IPSec Aggregator allocates an IP address from the pre-defined IP address pool and sets up a route to the client in the appropriate routing table (global or VRF). The server returns the above information to the client.

For more information on Unity, see http://www.cisco.com/en/US/products/sw/voicesw/ps2237/.

For more information on the sequence of operations for remote access, see "IPSec to MPLS Service Models" in the Cisco Network-Based IPSec VPN Solution Release 1.5 Implementation Guide.

User Authentication

Authentication verifies users before they are allowed access to the network and network services. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm.

The Unity protocol operates based on the notion of a client group. A Unity client must identify and authenticate itself by group first and, if XAUTH is enabled, by user later.


Note: VPN clients should be authenticated by XAUTH to deny unauthorized access.


VPN group information consists of the following:

Password if pre-shared keys are used

Interface on which the VPN group is allowed to connect (from 12.2(9.4)T only)

Name of IP address pool from which an IP address is to be assigned to client

IP addresses of primary and secondary DNS servers

IP addresses of primary and secondary WINS servers

Default domain name

Name of access control list to be applied at the client when split tunneling is enabled

AAA Authorization

AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the service provider AAA server, to configure the user's session. When this is done, the user is granted access to a requested service only if the information in the user profile allows it. See: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathor.htm

The following IPSEC-related configuration information is available upon authorization:

Pre-shared key per Unity group or per IPSec peer

Unity group configuration per VPN (mode-config)

IP address

IP address pool

ACL for split tunneling

ISAKMP profile

Virtual interface profiles for virtual IPSEC interfaces (if any)

IPSec Accounting

If IPSec accounting is configured for the session, an accounting start record is generated after the IKE phases are complete.


Note: New accounting records are not generated during a re-key.


The accounting start record contains the following information:

Group name

User name

Assigned IP address

Interface for the connection

Accounting list

VRF ID

AAA unique id

ISAKMP Phase 1 ID information

Status (one of ACCT_REQUIRED, START_REQUEST, STARTED, STOPPED, or NOT_REQUIRED)

Below is an accounting start record generated on the router that is sent to the defined AAA server.

*Aug 23 04:06:20.131: RADIUS(00000002): sending
*Aug 23 04:06:20.131: RADIUS(00000002): Send Accounting-Request to 100.1.1.4:1646 id 4, len 220
*Aug 23 04:06:20.131: RADIUS: authenticator 38 F5 EB 46 4D BE 4A 6F - 45 EB EF 7D B7 19 FB 3F
*Aug 23 04:06:20.135: RADIUS: Acct-Session-Id [44] 10 "00000001"
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 31
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 25 "isakmp-group-id=cclient"
*Aug 23 04:06:20.135: RADIUS: Framed-IP-Address [8] 6 10.13.13.1
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 20
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 35
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=11.1.2.2"
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 36
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress"
*Aug 23 04:06:20.135: RADIUS: User-Name [1] 13 "joe@cclient"
*Aug 23 04:06:20.135: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 25
*Aug 23 04:06:20.135: RADIUS: cisco-nas-port [2] 19 "FastEthernet0/0.1"
*Aug 23 04:06:20.135: RADIUS: NAS-Port [5] 6 0
*Aug 23 04:06:20.135: RADIUS: NAS-IP-Address [4] 6 100.1.1.147
*Aug 23 04:06:20.135: RADIUS: Acct-Delay-Time [41] 6 0
*Aug 23 04:06:20.139: RADIUS: Received from id 21645/4 100.1.1.4:1646, Accounting-response, len 20
*Aug 23 04:06:20.139: RADIUS: authenticator B7 E3 D0 F5 61 9A 89 D8 - 99 A6 8A 8A 98 79 9D 5D
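As an added example that is not part of this guide, the following Python rebuilds the start record above, attribute for attribute, as an RFC 2866 Accounting-Request and computes the Request Authenticator that binds the record to the shared secret configured on both the aggregator and the RADIUS server. The shared secret used here is a constructed placeholder; the packet it produces has the same length as the "len 220" printed in the debug output.

```python
import hashlib
import hmac
import ipaddress
import struct

CISCO_VENDOR_ID = 9        # IANA enterprise number carried in Vendor-Specific (26)
ACCOUNTING_REQUEST = 4     # RADIUS Code for Accounting-Request (RFC 2866)

def attr(code, value):
    """Type(1) Length(1) Value: Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value limited to 253 octets")
    return struct.pack("!BB", code, len(value) + 2) + value

def cisco_vsa(vendor_type, text):
    """Vendor-Specific (26) wrapping one Cisco sub-attribute:
    vendor_type 1 = Cisco AVpair, 2 = cisco-nas-port."""
    sub = struct.pack("!BB", vendor_type, len(text) + 2) + text.encode()
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def ip_attr(code, dotted):
    return attr(code, ipaddress.IPv4Address(dotted).packed)

def int_attr(code, n):
    return attr(code, struct.pack("!I", n))

def accounting_request(identifier, attrs, secret):
    """Header + Request Authenticator + attributes. Per RFC 2866 the authenticator is
    MD5(Code | ID | Length | 16 zero octets | Attributes | shared secret), so a server
    holding the same secret can reject a forged or altered record."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_request_authenticator(packet, secret):
    """Server-side check: recompute and compare in constant time."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)

def start_record(secret=b"example-shared-secret"):
    """The accounting start record shown above, in the order the debug output prints
    the attributes (id 4). The secret is a constructed placeholder, not a real key."""
    attrs = b"".join([
        attr(44, b"00000001"),                      # Acct-Session-Id
        cisco_vsa(1, "isakmp-group-id=cclient"),    # Cisco AVpair
        ip_attr(8, "10.13.13.1"),                   # Framed-IP-Address
        cisco_vsa(1, "vrf-id=cisco"),
        cisco_vsa(1, "isakmp-initator-ip=11.1.2.2"),
        cisco_vsa(1, "connect-progress=No Progress"),
        attr(1, b"joe@cclient"),                    # User-Name
        int_attr(40, 1),                            # Acct-Status-Type = Start
        cisco_vsa(2, "FastEthernet0/0.1"),          # cisco-nas-port
        int_attr(5, 0),                             # NAS-Port
        ip_attr(4, "100.1.1.147"),                  # NAS-IP-Address
        int_attr(41, 0),                            # Acct-Delay-Time
    ])
    return accounting_request(4, attrs, secret)
```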

Accounting Stop

An accounting stop packet is generated when there are no longer any flows (IPSec SA pairs) to an IPSec peer being protected.

Accounting stop records contain the following information:

Packets out

Packets in

Octets out

Octets in

Gigawords in

Gigawords out

Below is an accounting stop record generated on the router that is sent to the defined AAA server.


*Aug 23 04:20:16.519: RADIUS(00000003): Using existing nas_port 0
*Aug 23 04:20:16.519: RADIUS(00000003): Config NAS IP: 100.1.1.147
*Aug 23 04:20:16.519: RADIUS(00000003): sending
*Aug 23 04:20:16.519: RADIUS(00000003): Send Accounting-Request to 100.1.1.4:1646 id 19, len 238
*Aug 23 04:20:16.519: RADIUS: authenticator 82 65 5B 42 F0 3F 17 C3 - 23 F3 4C 35 A2 8A 3E E6
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Id [44] 10 "00000002"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 20
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 35
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=11.1.1.2"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 36
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress"
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Time [46] 6 709
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Octets [42] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Output-Octets [43] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Packets [47] 6 1004
*Aug 23 04:20:16.519: RADIUS: Acct-Output-Packets [48] 6 1004
*Apr 23 04:20:16.519: RADIUS: Acct-Input-Giga-Word[52] 6 0
*Apr 23 04:20:16.519: RADIUS: Acct-Output-Giga-Wor[53] 6 0
*Aug 23 04:20:16.519: RADIUS: Acct-Terminate-Cause[49] 6 none [0]
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 32
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 26 "disc-cause-ext=No Reason"
*Aug 23 04:20:16.519: RADIUS: Acct-Status-Type [40] 6 Stop [2]
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 25
*Aug 23 04:20:16.519: RADIUS: cisco-nas-port [2] 19 "FastEthernet0/0.1"
*Aug 23 04:20:16.519: RADIUS: NAS-Port [5] 6 0
*Aug 23 04:20:16.519: RADIUS: NAS-IP-Address [4] 6 100.1.1.147
*Aug 23 04:20:16.519: RADIUS: Acct-Delay-Time [41] 6 0
*Aug 23 04:20:16.523: RADIUS: Received from id 21645/19 100.1.1.4:1646, Accounting-response, len 20
*Aug 23 04:20:16.523: RADIUS: authenticator F1 CA C1 28 CE A0 26 C9 - 3E 22 C9 DA EA B8 22 A0

Accounting Updates

You can enable periodic interim accounting records to be sent to the accounting server using the aaa accounting update command. For more information on this command, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122tcr/122tsr/faaacr/sftacct.htm#1041103.

Below is a sample accounting update record:

7200-UUT#
*Aug 23 21:46:05.263: RADIUS(00000004): Using existing nas_port 0
*Aug 23 21:46:05.263: RADIUS(00000004): Config NAS IP: 100.1.1.147
*Aug 23 21:46:05.263: RADIUS(00000004): sending
*Aug 23 21:46:05.263: RADIUS(00000004): Send Accounting-Request to 100.1.1.4:1646 id 22, len 200
*Aug 23 21:46:05.263: RADIUS: authenticator 30 FA 48 86 8E 43 8E 4B - F9 09 71 04 4A F1 52 25
*Aug 23 21:46:05.263: RADIUS: Acct-Session-Id [44] 10 "00000003"
*Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 20
*Aug 23 21:46:05.263: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 35
*Aug 23 21:46:05.263: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=11.1.1.2"
*Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 36
*Aug 23 21:46:05.263: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress"
*Aug 23 21:46:05.263: RADIUS: Acct-Session-Time [46] 6 109
*Aug 23 21:46:05.263: RADIUS: Acct-Input-Octets [42] 6 608
*Aug 23 21:46:05.263: RADIUS: Acct-Output-Octets [43] 6 608
*Aug 23 21:46:05.263: RADIUS: Acct-Input-Packets [47] 6 4
*Aug 23 21:46:05.263: RADIUS: Acct-Output-Packets [48] 6 4
*Aug 23 21:46:05.263: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 25
*Aug 23 21:46:05.263: RADIUS: cisco-nas-port [2] 19 "FastEthernet0/0.1"
*Aug 23 21:46:05.263: RADIUS: NAS-Port [5] 6 0
*Aug 23 21:46:05.263: RADIUS: NAS-IP-Address [4] 6 100.1.1.147
*Aug 23 21:46:05.263: RADIUS: Acct-Delay-Time [41] 6 0
*Aug 23 21:46:05.267: RADIUS: Received from id 21645/22 100.1.1.4:1646, Accounting-response, len 20
*Aug 23 21:46:05.267: RADIUS: authenticator 51 6B BB 27 A4 F5 D7 61 - A7 03 73 D3 0A AC 1C
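The records above arrive as text on the router console, but the same fields are what an operations team reconciles against the RADIUS server's own log. As an added example that is not part of this guide, the following Python parses debug radius accounting output in the format shown above, folds the records by Acct-Session-Id, combines the Gigawords and octet counters into byte totals, and lists sessions that have a Start but no Stop. The input is a constructed sample, not captured output.

```python
import re

# Constructed sample in the format of the "debug radius" output shown above, not from a
# live device: session 00000001 has a Start and a Stop, session 00000002 only a Start.
SAMPLE = """\
*Aug 23 04:06:20.131: RADIUS(00000002): Send Accounting-Request to 100.1.1.4:1646 id 4, len 220
*Aug 23 04:06:20.135: RADIUS: Acct-Session-Id [44] 10 "00000001"
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 25 "isakmp-group-id=cclient"
*Aug 23 04:06:20.135: RADIUS: Framed-IP-Address [8] 6 10.13.13.1
*Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 04:06:20.135: RADIUS: User-Name [1] 13 "joe@cclient"
*Aug 23 04:06:20.135: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Aug 23 04:20:16.519: RADIUS(00000003): Send Accounting-Request to 100.1.1.4:1646 id 19, len 238
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Id [44] 10 "00000001"
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Octets [42] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Output-Octets [43] 6 608
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Giga-Word[52] 6 1
*Aug 23 04:20:16.519: RADIUS: Acct-Status-Type [40] 6 Stop [2]
*Aug 23 04:25:00.001: RADIUS(00000004): Send Accounting-Request to 100.1.1.4:1646 id 20, len 200
*Aug 23 04:25:00.001: RADIUS: Acct-Session-Id [44] 10 "00000002"
*Aug 23 04:25:00.001: RADIUS: User-Name [1] 13 "bob@cclient"
*Aug 23 04:25:00.001: RADIUS: Acct-Status-Type [40] 6 Start [1]
"""

ATTR = re.compile(r'RADIUS: (?P<name>[A-Za-z][\w -]*?)\s*\[(?P<num>\d+)\] \d+ (?P<val>.+)$')
# Counters are keyed by attribute number: the debug output truncates long names, the number never.
COUNTERS = {42: "in_octets", 43: "out_octets", 52: "in_gigawords", 53: "out_gigawords"}

def parse_records(text):
    """One dict per Accounting-Request; Cisco AVpairs are split on '='."""
    records = []
    for line in text.splitlines():
        if "Send Accounting-Request" in line:
            records.append({})
        elif records and (m := ATTR.search(line)):
            name, num, val = m["name"], int(m["num"]), m["val"].strip('"')
            if name == "Cisco AVpair":
                key, _, value = val.partition("=")
                records[-1][key] = value
            elif num == 40:                      # Acct-Status-Type: "Start [1]" -> "Start"
                records[-1]["status"] = val.split()[0]
            elif num in COUNTERS:
                records[-1][COUNTERS[num]] = int(val)
            else:
                records[-1][name] = val
    return records

def reconcile(text):
    """Fold records by Acct-Session-Id; Gigawords count 2^32 wraps of the 32-bit octet counters."""
    sessions = {}
    for rec in parse_records(text):
        s = sessions.setdefault(rec["Acct-Session-Id"], {})
        s.update(rec)
        if rec["status"] == "Stop":
            s["bytes_in"] = (rec.get("in_gigawords", 0) << 32) + rec.get("in_octets", 0)
            s["bytes_out"] = (rec.get("out_gigawords", 0) << 32) + rec.get("out_octets", 0)
    return sessions

def open_sessions(sessions):
    # Started but never stopped: still up, or a lost stop record to chase
    return sorted(sid for sid, s in sessions.items() if s["status"] != "Stop")
```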

Sample Accounting Configuration:

aaa new-model
!
! Method lists referenced by the ISAKMP profile: XAUTH login, group
! authorization and start-stop accounting, all via RADIUS
aaa authentication login cisco-client group radius
aaa authorization network cisco-client group radius
aaa accounting network acc start-stop broadcast group radius
aaa session-id common
!
! One ISAKMP profile per VPN, bound to its VRF and client group
crypto isakmp profile cisco
 vrf cisco
 match identity group cclient
 client authentication list cisco-client
 isakmp authorization list cisco-client
 client configuration address respond
 accounting acc
!
crypto dynamic-map dynamic 1
 set transform-set aswan
 set isakmp-profile cisco
 reverse-route
!
radius-server host 100.1.1.4 auth-port 1645 acct-port 1646
radius-server key nsite

Using RADIUS for Network-Based IPSec

The Cisco network-based IPSec VPN solution release 1.5 supports RADIUS-based authentication and authorization for remote access clients.

During authorization of a remote access client, the following attributes can be downloaded from RADIUS:

cisco-avpair = "ipsec:key-exchange=ike"
cisco-avpair = "ipsec:tunnel-password=cisco123"
cisco-avpair = "ipsec:addr-pool=mypool"
cisco-avpair = "ipsec:default-domain=cisco.com"
cisco-avpair = "ipsec:dns-servers=1.1.1.9"
cisco-avpair = "ipsec:wins-servers=3.3.3.9"
cisco-avpair = "ipsec:access-restrict=ATM5/0.101"

RADIUS Configuration Sample

The following is a sample user and group configuration for remote VPN clients from Cisco Access Registrar.

User configuration (no attributes):

[ //localhost/RADIUS/UserLists/Default/joe-coke ]
Name = joe-coke
Description =
Password = <encrypted>
AllowNullPassword = FALSE
Enabled = TRUE
Group~ =
BaseProfile~ =
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =

[ //localhost/RADIUS/UserLists/Default/group1 ]
Name = group1
Description =
Password = <encrypted> (would be "cisco")
AllowNullPassword = FALSE
Enabled = TRUE
Group~ =
BaseProfile~ = group1profile
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =

Define the group attributes, such as the pre-shared key and IP address pool name, using Cisco AV-pairs:

[ //localhost/RADIUS/Profiles/group1profile/Attributes ]
cisco-avpair = ipsec:key-exchange=ike
cisco-avpair = ipsec:tunnel-password=cisco123
cisco-avpair = ipsec:addr-pool=pool1
Service-Type = Outbound



Posted: Wed Jan 12 10:17:17 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.