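Network topology:
Install Cisco VPN Client on PC0 and configure it with GroupName vpngroup, password 12345678, host address 201.1.1.1.
On Server0, create the user user1 with password 123456 and allow dial-in.
On Server0, install IAS and create a new client: name vpn, client address 10.1.1.254, RADIUS Standard, pre-shared key (shared secret) 12345678.
In IAS on Server0, create a remote access policy named vpn0 with access method VPN; the other settings can be anything. Edit the policy's profile and select PAP under the authentication methods. (Why? Look at the access log records.)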
R1 configuration:
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 201.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!

R2 configuration:
!
aaa new-model
!
!
aaa authentication login userauth group radius local
aaa authorization network groupauth local
!
username jxs password 0 jxs
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group vpngroup
 key 12345678
 dns 61.153.177.196
 domain test.com
 pool VPNDHCP
!
crypto ipsec transform-set vpn-tfs esp-3des esp-md5-hmac
!
crypto dynamic-map dyvpn 10
 set transform-set vpn-tfs
 reverse-route
!
crypto map vpn12 client authentication list userauth
crypto map vpn12 isakmp authorization list groupauth
crypto map vpn12 client configuration address respond
crypto map vpn12 10 ipsec-isakmp dynamic dyvpn
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 201.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn12
!
ip local pool VPNDHCP 192.168.2.10 192.168.2.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
no ip http server
no ip http secure-server
!
radius-server attribute 6 on-for-login-auth
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646 key 12345678
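
As an added example (not part of the original post), the Python script below checks the crypto-related lines of the R2 configuration for settings that work in a lab but are weak outside one: the type 0 password, 3DES/MD5/DH group 2, and the single short secret shared by the VPN group and the RADIUS client. The rule set, the 16-character threshold and the function name audit are assumptions of this example, not a Cisco tool or baseline.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto-related lines of the R2 configuration above.
R2_CONFIG = """\
username jxs password 0 jxs
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group vpngroup
 key 12345678
crypto ipsec transform-set vpn-tfs esp-3des esp-md5-hmac
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646 key 12345678
"""

# Rule set written for this example (an assumption, not a Cisco tool or baseline).
LINE_RULES = [
    (r"^username \S+ password 0 ", "local password stored as type 0 (cleartext)"),
    (r"^\s*encr (des|3des)\s*$", "IKE policy uses a legacy cipher"),
    (r"^\s*hash md5\s*$", "IKE policy uses MD5"),
    (r"^\s*group (1|2|5)\s*$", "IKE Diffie-Hellman group is 1536 bits or smaller"),
    (r"transform-set \S+ .*\besp-(des|3des)\b", "IPsec transform uses a legacy cipher"),
    (r"transform-set \S+ .*\besp-md5-hmac\b", "IPsec transform uses HMAC-MD5"),
]
KEY_RE = re.compile(r"(?:^|\s)key (\S+)\s*$")

def audit(config):
    """Return (line_number, finding) pairs for weak settings in an IOS config."""
    findings = []
    secrets = defaultdict(list)  # secret value -> line numbers where it appears
    for number, line in enumerate(config.splitlines(), 1):
        for pattern, message in LINE_RULES:
            if re.search(pattern, line):
                findings.append((number, message))
        match = KEY_RE.search(line)
        if match:
            secrets[match.group(1)].append(number)
    for secret, lines in secrets.items():
        # 16 characters is this example's threshold, chosen for illustration.
        if len(secret) < 16 or secret.isdigit():
            findings.append((lines[0], "shared secret is short or digits only"))
        if len(lines) > 1:
            findings.append((lines[-1], "same shared secret reused in more than one place"))
    return findings

if __name__ == "__main__":
    for number, finding in audit(R2_CONFIG):
        print(f"line {number}: {finding}")
```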
Cisco IPsec VPN + Client Remote Access VPN + RADIUS Authentication Configuration