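CISCO IPsec VPN + Client Remote-Access VPN + RADIUS Authentication Configuration

Network topology:
[Image: 75577cf024e2fa9da50f5233.jpg]
On PC0, install the Cisco VPN Client and configure it with GroupName ***group, password 12345678, and host address 201.1.1.1.
On Server0, create the user user1 with password 123456 and allow dial-in access.
On Server0, install IAS and create a new client: name ***, client address 10.1.1.254, RADIUS Standard, pre-shared key 12345678.
In IAS on Server0, create a new remote access policy ***0 with access method VPN; the remaining settings can be anything. Then edit the policy's profile and select PAP under the authentication methods. (Why? See the access log records.)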

R1 configuration:
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 201.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
---------------------------------------------------------------------------------------------
R2 configuration:
!
aaa new-model
!
!
aaa authentication login userauth group radius local
aaa authorization network groupauth local
!
username jxs password 0 jxs
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group ***group
 key 12345678
 dns 61.153.177.196
 domain test.com
 pool ×××DHCP
!
crypto ipsec transform-set ***-tfs esp-3des esp-md5-hmac
!
crypto dynamic-map dy*** 10
 set transform-set ***-tfs
 reverse-route
!
crypto map ***12 client authentication list userauth
crypto map ***12 isakmp authorization list groupauth
crypto map ***12 client configuration address respond
crypto map ***12 10 ipsec-isakmp dynamic dy***
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 201.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map ***12
!
ip local pool ×××DHCP 192.168.2.10 192.168.2.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
no ip http server
no ip http secure-server
!
radius-server attribute 6 on-for-login-auth
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646 key 12345678
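
When a NAS authenticates a user with PAP, the password travels to the RADIUS server in the User-Password attribute, hidden only by MD5 keyed with the shared key (RFC 2865, section 5.2), so its protection on the 10.1.1.0/24 segment rests on the key set in the radius-server host line and in the IAS client entry. The sketch below is an added example, not part of the original post; it uses the post's key and user1 password, while the Request Authenticator value and the function names are constructed for illustration.

```python
# Added example, not from the original post: RFC 2865 section 5.2 User-Password hiding.
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the value of RADIUS attribute 2 (User-Password) as a NAS does for PAP."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        prev = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding, as the RADIUS server does with its copy of the secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += xor_bytes(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def demo():
    secret = b"12345678"              # shared key from the radius-server host line
    authenticator = bytes(range(16))  # constructed; a real NAS uses a random value
    hidden = hide_password(b"123456", secret, authenticator)  # user1's password
    right = reveal_password(hidden, secret, authenticator)
    wrong = reveal_password(hidden, b"not-the-key", authenticator)
    return hidden, right, wrong


if __name__ == "__main__":
    hidden, right, wrong = demo()
    print("User-Password attribute value:", hidden.hex())
    print("decoded with the configured key:", right)
    print("decoded with a different key:  ", wrong)
```

If the key on the router and the key in the IAS client entry differ, the server decodes a different byte string and the login is rejected even though the user typed the correct password.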