Chapter 4 Remote Access VPN Services

Note: Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each device as a CPE.

CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you must define at least one public and one private interface on each device.

For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Integrated VPN Management Suite Infrastructure Guide, 3.2.

In the Remote Access VPN policy, the network administrator performs the following tasks:

Configures the encryption policy (which contains IKE and IPsec proposal parameters) that defines the network layer encryption and authentication control.

Specifies the IKE XAuth parameters for user authentication.

Sets the Mode Configuration parameters for policy push and features such as dynamically assigned client IP addresses.

Defines the remote access user group. (Because each remote access policy defines a user group, you can use multiple remote access policies in the same service request. This enables you to configure multiple user groups on the same CPE device.)

Defines remote access parameters.

The group policy information is stored in a profile that can be used locally in the VPN device configuration. When the user or group information is stored on AAA servers, you must also configure access to the AAA servers and allow the VPN device to send requests to the AAA servers.

Once created, the remote access policies can also be applied to multiple service requests.

To define a remote access VPN service, use the following sections:

Adding AAA Server Devices to Your Repository

Creating Encryption Policies

Creating Remote Access VPN Policies

Creating Remote Access VPN Service Requests

Adding AAA Server Devices to Your Repository

A AAA server (pronounced “Triple A” server) is required when the user authentication method is external or the group policy information is stored on an external AAA server. If user profiles or group attributes are to be obtained from a AAA Server (as opposed to having them stored on the CPE device itself), then a AAA Server entry must be created and added to your ISC repository.
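The dependency stated above can be checked on a collected device configuration before a service request is deployed. The following is an added example, not part of the Cisco guide or of ISC; it assumes the CPE is a Cisco IOS router acting as an Easy VPN server, and the sample configuration, list names and the function name `audit_remote_access_aaa` are constructed for illustration.

```python
import re

# Constructed sample of a collected CPE configuration (not from the guide).
# XAuth users are looked up on RADIUS; group policy is stored locally.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login RA_USERS group radius
aaa authorization network RA_GROUPS local
crypto isakmp client configuration group SALES
 pool RA_POOL
crypto map VPNMAP client authentication list RA_USERS
crypto map VPNMAP isakmp authorization list RA_GROUPS
"""

LIST_RE = re.compile(r"aaa (authentication login|authorization network) (\S+) (.+)")
USE_RE = re.compile(r"crypto map \S+ (client authentication|isakmp authorization) list (\S+)")
# Lines that show the device can reach an external server of each type.
SERVER_RE = {"radius": r"radius-server host \S+|radius server \S+",
             "tacacs+": r"tacacs-server host \S+|tacacs server \S+"}
GROUP_PREFIX = "crypto isakmp client configuration group "

def audit_remote_access_aaa(config):
    """Return findings where a crypto map relies on AAA settings that are missing."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is not enabled")
    method_lists = {}  # (kind, list name) -> method tokens
    for ln in lines:
        m = LIST_RE.match(ln)
        if m:
            method_lists[(m.group(1).split()[0], m.group(2))] = m.group(3).split()
    for ln in lines:
        m = USE_RE.match(ln)
        if not m:
            continue
        kind = m.group(1).split()[1]  # "authentication" or "authorization"
        name = m.group(2)
        methods = method_lists.get((kind, name))
        if methods is None:
            findings.append(f"{kind} list {name} is referenced but not defined")
            continue
        for prev, cur in zip(methods, methods[1:]):  # "group radius" pairs
            if prev == "group" and cur in SERVER_RE and not any(re.match(SERVER_RE[cur], l) for l in lines):
                findings.append(f"{kind} list {name} uses {cur} but no {cur} server is configured")
        if kind == "authorization" and "local" in methods and not any(l.startswith(GROUP_PREFIX) for l in lines):
            findings.append(f"authorization list {name} is local but no client group is defined")
    return findings
```

Named server groups (`group <name>` other than `radius` or `tacacs+`) are not resolved by this check.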

To create a AAA server entry in ISC, perform the following steps:

Step 1 Click Home > Service Inventory > Inventory and Connection Manager > AAA Servers. The AAA Servers page appears as shown in Figure 4-2.

Cisco IP Solution Center Integrated VPN Management Suite Security User Guide, 3.2

OL-5532-02