Look at the rejected requests in your ACS server. I think you need to add a new service. You would call the service "IKE" and list a protocol of "IPSec". Then you would need to create a user with the name equal to the <group name> and the password set to "cisco". Then set that user to allow IKE and set the tunnel attributes, also under the IKE section. For example:
xauth-banner="Xauth banner text here"
TACACS is specifically built for exec and command authorization of IOS.
RADIUS, an open AAA protocol, is used to authorize network requests.
With TACACS, you need to configure the AVs for services.
TACACS has no inbuilt AVs for IKE and IPSec. Hence, you need to add them as custom services and protocols.
You need to navigate to Interface Configuration > New Services.
There, under New Services, add IKE and IPSec as the Service and Protocol, respectively.
The following are mandatory attributes:
group name: test
group key: Cisco123
username: ccie
password: ccie
Enable the IKE/IPSec service on ACS.
Add user test with password Cisco123 on ACS, and enable IKE/IPSec with the attributes.
The VPN client connects with group test and key Cisco123, then logs in with user ccie and password ccie.
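The router side of the setup the replies above describe, as an added example that is not part of any post in this thread. It assumes an ACS reachable at 10.0.0.5 (constructed), a placeholder TACACS+ shared secret, and illustrative list, map and pool names; the group name (test) and Xauth user (ccie) come from the thread, while the group key Cisco123 and the tunnel attributes are returned by ACS rather than configured locally on the router.

```cisco
! Added example (not from the thread). Assumptions: ACS at 10.0.0.5
! (constructed address), placeholder shared secret, illustrative names.
aaa new-model
! Xauth: the remote user (ccie / ccie) is authenticated by ACS
aaa authentication login EZ-XAUTH group tacacs+
! Group authorization: the router sends username=<group name> ("test")
! with password "cisco" to ACS; ACS must answer with the IKE/IPSec
! service attributes (key, addr-pool, xauth-banner, ...) for that user
aaa authorization network EZ-GROUP group tacacs+
tacacs-server host 10.0.0.5 key <TACACS-SHARED-SECRET-PLACEHOLDER>
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Only used if the ACS group attributes point at this pool (addr-pool)
ip local pool EZ-POOL 192.168.100.10 192.168.100.100
!
crypto ipsec transform-set EZ-TS esp-aes esp-sha-hmac
crypto dynamic-map EZ-DYN 10
 set transform-set EZ-TS
 reverse-route
!
! Tie the two AAA lists to the dynamic crypto map the EzVPN clients hit
crypto map EZ-MAP client authentication list EZ-XAUTH
crypto map EZ-MAP isakmp authorization list EZ-GROUP
crypto map EZ-MAP client configuration address respond
crypto map EZ-MAP 10 ipsec-isakmp dynamic EZ-DYN
!
interface GigabitEthernet0/0
 crypto map EZ-MAP
```

If the client is dropped right after Xauth succeeds, the group authorization step is the usual culprit: the ACS failed-attempts log will show the request for user "test" (the group name) being rejected when the custom IKE/IPSec service or the user named after the group is missing.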
I'm also trying to build EzVPN with ACS RADIUS authentication and authorization. However, although the authorization and authentication are granted by the ACS, the connection from the remote client is getting dropped. When I switch from ACS authorization to local and let the authentication go through ACS, the client is able to log in without any problem.
Do you see any problem with the ACS user config?