Mailing List Archive

Per-User ACL from Radius
Hi All,

Another question from a newbie, and forgive me if this has been answered
previously. I have an issue and I am not sure if this feature will work
with my version of IOS. I have a Cisco 2821 with AIM-VPN/EPII-PLUS
running version 12.4(12a) Advanced IP Services. I am trying to download a
per-user ACL from the RADIUS server when the client connects (VPN), but
the ACL does not get installed. From a RADIUS debug I can see the
ip:inacl#1=permit etc., but the ACL does not get applied; if I use
ipsec:inacl=111 (pre-configured on the router) it works.

Should this feature work?

Thanks
Eugene Patton


This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.

_______________________________________________
cisco-nas mailing list
cisco-nas@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nas
Re: Per-User ACL from Radius
Eugene Patton <> wrote on Friday, July 20, 2007 1:40 AM:

> Hi All,
>
> Another question from a newbie and forgive me if this has been answered
> previously. I have an issue and I am not sure if this feature will work
> with my version of IOS. I have a Cisco 2821 with AIM-VPN/EPII-PLUS
> running version 12.4(12a) Advanced IP Services. I am trying to
> download per-user ACL from the radius server when the client connects
> (VPN) but the ACL does not get installed. From a radius debug I can see
> the ip:inacl#1=permit etc but the ACL does not get applied but if I use
> ipsec:inacl=111 (pre-configured on the router) it works.
>
> Should this feature work?

No, "ip:inacl=<acl-definition>" is not processed by IPSec (as "debug aaa
per-user" would likely confirm), and the way you've described it is the
only way to apply an ACL to an IPSec tunnel.

I'm not an IPSec expert, but maybe you can use the "IPSec Virtual Tunnel
Interface" configuration? This involves a virtual-template, just like
pptp/l2tp, and you might be able to use more per-user AAA attributes.
Never tried this.

oli
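To make the difference between the two attribute forms concrete, here is the RADIUS profile and router configuration the working case described above implies. This is an added example, not configuration posted in the thread or taken from Cisco documentation; the username, password, RADIUS server address and key, AAA list names, crypto map name, and the contents of ACL 111 are all assumed for illustration. The RADIUS side is written in FreeRADIUS "users" file syntax; the router side is IOS 12.4-era syntax.

```text
# ---------- RADIUS side: FreeRADIUS "users" entry (assumed names) ----------
# Form 1 (does NOT get applied to an IPsec client on this platform, per the
# reply above): ip:inacl#n= carries the ACL lines themselves, which is the
# downloadable-ACL format consumed by PPP/auth-proxy, not by the IPsec code.
#eugene  Cleartext-Password := "s3cret"
#        Cisco-AVPair = "ip:inacl#1=permit ip any host 10.1.1.10",
#        Cisco-AVPair += "ip:inacl#2=deny ip any any"

# Form 2 (works): ipsec:inacl= only names an ACL that already exists on the
# router, so the ACL body must be configured there ahead of time.
eugene   Cleartext-Password := "s3cret"
         Cisco-AVPair = "ipsec:inacl=111"

! ---------- Router side: IOS (assumed list/map names and addresses) ----------
aaa new-model
! XAUTH user authentication and per-user/group authorization both go to RADIUS
aaa authentication login XAUTH group radius
aaa authorization network GROUPAUTH group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSharedKey
!
! The ACL the RADIUS attribute points at: it must exist before the user connects
access-list 111 permit ip any host 10.1.1.10
access-list 111 deny   ip any any
!
! Tie XAUTH and mode-config authorization to the crypto map the clients hit
crypto map VPNMAP client authentication list XAUTH
crypto map VPNMAP isakmp authorization list GROUPAUTH
crypto map VPNMAP client configuration address respond
```

After a client connects, "debug aaa per-user" (mentioned above) together with "debug radius" shows whether the router received "ipsec:inacl=111" and acted on it; a typo in the ACL number or name on the RADIUS side silently references nothing, so the ACL number in the AV-pair and the one configured on the router must match exactly.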
Re: Per-User ACL from Radius
Hi Eugene,
Try to use a wildcard ACL on RADIUS if you are using a normal ACL (or the
opposite).
Best regards,
Ladislav.

-----Original Message-----
From: cisco-nas-bounces@puck.nether.net
[mailto:cisco-nas-bounces@puck.nether.net] On Behalf Of Oliver Boehmer
(oboehmer)
Sent: Friday, July 20, 2007 8:11 AM
To: Eugene Patton; cisco-nas@puck.nether.net
Subject: Re: [cisco-nas] Per-User ACL from Radius
