MSFC not applying Radius attribute 11 to client VPN connections

Unanswered Question
Jun 28th, 2007

I have an MSFC with 12.2(18)SXF6 and a VPNSM configured for radius authentication and authorization. In the attachment, I can see the filter-id sent, but when I connect, I can still ping addresses other than in 10.1.x.x, which the acl should disallow. TAC has told me to use aaa authorization configuration default, but I wonder if I should use aaa authorization network default instead. Is there any other reason why the MSFC would not apply the filter to a VPN client connection? Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mflanigan Fri, 06/29/2007 - 00:06

One interesting thing I note, is that if I set the filter id to, the connection fails, even though the radius debug indicates an access-accept back from the server. This indicates that the MSFC is doing something with the attribute, but isn't filtering traffic.

BTW, the radius server is RSA, if that matters.


This Discussion