Concentrator 3000: Restricting client src using RADIUS...

Oct 31st, 2007

I've searched, and come up dry. --Can anyone tell me if it's possible to use Attributes on a RADIUS server, to restrict the valid IP address(es) from which a client may attach to the concentrator?


I'm trying to ensure that VPN clients attach from within certain secure facilities, using secure systems, versus using laptops from McDonalds WiFi.

jsivulka Tue, 11/06/2007 - 12:07

You have to define which host

Configuration | Policy Management | Traffic Management | Network Lists


Then you have to define a rule for this certain traffic

Configuration | Policy Management | Traffic Management | Rules


Then you have to define the filter

Configuration | Policy Management | Traffic Management | Filters


Then you have to apply the filter to a certain L2L connection

Configuration | Tunneling and Security | IPSec | LAN-to-LAN |

-- Choose the filter to apply to the traffic that is tunneled through this LAN-to-LAN connection. --


Could you please verify quickly if you did the steps I mentioned above?


If this does not help, could you please specify which connection (src/dst ip address/mask and src/dst port) you would like to allow to communicate on the Lan2Lan connection?

Could you please also provide me in addition the config of VPN?


Configuring a Central Cisco VPN 3000 Concentrator to Allow Communication Between Spokes:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094a86.shtml


abatson Tue, 11/06/2007 - 12:37
I've since solved this problem, actually. However, I'm working on another issue on the same concentrator. I'm attempting to follow the instructions in Cisco Document 13831, "Locking Users into a VPN3000 Concentrator Group Using a RADIUS Server". I followed these directions, but my client is not re-assigned to a different group based on the Attribute coming from the RADIUS server. I've verified that the authentication-response packet does contain the group name in the proper syntax. I then found other documents that indicated different Attribute Names I was to use. Shall I use the IETF standard, "Class", or the Cisco-proprietary "cVPN3000-IETF-Radius-Class"? Another document said a shortened form of this was permissible: "IETF-Radius-Class". I've tried tons of different settings, but nothing works.
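Added example (mine, not from either poster) that works through the attribute question above in Python: it builds a RADIUS Access-Accept carrying the group name both as the IETF Class attribute (type 25) and as the vendor-specific cVPN3000-IETF-Radius-Class, checks the Response Authenticator against the shared secret the way the concentrator must before acting on any attribute in the reply, and then reports which of the two attribute names actually carried the value. Assumed rather than taken from the thread: vendor id 3076 and sub-type 25 for the VSA, and the "OU=<group>;" value form from the Cisco document cited in the post; the secret, Request Authenticator and group name are constructed.

```python
import hashlib
import hmac
import struct
RADIUS_CLASS = 25           # IETF Class attribute (RFC 2865)
RADIUS_VSA = 26             # IETF Vendor-Specific attribute
VENDOR_ALTIGA = 3076        # assumption: vendor id of the VPN 3000 RADIUS dictionary
VSA_IETF_RADIUS_CLASS = 25  # assumption: sub-type of cVPN3000-IETF-Radius-Class
NAMES = {("ietf", RADIUS_CLASS): "Class",
         ("vsa", VENDOR_ALTIGA, VSA_IETF_RADIUS_CLASS): "cVPN3000-IETF-Radius-Class"}

def attr(atype, value):  # one IETF attribute: Type(1) Length(1) Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor, vtype, value):  # Vendor-Specific wrapping one vendor sub-attribute
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(RADIUS_VSA, struct.pack("!I", vendor) + inner)

def build_access_accept(ident, request_auth, secret, attrs):
    # Code 2; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    # What the concentrator must check before acting on any attribute in the reply.
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(payload):  # yields ('ietf', type, value) or ('vsa', vendor, subtype, value)
    while payload:
        atype, alen = payload[0], payload[1]
        if alen < 2 or alen > len(payload):
            raise ValueError("malformed attribute length")
        value = payload[2:alen]
        if atype == RADIUS_VSA:
            vendor = struct.unpack("!I", value[:4])[0]
            yield ("vsa", vendor, value[4], value[6:4 + value[5]])
        else:
            yield ("ietf", atype, value)
        payload = payload[alen:]

def group_lock_candidates(packet):
    # Maps each recognised attribute name to the group value it carries.
    return {NAMES[a[:-1]]: a[-1].decode() for a in parse_attrs(packet[20:]) if a[:-1] in NAMES}

# Constructed sample (secret, authenticator, group); "OU=<group>;" form is assumed from Cisco doc 13831.
SECRET, REQ_AUTH, GROUP = b"constructed-shared-secret", bytes(range(16)), b"OU=secure-site;"
ATTRS = attr(RADIUS_CLASS, GROUP) + vsa(VENDOR_ALTIGA, VSA_IETF_RADIUS_CLASS, GROUP)
PACKET = build_access_accept(7, REQ_AUTH, SECRET, ATTRS)
```

Run `group_lock_candidates` over a capture of the real Access-Accept to see which attribute name the server actually sends; if only one key comes back, the concentrator-side group lock has to be configured for that name.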
