10-31-2007 12:33 PM
I've searched, and come up dry. Can anyone tell me if it's possible to use Attributes on a RADIUS server, to restrict the valid IP address(es) from which a client may attach to the concentrator?
I'm trying to ensure that VPN clients attach from within certain secure facilities, using secure systems, versus using laptops from McDonalds WiFi.
11-06-2007 12:07 PM
You have to define which host:
Configuration | Policy Management | Traffic Management | Network Lists
Then you have to define a rule for this certain traffic:
Configuration | Policy Management | Traffic Management | Rules
Then you have to define the filter:
Configuration | Policy Management | Traffic Management | Filters
Then you have to apply the filter to the certain L2L connection:
Configuration | Tunneling and Security | IPSec | LAN-to-LAN |
-- Choose the filter to apply to the traffic that is tunneled through this LAN-to-LAN connection. --
Could you please verify quickly if you did the steps I mentioned above?
If this does not help, could you please specify which connection (src/dst IP address/mask and src/dst port) you would like to allow to communicate on the Lan2Lan connection?
Could you please also provide me in addition the config of VPN?
Configuring a Central Cisco VPN 3000 Concentrator to Allow Communication Between Spokes:
11-06-2007 12:37 PM
I've since solved this problem, actually. However, I'm working on another issue on the same concentrator. I'm attempting to follow the instructions in Cisco Document 13831, "Locking Users into a VPN3000 Concentrator Group Using a RADIUS Server". I followed these directions, but my client is not re-assigned to a different group based on the Attribute coming from the RADIUS server. I've verified that the authentication-response packet does contain the group name in the proper syntax. I then found other documents that indicated different Attribute Names I was to use. Shall I use the IETF standard "Class", or the Cisco-proprietary "cVPN3000-IETF-Radius-Class"? Another document said a shortened form of this was permissible: "IETF-Radius-Class". I've tried tons of different settings, but nothing works.
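As an added example (not code from this thread), a small Python decoder that checks whether the attribute section of a captured RADIUS Access-Accept carries a group-lock value in either form the post mentions, the IETF Class attribute (type 25) or the Cisco VPN 3000 vendor-specific attribute. The vendor id 3076, the VSA number 25 and the "OU=<group>;" value syntax are assumptions to confirm against your RADIUS server's dictionary and Cisco document 13831; the sample packet bytes are constructed.

```python
import re
import struct

ATTR_CLASS, ATTR_VENDOR_SPECIFIC = 25, 26  # IETF Class / Vendor-Specific (RFC 2865)
# Assumptions: the Cisco VPN 3000 (Altiga) vendor id and the VSA number of
# cVPN3000-IETF-Radius-Class; confirm both against your RADIUS dictionary file.
VENDOR_CISCO_VPN3000, VSA_IETF_RADIUS_CLASS = 3076, 25
# Assumption: a group-lock value has the form "OU=<group>;" (Cisco doc 13831).
GROUP_RE = re.compile(r"^OU=([^;]+);$")

def build_attr(atype, value):
    """Encode one RADIUS attribute TLV (type, length incl. header, value)."""
    return bytes([atype, len(value) + 2]) + value

def build_vsa(vendor_id, vtype, value):
    """Encode a Vendor-Specific attribute wrapping one vendor TLV."""
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + build_attr(vtype, value))

def parse_attributes(attrs):
    """Yield (vendor, type, value) for each TLV in the attribute section of a
    RADIUS packet (everything after the 20-byte header); VSAs are expanded."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            yield vendor, vtype, value[6:4 + vlen]  # vlen counts the vendor type/len bytes
        else:
            yield None, atype, value
        pos += alen

def find_group_locks(attrs):
    """Return [(attribute name, group)] for every well-formed group-lock value."""
    names = {(None, ATTR_CLASS): "Class",
             (VENDOR_CISCO_VPN3000, VSA_IETF_RADIUS_CLASS): "cVPN3000-IETF-Radius-Class"}
    found = []
    for vendor, atype, value in parse_attributes(attrs):
        m = GROUP_RE.match(value.decode("ascii", "replace"))
        if (vendor, atype) in names and m:
            found.append((names[(vendor, atype)], m.group(1)))
    return found

# Constructed sample: the same group sent both as IETF Class and as the Cisco VSA.
SAMPLE = (build_attr(ATTR_CLASS, b"OU=secure-sites;")
          + build_vsa(VENDOR_CISCO_VPN3000, VSA_IETF_RADIUS_CLASS, b"OU=secure-sites;"))
```

Feed it the bytes after the 20-byte header of a captured Access-Accept; an empty result with the group visibly present usually means the value is missing the "OU=" prefix or the trailing semicolon.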