288 Views | 0 Helpful | 2 Replies

Concentrator 3000: Restricting client src using RADIUS...

abatson
Level 1

I've searched and come up dry. Can anyone tell me if it's possible to use attributes on a RADIUS server to restrict the valid IP address(es) from which a client may attach to the concentrator?

I'm trying to ensure that VPN clients attach from within certain secure facilities, using secure systems, rather than from laptops on McDonald's WiFi.

2 Replies

jsivulka
Level 5

You have to define which host(s) under

Configuration | Policy Management | Traffic Management | Network Lists

Then you have to define a rule for this particular traffic under

Configuration | Policy Management | Traffic Management | Rules

Then you have to define the filter under

Configuration | Policy Management | Traffic Management | Filters

Then you have to apply the filter to the relevant L2L connection under

Configuration | Tunneling and Security | IPSec | LAN-to-LAN |

-- Choose the filter to apply to the traffic that is tunneled through this LAN-to-LAN connection. --

Could you please verify quickly if you did the steps I mentioned above?

If this does not help, could you please specify which connection (src/dst IP address/mask and src/dst port) you would like to allow to communicate over the LAN-to-LAN connection?

Could you please also provide me in addition the config of VPN?

Configuring a Central Cisco VPN 3000 Concentrator to Allow Communication Between Spokes:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094a86.shtml

I've since solved this problem, actually. However, I'm working on another issue on the same concentrator. I'm attempting to follow the instructions in Cisco Document 13831, "Locking Users into a VPN3000 Concentrator Group Using a RADIUS Server". I followed these directions, but my client is not reassigned to a different group based on the attribute coming from the RADIUS server. I've verified that the authentication-response packet does contain the group name in the proper syntax. I then found other documents that indicated different attribute names I was to use. Shall I use the IETF standard "Class", or the Cisco-proprietary "cVPN3000-IETF-Radius-Class"? Another document said a shortened form of this was permissible: "IETF-Radius-Class". I've tried tons of different settings, but nothing works.
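As an added example (not from either poster, and not Cisco's code), a small Python decoder for the attribute section of a RADIUS Access-Accept that reports whether the group name arrives in the IETF Class attribute (type 25) or wrapped inside a Vendor-Specific attribute (type 26), which is the distinction the follow-up question turns on. The sample packets, the group name, the `OU=<group>;` value form and the vendor/sub-type numbers (3076, 25) are constructed assumptions, not values from the thread.

```python
import struct

# RADIUS codes and IETF attribute types from RFC 2865
ACCESS_ACCEPT = 2
ATTR_CLASS = 25            # IETF "Class" attribute
ATTR_VENDOR_SPECIFIC = 26  # wrapper for vendor dictionaries such as cVPN3000-*
HEADER_LEN = 20            # code(1) + identifier(1) + length(2) + authenticator(16)

def parse_attributes(payload: bytes) -> list:
    """Walk RADIUS type/length/value triples; the length byte includes its own 2-byte header."""
    attrs, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError(f"truncated attribute header at offset {i}")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def find_group_attributes(packet: bytes, group: str) -> dict:
    """Report whether the group name arrives in IETF Class (25), inside a VSA (26), or not at all."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    report = {"ietf_class": None, "vsa": [], "group_in_class": False}
    for atype, value in parse_attributes(packet[HEADER_LEN:]):
        if atype == ATTR_CLASS:
            report["ietf_class"] = value.decode("ascii", "replace")
            report["group_in_class"] = group in report["ietf_class"]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            vendor_id = struct.unpack("!I", value[:4])[0]       # RFC 2865 VSA layout
            for vtype, vval in parse_attributes(value[4:]):
                report["vsa"].append((vendor_id, vtype, vval.decode("ascii", "replace")))
    return report

def build_access_accept(attrs, ident=1) -> bytes:
    """Constructed sample packet; the Response Authenticator is zeroed, not computed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(body)) + bytes(16) + body

# Constructed samples. The group name, the OU=<group>; form and the VSA numbering
# (vendor 3076, sub-type 25) are assumptions; compare them with your own RADIUS dictionary.
GROUP = "vpn-group-a"
CLASS_VALUE = f"OU={GROUP};".encode()
PKT_IETF_CLASS = build_access_accept([(ATTR_CLASS, CLASS_VALUE)])
VSA_VALUE = struct.pack("!I", 3076) + bytes([25, len(CLASS_VALUE) + 2]) + CLASS_VALUE
PKT_VSA_ONLY = build_access_accept([(ATTR_VENDOR_SPECIFIC, VSA_VALUE)])
```

Feed the raw bytes of a captured Access-Accept to `find_group_attributes` to see which attribute actually carries the value; Response Authenticator verification against the shared secret is left out here.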
