Using AAA to limit access rights

Unanswered Question
Feb 15th, 2008

Hi there.

I have a 2611 router, IOS version 12.3(25), configured as a VPN server. I have already configured the IPsec parameters, users... and it is all working fine. But my customer needs to limit the access of one user that uses the same group and interface as the others. Is it possible to set up an AAA profile that matches some ACL to permit access to a few IP addresses, without an authentication server? I was thinking of a method to set up an ACL and implement it on the interface, but this will affect the traffic of the other users, since their external access addresses are dynamic (one time they are at home, another time they are at the remote office and so on). Any ideas? Thanks in advance.


Overall Rating: 3 (1 ratings)
Jagdeep Gambhir Fri, 02/15/2008 - 06:56

Go for downloadable ACLs. The following requirements must be met:

* The AAA client must use RADIUS for authentication.

* The AAA client must support downloadable IP ACLs.

Examples of Cisco devices that support downloadable IP ACLs are:

* PIX Firewalls.

* VPN 3000-series concentrators.

* Cisco devices running IOS version 12.3(8)T or greater.

Check the following link for your reference:



Do rate helpful posts

fred.mancen Fri, 02/15/2008 - 07:55

Hey, Gambhir!

This link is great! I am reading carefully to make sure that it solves my problem; be sure that I will rate your post. Thanks a lot!

Best regards.

fred.mancen Fri, 02/15/2008 - 10:37

Hi Gambhir.

Really, this document is fine, but it does not solve my problem: my customer does not have a RADIUS server that could be available to run the service. Unfortunately, because it would be the perfect solution. Anyway, thanks a lot.


