Here is the situation. I have a 2811 ISR running (C2800NM-ADVSECURITYK9-M), Version 12.4(2)T3. I previously configured the router to accept IPsec VPN clients and authenticate against Active Directory using IAS. This all works as expected, but any VPN client has access to anything on the LAN. The VPN server is configured to provide split-tunneling.
What I'm trying to do today is lock down remote access to the corporate LAN and set up multiple VPN policies with the end result of delivering per-user ACLs to the router. Most of the docs I've read assume one is using Cisco ACS but I saw the Cisco doc referring to configuring any RADIUS server. The searching I've done has led me to think that the best way to go in my scenario is to:
1) create AD groups for each level of access I wish to provide
2) add users to the appropriate AD groups
3) create Remote Access Policies under IAS for each level of access I wish to grant.
4) set the conditions for the policy to require port-type VPN and user membership in the appropriate group.
5) add to the policy Cisco-avpair attribute strings in the form of:
ip:inacl#1=permit tcp SOURCEIP SOURCEMASK DESTIP DESTMASK
ip:inacl#2=deny tcp any any
As far as I can tell that's all I should have to do and it should work. What happens when I test is that I see that the client is authenticated via the correct IAS remote access policy. I see in the IAS log that it transmits the ACL-related strings to the router.
I logged in to the router and ran a debug aaa attr and I see that it is receiving the attributes, yet when I do a show access-lists I don't see the user ACL. The VPN client still has full access like the default policy.
Any suggestions on what to look at next? Does this router/IOS even support this feature?
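The per-user ACL mechanism described in the post hinges on the exact form of the Cisco-AVPair strings the RADIUS policy sends (`ip:inacl#N=<ace>`), and a typo there is easy to make and hard to spot from the router side. The script below is an added example, not code from the original poster or from Cisco: it numbers a list of ACEs into the avpair form, lints them for the usual mistakes (bad syntax, non-increasing sequence numbers, `eq` on a protocol that has no ports, a subnet mask typed where IOS expects a wildcard mask), and dry-runs a packet against the policy with first-match semantics and the implicit deny IOS appends to every ACL. The addresses and the "engineering" policy are constructed sample values. Note that this only checks what the policy sends; whether IOS actually installs the downloaded ACL depends on the router's AAA network-authorization configuration for the VPN (network authorization via the RADIUS group, referenced from the crypto map), which the script cannot see.

```python
import ipaddress
import re

# Added example: build, lint and dry-run Cisco-AVPair downloadable ACL strings
# ("ip:inacl#N=<ace>") of the kind an IAS remote access policy returns to IOS.
# Only the common extended-ACE shape is modelled:
#   permit|deny ip|tcp|udp|icmp <src> <dst> [eq <dport>]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR = rf"(?:any|host\s+{IPV4}|{IPV4}\s+{IPV4})"
ACE_RE = re.compile(
    rf"^(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})(?:\s+eq\s+(?P<port>\d+))?$"
)
AVPAIR_RE = re.compile(r"^ip:inacl#(?P<seq>\d+)=(?P<ace>.+)$")

# Constructed sample policy for one AD group: SSH to one host, HTTPS to another,
# everything else explicitly denied (IOS would deny it implicitly anyway).
ENGINEERING_ACES = [
    "permit tcp 10.8.0.0 0.0.0.255 host 10.1.1.20 eq 22",
    "permit tcp 10.8.0.0 0.0.0.255 host 10.1.1.30 eq 443",
    "deny ip any any",
]


def _parse_addr(text):
    """Return (network, wildcard) as integers for an ACL address spec."""
    parts = text.split()
    if parts[0] == "any":
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))


def parse_ace(ace):
    """Parse one ACE into a dict; raise ValueError on anything IOS would reject."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"unparseable ACE: {ace!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and m["proto"] not in ("tcp", "udp"):
        raise ValueError(f"'eq {port}' is only valid for tcp/udp: {ace!r}")
    return {"action": m["action"], "proto": m["proto"],
            "src": _parse_addr(m["src"]), "dst": _parse_addr(m["dst"]), "port": port}


def build_avpairs(aces):
    """Number ACEs 1..n in the ip:inacl#N= form used in the RADIUS policy."""
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, start=1)]


def lint_avpairs(avpairs):
    """Return a list of problems; an empty list means the policy looks sane."""
    problems, seqs, aces = [], [], []
    for s in avpairs:
        m = AVPAIR_RE.match(s)
        if not m:
            problems.append(f"not an ip:inacl# attribute: {s!r}")
            continue
        seqs.append(int(m["seq"]))
        try:
            aces.append(parse_ace(m["ace"]))
        except ValueError as e:
            problems.append(str(e))
    if seqs != sorted(seqs) or len(set(seqs)) != len(seqs):
        problems.append("ip:inacl# sequence numbers must be unique and increasing")
    for ace in aces:
        for _net, wc in (ace["src"], ace["dst"]):
            # Heuristic: IOS ACLs take wildcard masks. A mask whose top octet is
            # 255 but that is not "any" almost always means a subnet mask was
            # typed, which would match far more than intended.
            if wc & 0xFF000000 == 0xFF000000 and wc != 0xFFFFFFFF:
                problems.append(f"mask {ipaddress.IPv4Address(wc)} looks like a "
                                f"subnet mask, not a wildcard mask")
    return problems


def _matches(spec, addr):
    net, wc = spec
    return ((net ^ addr) & ~wc & 0xFFFFFFFF) == 0


def evaluate(avpairs, proto, src, dst, dport=None):
    """First-match evaluation of a packet, ending in IOS's implicit deny."""
    s_int, d_int = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for s in avpairs:
        ace = parse_ace(AVPAIR_RE.match(s)["ace"])
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_matches(ace["src"], s_int) and _matches(ace["dst"], d_int)):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    pairs = build_avpairs(ENGINEERING_ACES)
    print("\n".join(pairs))
    print("lint:", lint_avpairs(pairs) or "ok")
    print("ssh to 10.1.1.20:", evaluate(pairs, "tcp", "10.8.0.5", "10.1.1.20", 22))
    print("telnet to 10.1.1.20:", evaluate(pairs, "tcp", "10.8.0.5", "10.1.1.20", 23))
```

Paste the printed `ip:inacl#N=` lines into the policy's Cisco-AVPair attribute one per line; running the lint before that catches the subnet-mask-versus-wildcard slip, which silently turns a tight ACL into a near-`any` match.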