Using per-user ACLs for VPN clients on 2811 ISR

Unanswered Question
May 13th, 2008

Here is the situation. I have a 2811 ISR running (C2800NM-ADVSECURITYK9-M), Version 12.4(2)T3. I previously configured the router to accept ipsec VPN clients and authenticate against active directory using IAS. This all works as expected but any VPN client has access to anything on the LAN. The VPN server is configured to provide split-tunneling.

What I'm trying to do today is lock down remote access to the corporate LAN and set up multiple VPN policies with the end result of delivering per-user ACLs to the router. Most of the docs I've read assume one is using Cisco ACS but I saw the Cisco doc referring to configuring any RADIUS server. The searching I've done has led me to think that the best way to go in my scenario is to:

1) create AD groups for each level of access I wish to provide

2) add users to the appropriate AD groups

3) create Remote Access Policies under IAS for each level of access I wish to grant.

4) set the conditions for the policy to require port-type VPN and user membership in the appropriate group.

5) add to the policy Cisco-avpair attribute strings in the form of:

ip:inacl#2=deny tcp any any

6) ???

As far as I can tell that's all I should have to do and it should work. What happens when I test is that I see that the client is authenticated via the correct IAS remote access policy. I see in the IAS log that it transmits the ACL-related strings to the router.

I logged in to the router and ran a debug aaa attr and I see that it is receiving the attributes, yet when I do a show access-lists I don't see the user ACL. The vpn client still has full access like the default policy.

Any suggestions on what to look at next? Does this router/IOS even support this feature?

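As an added illustration (not part of the original thread), the following Python script checks a set of cisco-avpair strings of the form shown in the post before they go into an IAS policy: it parses them, renders the ACE lines one would expect to compare against the router's output, and flags ordering mistakes that leave a downloaded ACL useless. The sample addresses are hypothetical; only the "deny tcp any any" line comes from the post.

```python
import re

# Constructed sample set of cisco-avpair strings for one IAS policy (hypothetical
# addresses); only the "deny tcp any any" line comes from the original post.
SAMPLE_AVPAIRS = [
    "ip:inacl#1=permit tcp any host 10.0.0.5 eq 443",
    "ip:inacl#2=deny tcp any any",
    "ip:inacl#3=permit udp any host 10.0.0.53 eq 53",
]

# ip:inacl#<sequence>=<action> <protocol> <source/destination and ports>
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny)\s+(\S+)\s+(.+)$")


def parse_inacl(avpairs):
    """Parse avpair strings into (seq, action, proto, rest) tuples ordered by seq.
    Raises ValueError for a string that does not match the ip:inacl# form or for
    a duplicate sequence number, which would not apply as intended."""
    entries, seen = [], set()
    for s in avpairs:
        m = AVPAIR_RE.match(s.strip())
        if not m:
            raise ValueError(f"not an ip:inacl#N=<ace> string: {s!r}")
        seq = int(m.group(1))
        if seq in seen:
            raise ValueError(f"duplicate sequence number {seq}")
        seen.add(seq)
        entries.append((seq, m.group(2), m.group(3).lower(), m.group(4).strip()))
    return sorted(entries)


def render_acl(entries):
    """Render the entries as ACE lines for comparison with the router's listing."""
    return [f"{seq} {action} {proto} {rest}" for seq, action, proto, rest in entries]


def lint(entries):
    """Flag policy mistakes that make a per-user ACL useless: no permit at all
    (everything falls to the implicit deny), or entries placed after a catch-all
    'ip any any' line that can never match."""
    warnings = []
    if not any(a == "permit" for _, a, _, _ in entries):
        warnings.append("no permit entries: implicit deny blocks all client traffic")
    for i, (seq, _, proto, rest) in enumerate(entries):
        if proto == "ip" and rest == "any any" and i < len(entries) - 1:
            warnings.append(f"entries after #{seq} (ip any any) are unreachable")
            break
    return warnings
```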
cclarkacs Tue, 05/20/2008 - 12:49

Thanks for your reply. I read through those docs but I don't really see what it is that is supposed to help me.

The first link you posted is in reference to configuring ACS for Windows, not Windows Server IAS (Radius server).

I already have IAS authenticating users. My problem is that despite configuring ip:inacl strings for the cisco-avpair, the router still doesn't apply these settings to the VPN clients.

Your second link refers to the Cisco 3000 VPN concentrator. I'm using a 2811 ISR running IOS as my VPN server, and it's already configured for AAA.

A little more help please!
