Cisco VPN 3000 & Radius Groups

Unanswered Question
Oct 24th, 2000

We currently have a VPN solution in place which uses a VPN 3000 Concentrator, and CiscoSecure 2.4 Radius authentication. We have "internal" groups defined in the Concentrator with access-controls also defined for those groups. We have authentication pointing to the Radius server which is working fine. We are looking to find a way to set up the Concentrator & CiscoSecure group classes, so that when a user is dragged into a CiscoSecure group the user also is bound to that group on the Concentrator. I'm under the assumption that this has to be done with "External" groups on the Concentrator. If I use "External" groups, are the Concentrator Group Access-Controls still in effect? If not, I need a way so that all access-controls can be done on the Concentrator, which are already configured, and all group designations are done by the CiscoSecure Radius server. Is this possible?

estjohn Thu, 10/26/2000 - 05:55

Figured it out. You have to have a filter defined on each of your groups inside of the concentrator. You create groups with equal names in the concentrator and CiscoSecure. Then you go into CiscoSecure's Radius configuration and you tell it to pass variable 25 (Class or Group), in format "OU=CLASSNAME;" (without quotes) to the concentrator. Regardless of the group you log in as, the concentrator will determine the group you belong to in CiscoSecure and force you into the proper group, and filters.

