MSFC not applying Radius attribute 11 to client VPN connections
I have an MSFC with 12.2(18)SXF6 and a VPNSM configured for radius authentication and authorization. In the attachment, I can see the filter-id sent, but when I connect, I can still ping addresses other than in 10.1.x.x, which the acl should disallow. TAC has told me to use aaa authorization configuration default, but I wonder if I should use aaa authorization network default instead. Is there any other reason why the MSFC would not apply the filter to a VPN client connection? Thanks
Re: MSFC not applying Radius attribute 11 to client VPN connecti
One interesting thing I note, is that if I set the filter id to clientacl.in, the connection fails, even though the radius debug indicates an access-accept back from the server. This indicates that the MSFC is doing something with the attribute, but isn't filtering traffic.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...