Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MSFC not applying Radius attribute 11 to client VPN connections

I have an MSFC with 12.2(18)SXF6 and a VPNSM configured for radius authentication and authorization. In the attachment, I can see the filter-id sent, but when I connect, I can still ping addresses other than in 10.1.x.x, which the acl should disallow. TAC has told me to use aaa authorization configuration default, but I wonder if I should use aaa authorization network default instead. Is there any other reason why the MSFC would not apply the filter to a VPN client connection? Thanks

New Member

Re: MSFC not applying Radius attribute 11 to client VPN connecti

One interesting thing I note, is that if I set the filter id to, the connection fails, even though the radius debug indicates an access-accept back from the server. This indicates that the MSFC is doing something with the attribute, but isn't filtering traffic.

BTW, the radius server is RSA, if that matters.