I would appreciate some help with configuring dynamic filters in ACS 3.1 for use with VPN 3005. I've read the documentation, but had no success. I want to configure the filters on a per-user basis. So if there is anyone out there who has been successful, I would appreciate the tips.
Should help you out. If this is the "documentation" you mentioned that you've already read and it still doesn't work, please send us some details about the filters you defined on the 30xx, and the Radius user setup. If you can add the AUTH/AUTHDBG Event Classes at Severity to Log of 1-13 on the concentrator and then send us that info that would be great too.
If you want to define the entire filter on the ACS server (which is more scalable), you have to be running VPN Concentrator code 4.x; it won't work in 3.x.
On ACS you can define the filters in two ways, either as a "Downloadable PIX ACL" (which I think changed to just "Downloadable ACL" in ACS v3.2), or as a Cisco AV pair specifically.
Downloadable PIX ACL
In ACS < v3.1, define the VPN3000 NAS as a PIX; in ACS >= v3.1, define it as a VPN3000. Under Shared Profile Components - Downloadable ACL, add a new ACL and it'll have the form:
permit ip any host 10.1.1.100
permit tcp any host 10.1.1.200 eq 80
permit icmp any any
There's an implicit "deny everything" at the end of this, but this'll allow all access to 10.1.1.100 and web access to 10.1.1.200 and all pings, nothing else. The source is always "any", but when it gets applied it's implied that the source is the VPN client.
Assign this downloadable ACL to the user/group within ACS and you should be good to go.
Cisco AV pair
In all ACS versions define the VPN3000 NAS as an IOS router, otherwise you won't see this option.
Under the group/user setup in ACS, go to the Cisco IOS/PIX RADIUS attributes section (this appears because you've defined the NAS as an IOS router, even though it's actually a VPN3000). Check the box to return the attribute, and in the bigger box define the ACL as follows:
ip:inacl#1=permit ip any host 10.1.1.100
ip:inacl#2=permit tcp any host 10.1.1.200 eq 80
ip:inacl#3=permit icmp any any
Again there's an implicit "deny all" at the end, and this'll set up the same permissions as the Downloadable ACL above.
Sorry for intruding, but I am also trying to get the dynamic filtering to work using a RADIUS server. The problem is, it is not Cisco Secure but another vendor. I was wondering if anybody who has made this work could cut an example of what it looks like inside the RADIUS users file and post it. This, I am sure, would solve my problem. Thanks in advance.
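As an added example (not posted by anyone in this thread), here is how the same three ip:inacl# AV pairs from the Cisco AV pair answer above would be returned from a FreeRADIUS "users" file, which is the non-Cisco RADIUS case asked about here. The user name, password and client settings are constructed placeholders; the VPN3000 must also be defined as a client in clients.conf with its shared secret, and per the earlier reply the concentrator needs 4.x code to accept a server-defined filter.

```text
# FreeRADIUS "users" file entry (constructed example, not from the thread).
# Cisco-AVPair comes from the stock dictionary.cisco (vendor 9, attribute 1).
# Use "+=" for the reply items so each ACL line is sent as a separate
# Cisco-AVPair; "=" would keep only the first one.
vpnuser    Cleartext-Password := "CHANGE-ME-placeholder"
           Service-Type = Framed-User,
           Cisco-AVPair += "ip:inacl#1=permit ip any host 10.1.1.100",
           Cisco-AVPair += "ip:inacl#2=permit tcp any host 10.1.1.200 eq 80",
           Cisco-AVPair += "ip:inacl#3=permit icmp any any"
# Anything not matched by these three lines is dropped by the implicit
# "deny all" the concentrator appends, so leave the sequence numbers
# contiguous and check the result with a test client before rollout.
```

To confirm what is actually sent, run the server in debug mode (radiusd -X) and verify the three Cisco-AVPair values appear in the Access-Accept for this user.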