Cisco Support Community

New Member

VPN3K access restriction based on attribute 66 Tunnel-Client-Endpoint

We have a VPN 3000 concentrator where users connect from the internet and extranet too.

We want to restrict some users to certain IP sources; this is in RADIUS attribute 66, Tunnel-Client-Endpoint.

Is this restriction possible with CS ACS 3.1? Could not find a way to do it.

THANKS,

Martin

2 REPLIES
Silver

Re: VPN3K access restriction based on attribute 66 Tunnel-Client

Hi Martin,

You can do it. The steps involved in detail are given in the link:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/g.htm#327.

Hope this helps.

New Member

Re: VPN3K access restriction based on attribute 66 Tunnel-Client

Unfortunately I can't.

Please describe in more detail how to do it!

The CSACS docu says: "If you are using RADIUS IETF—The calling-station-id (attribute 31) and called-station-id (attribute 30) fields are used."

The VPN3K does not send anything in attributes 30 and 31. I want to restrict access on attribute 66; see the RADIUS decode:

    Request from host 192.168.0.6:1646 code=4, id=102, length=119 on port 1031
    [001] User-Name value: mihalyfim
    [005] NAS-Port value: 1115
    [006] Service-Type value: 2
    [007] Framed-Protocol value: 1
    [008] Framed-IP-Address value: 192.168.18.1
    [025] Class value: SYN_VPN
    [040] Acct-Status-Type value: 1
    [044] Acct-Session-Id value: DDF00036
    [066] Tunnel-Client-Endpoint value: [T1] a.b.c.d
    [045] Acct-Authentic value: 1
    [041] Acct-Delay-Time value: 0
    [004] NAS-IP-Address value: 192.168.0.6
    [061] NAS-Port-Type value: 5

Thanks,

Marton
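
The decode in the post above is an accounting request (code=4) that carries the client's source address in attribute 66, behind a tunnel tag ([T1]). As an added example, not part of the thread and not a CS ACS feature, this Python sketch audits records in that text layout and flags sessions whose Tunnel-Client-Endpoint falls outside a per-user list of permitted source networks. The user names, networks and sample records are constructed.

```python
import ipaddress
import re

# Constructed per-user policy (hypothetical names and networks).
ALLOWED_SOURCES = {"alice": ["198.51.100.0/24"],
                   "bob": ["203.0.113.16/28", "192.0.2.10/32"]}

ATTR_LINE = re.compile(r"^\[(\d{3})\]\s+\S+\s+value:\s*(.*)$")
TAG_PREFIX = re.compile(r"^\[T\d+\]\s*")  # tunnel tag shown before the value

def parse_decode(text):
    """Return {attribute number: value} for one decoded RADIUS request."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m:
            attrs[int(m.group(1))] = m.group(2).strip()
    return attrs

def client_endpoint(attrs):
    """Attribute 66 without its tunnel tag, as an IP address, or None."""
    raw = attrs.get(66, "")
    try:
        return ipaddress.ip_address(TAG_PREFIX.sub("", raw))
    except ValueError:
        return None  # missing, a hostname, or malformed: treat as unknown

def check_session(text, policy=ALLOWED_SOURCES):
    """Return (user, endpoint, verdict) for one decoded request."""
    attrs = parse_decode(text)
    user = attrs.get(1)
    addr = client_endpoint(attrs)
    if addr is None:
        return user, None, "no-endpoint"
    nets = policy.get(user)
    if nets is None:
        return user, addr, "unrestricted"
    ok = any(addr in ipaddress.ip_network(n) for n in nets)
    return user, addr, "allowed" if ok else "violation"

# Constructed sample records in the same layout as the decode in the post.
TEMPLATE = ("[001] User-Name value: {user}\n[040] Acct-Status-Type value: 1\n"
            "[066] Tunnel-Client-Endpoint value: [T1] 198.51.100.7")
SAMPLE_OK, SAMPLE_BAD = TEMPLATE.format(user="alice"), TEMPLATE.format(user="bob")

if __name__ == "__main__":
    for rec in (SAMPLE_OK, SAMPLE_BAD):
        print(check_session(rec))
```

Because this reads accounting records, it detects a session from an unexpected source after it has started; it does not block the login.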
