Here is the situation. I have a 2811 ISR running (C2800NM-ADVSECURITYK9-M), Version 12.4(2)T3. I previously configured the router to accept IPsec VPN clients and authenticate against Active Directory using IAS. This all works as expected, but any VPN client has access to anything on the LAN. The VPN server is configured to provide split-tunneling.
What I'm trying to do today is lock down remote access to the corporate LAN and set up multiple VPN policies with the end result of delivering per-user ACLs to the router. Most of the docs I've read assume one is using Cisco ACS but I saw the Cisco doc referring to configuring any RADIUS server. The searching I've done has led me to think that the best way to go in my scenario is to:
1) create AD groups for each level of access I wish to provide
2) add users to the appropriate AD groups
3) create Remote Access Policies under IAS for each level of access I wish to grant
4) set the conditions for the policy to require port-type VPN and user membership in the appropriate group
5) add to the policy Cisco-avpair attribute strings in the form of:
As far as I can tell that's all I should have to do and it should work. What happens when I test is that I see that the client is authenticated via the correct IAS remote access policy. I see in the IAS log that it transmits the ACL-related strings to the router.
I logged in to the router and ran a debug aaa attr and I see that it is receiving the attributes, yet when I do a show access-lists I don't see the user ACL. The VPN client still has full access like the default policy.
Any suggestions on what to look at next? Does this router/IOS even support this feature?
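As an added example that is not part of the original post: a small Python checker for the per-user ACL strings a RADIUS policy returns in Cisco-avpair, using the `ip:inacl#<seq>=<ACE>` (or `ip:outacl#`) convention. It flags the mistakes that most often make a router silently ignore an entry (missing `ip:` prefix, duplicate sequence numbers, an ACE it cannot parse). The sample attribute values are constructed, and the ACE grammar is a deliberately minimal subset.

```python
import re
from typing import Dict, List, Tuple

# Downloadable ACL entries in Cisco-avpair look like  ip:inacl#<seq>=<ACE>
# (ip:outacl# for the outbound direction). Other avpairs are not ACL entries.
AVPAIR_RE = re.compile(r"^ip:(inacl|outacl)#(\d+)=(.+)$")

# Minimal ACE subset: permit|deny <proto> <src> <dst> [port/other options]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D wildcard".
ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp|icmp)\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+"
    r"(any|host\s+\S+|\S+\s+\S+)(\s+.*)?$"
)

def parse_avpairs(avpairs: List[str]) -> Tuple[Dict[str, List[Tuple[int, str]]], List[str]]:
    """Group ACL avpairs by direction (sorted by sequence) and report problems."""
    acls: Dict[str, List[Tuple[int, str]]] = {"inacl": [], "outacl": []}
    problems: List[str] = []
    seen = set()
    for raw in avpairs:
        value = raw.strip()
        m = AVPAIR_RE.match(value)
        if not m:
            # Looks like it was meant to be an ACL entry but the prefix/separator is wrong
            if "inacl" in value or "outacl" in value:
                problems.append(f"malformed ACL avpair: {value!r}")
            continue
        direction, seq, ace = m.group(1), int(m.group(2)), m.group(3).strip()
        if (direction, seq) in seen:
            problems.append(f"duplicate sequence {seq} for {direction}")
        seen.add((direction, seq))
        if not ACE_RE.match(ace):
            problems.append(f"unparseable ACE at {direction}#{seq}: {ace!r}")
        acls[direction].append((seq, ace))
    for direction in acls:
        acls[direction].sort()
    return acls, problems

# Constructed sample of what one IAS Remote Access Policy might send for a user
SAMPLE_AVPAIRS = [
    "ip:inacl#1=permit tcp any host 10.10.20.5 eq 443",
    "ip:inacl#2=permit ip any 10.10.30.0 0.0.0.255",
    "ip:inacl#3=deny ip any any",
    "inacl#4=permit ip any any",        # missing 'ip:' prefix, would be ignored
    "ip:inacl#2=permit icmp any any",   # reuses sequence 2
]

if __name__ == "__main__":
    acls, problems = parse_avpairs(SAMPLE_AVPAIRS)
    for seq, ace in acls["inacl"]:
        print(f"inacl {seq}: {ace}")
    for p in problems:
        print("PROBLEM:", p)
```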