Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

RADIUS policies with IPSec and Web VPN on 3005

I am using MS version of RADIUS (IAS) to authenticate users to my Cisco 3005 VPN concentrator. I have one policy for all employees so they can use the Web VPN and another policy for a select group of employees so they can connect via IPSec client. The Web VPN policy is first in IAS and thae IPSec policy is second. A user that has been removed from the IPSec policy group can still get authorized to connect via IPSec because they are in the Web VPN group. If I change the order of the policies the user will be denied access to connect via IPSec but is also denied access to Web VPN as well. The authentication process seems to stop when the first "deny" is hit in policy. Is there a way to allow web users while denying them the ability to connect via IPSec? TIA


Re: RADIUS policies with IPSec and Web VPN on 3005

The exact way to prevent this action is to configure permit ip any any at the end of the configuration because the access list will by default deny all the traffic so configure Permit ip any any at the end of access list configuration.

New Member

Re: RADIUS policies with IPSec and Web VPN on 3005

Thanks for your reply. I'm not sure what you're saying applies so perhaps I need to restate what I'm trying to accomplish. I have two policies in MS Internet Authentication Service, each of which authenticates against Active Directory. One policy authenticates against a group of All Employees and the other against another AD Group. The 2nd Group is a smaller subset of All Employees. I want to allow the All Employee Group to have access to a Web VPN. I want the smaller group to have access to the Web VPN and an IPSec VPN. Both policies are set to Grant Access, not deny.

If I put the Web VPN policy first then the concentrator will allow All Employees to connect via IPSec and via Web VPN. So I put the IPSec policy first. The idea is that if a Web VPN user tries to authenticate it will be denied access to the IPSec protocol but will check the next policy and be granted access to the Web VPN protocol but that's not how it's working out. If an employee that is not a member of the smaller group tries to access the Web VPN while the IPSec IAS policy is first, that user is denied access to all protocols. It hits the IPSec policy, sees that the user doesn't match that profile and is denied access completely. I want it to check the next policy and then grant access to a Web VPN but it won't do that. It stops checking for authentication priviliges after denying access based on the first policy.

I'm trying to permit access to a protocol based on which IAS policy the user is configured to use but it seems that as long as a user authenticates to any policy, they have access to any protocol. I'm not sure if what I'm trying is possible or if I'm improperly configured but it's sure frustrating. Thanks for any help.

CreatePlease to create content