VPN-filter attribute for Radius server

sjhloco
Level 1

Hi,

We have been assigning VPN attributes on ASAs via RADIUS and can get them to work fine using the Vendor specific attribute numbers as listed in the link.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1661512

My question is if anyone knows if you can set the VPN-filter ACL value using these attributes? I can see there is one for IPv6-VPN-Filter (219) but that doesn't work, and I did try Access-List-Inbound (86) and Access-List-Outbound (87) in case, but they aren't the ones.

So I am left wondering whether Cisco missed it out of the documentation by mistake or it isn't possible. I can't see why it wouldn't be possible if you can set all other types of VPN attributes.

Thanks

Accepted Solution

Jennifer Halim
Cisco Employee

Yes, they are [011] Filter-Id where you specify the name of the vpn-filter ACL configured on the ASA.

Or alternatively you can use either Cisco AV-Pairs or DACL.

Cisco AV-Pairs:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1763743

DACL:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd914.html#wp391257

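As an added illustration (not from the thread, and not Cisco's code), this shows how a RADIUS Access-Accept carrying the two options named in the accepted answer is laid out on the wire: standard attribute [011] Filter-Id holding the name of the vpn-filter ACL configured on the ASA, and a Vendor-Specific attribute (26, vendor 9) holding a cisco-avpair. The ACL name, packet identifier and AV-pair string are constructed sample values, and the Response Authenticator is left zeroed rather than computed.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11        # [011] Filter-Id: carries the vpn-filter ACL name
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific wrapper
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # Cisco VSA sub-type 1: cisco-avpair

def attr(attr_type, value):
    """Encode one RADIUS attribute TLV: type, total length, value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_vsa(sub_type, value):
    """Wrap a Cisco sub-attribute inside a Vendor-Specific (26) TLV."""
    inner = struct.pack("!BB", sub_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_access_accept(identifier, authenticator, attrs):
    """Assemble an Access-Accept header (code, id, length, 16-byte authenticator)."""
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Walk the attribute list and return Filter-Id values and Cisco AV-pairs."""
    found = {"filter_id": [], "cisco_avpair": []}
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + length]
        if t == ATTR_FILTER_ID:
            found["filter_id"].append(value.decode())
        elif t == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            sub = value[4:]
            while len(sub) >= 2 and sub[1] >= 2:   # iterate vendor sub-attributes
                st, sl = sub[0], sub[1]
                if st == CISCO_AVPAIR:
                    found["cisco_avpair"].append(sub[2:sl].decode())
                sub = sub[sl:]
        pos += length
    return found

def demo():
    """Constructed sample: Filter-Id names the ASA ACL; the AV-pair is a sample string
    (the exact AV-pair syntax is in the Cisco AV-Pairs document linked above)."""
    attrs = attr(ATTR_FILTER_ID, b"VPN_FILTER_ACL") + \
        cisco_vsa(CISCO_AVPAIR, b"ip:inacl#1=permit ip any any")
    return parse_attributes(build_access_accept(7, bytes(16), attrs))
```

A server that sends only Filter-Id relies on the ASA already having an ACL of that exact name; a typo on either side silently yields no filter match, which is worth checking first when a tunnel comes up with unexpected traffic behaviour.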

5 Replies


Thanks for the update, unfortunately we can't use DACLs since we are using a Windows RADIUS server.

I have already tried the [011] Filter-Id and it blocked all traffic. The VPN initialized but it failed the Xauth authentication because it couldn't contact the RADIUS server. I tried making the filter ACL a permit any and it was the same. I think I forgot to mention that we are using the IPSEC VPN client, not an L2L tunnel. When I read into the [011] Filter-Id more it says "This applies only to full tunnel IPsec and SSL VPN clients", which after testing read as meaning it won't work with the IPsec VPN client, only an L2L tunnel.

The Cisco AV-Pairs attribute also seems to suggest the same thing. I will give it a go and see what happens. Have you used this to apply a vpn-filter ACL to an IPSEC VPN account and got it to work?

Full tunnel means it does not apply to clientless vpn, not Lan-to-Lan tunnel.

It should work with the IPsec VPN Client. It is strange that it even blocks the Xauth because the attribute should be applied after authentication, not before, and to confirm, it does not allow it either, even after you configure permit ip any. Strange...

I tried it using the AV-Pairs and it worked fine, so went back to trying to use the [011] Filter-Id. Miraculously that also works fine now. I am not sure why it wasn't working before, as I am using the same ACL, so I guess it must be something on the RADIUS server. I can see your point that it should only be applied after authentication, so shouldn't stop authentication. Anyway it's working now, thanks for all your help.

Great that it's working now. Thanks for the update.
