
New Member

VPN-filter attribute for Radius server

Hi,

We have been assigning VPN attributes on ASAs via RADIUS and can get them to work fine using the Vendor specific attribute numbers as listed in the link.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1661512

My question is if anyone knows whether you can set the VPN-filter ACL value using these attributes? I can see there is one for IPv6-VPN-Filter (219) but that doesn’t work, and I did try Access-List-Inbound (86) and Access-List-Outbound (87) in case, but they aren’t the ones.

So I am left wondering whether Cisco missed it out of the documentation by mistake or it isn’t possible. I can't see why it wouldn’t be possible if you can set all other types of VPN attributes.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

VPN-filter attribute for Radius server

Yes, it is [011] Filter-Id, where you specify the name of the vpn-filter ACL configured on the ASA.

Or alternatively you can use either Cisco AV-Pairs or DACL.

Cisco AV-Pairs:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1763743

DACL:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd914.html#wp391257

5 REPLIES
New Member

VPN-filter attribute for Radius server

Thanks for the update, unfortunately we can't use DACLs since we are using a Windows RADIUS server.

I have already tried the [011] Filter-Id and it blocked all traffic. The VPN initialized but it failed the Xauth authentication because it couldn't contact the RADIUS server. I tried making the filter ACL a permit any and it was the same. I think I forgot to mention that we are using the IPSEC VPN client, not an L2L tunnel. When I read into the [011] Filter-Id more it says "This applies only to full tunnel IPsec and SSL VPN clients", which after testing I read as meaning it won't work with the IPsec VPN client, only an L2L tunnel.

The Cisco AV-Pairs attribute also seems to suggest the same thing. I will give it a go and see what happens. Have you used this to apply a vpn-filter ACL to an IPSEC VPN account and got it to work?

Cisco Employee

VPN-filter attribute for Radius server

Full tunnel means it does not apply to clientless vpn, not Lan-to-Lan tunnel.

It should work with the IPsec VPN Client. It is strange that it even blocks the Xauth because the attribute should be applied after authentication, not before, and to confirm, it does not allow it even after you configure permit IP any. Strange...

New Member

VPN-filter attribute for Radius server

I tried it using the AV-Pairs and it worked fine, so I went back to trying to use the [011] Filter-Id. Miraculously that also works fine now. I am not sure why it wasn't working before, as I am using the same ACL, so I guess it must be something on the RADIUS server. I can see your point that it should only be applied after authentication, so it shouldn't stop authentication. Anyway it's working now, thanks for all your help.

Cisco Employee

VPN-filter attribute for Radius server

Great that it's working now. Thanks for the update.
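As an added example (not from this thread, Cisco, or any RADIUS product), here is a small Python encoder/decoder for the two RADIUS attributes the accepted answer names: the standard Filter-Id (type 11) carrying the vpn-filter ACL name, and the Cisco vendor-specific cisco-av-pair (type 26, vendor ID 9, sub-type 1). The ACL name VPN_FILTER and the av-pair string are constructed sample values; running the decoder over the attribute bytes of a captured Access-Accept shows exactly what the RADIUS server returned, which is the kind of server-side mismatch the later replies suspect.

```python
import struct

RADIUS_FILTER_ID = 11   # standard attribute [011] Filter-Id
RADIUS_VSA = 26         # Vendor-Specific attribute
VENDOR_CISCO = 9        # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1       # Cisco sub-attribute 1: cisco-av-pair

def encode_filter_id(acl_name: str) -> bytes:
    """Filter-Id TLV: type, total length (header included), ASCII ACL name."""
    value = acl_name.encode("ascii")
    if len(value) > 253:            # one-byte length field, 2-byte header
        raise ValueError("Filter-Id value too long")
    return struct.pack("!BB", RADIUS_FILTER_ID, 2 + len(value)) + value

def encode_cisco_av_pair(text: str) -> bytes:
    """VSA 26 wrapping vendor ID 9 and a cisco-av-pair sub-TLV (type 1)."""
    value = text.encode("ascii")
    if len(value) > 247:            # 2 + 4 + 2 bytes of headers must fit in 255
        raise ValueError("cisco-av-pair value too long")
    sub = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(value)) + value
    body = struct.pack("!I", VENDOR_CISCO) + sub
    return struct.pack("!BB", RADIUS_VSA, 2 + len(body)) + body

def decode_attributes(data: bytes) -> dict:
    """Walk the attribute list of an Access-Accept; collect what the ASA acts on."""
    out = {"filter_id": [], "av_pairs": []}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        value = data[i + 2:i + alen]
        if atype == RADIUS_FILTER_ID:
            out["filter_id"].append(value.decode("ascii", "replace"))
        elif atype == RADIUS_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == VENDOR_CISCO:
                j = 4                   # vendor sub-TLVs follow the 4-byte vendor ID
                while j + 2 <= len(value):
                    vtype, vlen = value[j], value[j + 1]
                    if vlen < 2 or j + vlen > len(value):
                        raise ValueError("bad vendor sub-attribute length")
                    if vtype == CISCO_AV_PAIR:
                        out["av_pairs"].append(value[j + 2:j + vlen].decode("ascii", "replace"))
                    j += vlen
        i += alen
    return out

if __name__ == "__main__":
    # Constructed sample reply: a Filter-Id naming the ASA ACL plus one av-pair.
    sample = encode_filter_id("VPN_FILTER") + encode_cisco_av_pair("ip:inacl#1=permit ip any any")
    print(decode_attributes(sample))
```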
