[cisco-nas] Per-User ACL from Radius

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Jul 20 02:10:55 EDT 2007


Eugene Patton <> wrote on Friday, July 20, 2007 1:40 AM:

> Hi All,
> 
> Another question from a newbie, and forgive me if this has been
> answered previously.  I have an issue and I am not sure if this feature
> will work with my version of IOS.  I have a Cisco 2821 with
> AIM-VPN/EPII-PLUS running version 12.4(12a) Advanced IP Services.  I am
> trying to download a per-user ACL from the radius server when the client
> connects (VPN), but the ACL does not get installed.  From a radius debug
> I can see the ip:inacl#1=permit etc., but the ACL does not get applied;
> if I use ipsec:inacl=111 (pre-configured on the router) it works.
> 
> Should this feature work?

No, "ip:inacl=<acl-definition>" is not processed by IPSec (as "debug aaa
per-user" would likely confirm), and the way you've described it is the
only way to apply an ACL to an IPSec tunnel.

I'm not an IPSec expert, but maybe you can use an "IPSec Virtual Tunnel
Interface" configuration? This involves a virtual-template, just like
pptp/l2tp, and you might be able to use more per-user AAA attributes.
Never tried this.

	oli
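The thread's point is that, for an IPSec session, only "ipsec:inacl=<acl-number>" (a reference to an ACL already configured on the router) is honoured, while inline "ip:inacl#N=<ace>" entries are silently ignored. The following script is an added example, not code from the thread or from Cisco: it audits the Cisco AV-pairs in a RADIUS profile against that behaviour so an operator can see, before a user connects, which entries the router would apply, which it would ignore, and which reference an ACL that is not configured. The sample AV-pairs, the set of configured ACL numbers, and the minimal ACE syntax check are all constructed for this example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of Cisco AV-pairs as they might appear in a RADIUS
# Access-Accept for a VPN user (not taken from the thread's debug output).
SAMPLE_AVPAIRS = [
    "ip:inacl#1=permit tcp any host 192.0.2.10 eq 22",
    "ip:inacl#2=deny ip any any",
    "ipsec:inacl=111",
    "ipsec:inacl=199",          # references an ACL the router does not have
    "ip:inacl#3=bogus entry",   # not a valid ACE at all
]

# ACL numbers assumed to be pre-configured on the router (constructed).
CONFIGURED_ACLS: Set[str] = {"111"}

INLINE_ACE_RE = re.compile(r"^ip:inacl#(?P<seq>\d+)=(?P<ace>.+)$")
IPSEC_REF_RE = re.compile(r"^ipsec:inacl=(?P<acl>\S+)$")
# Minimal sanity check for an ACE: action, protocol, then at least one more token.
ACE_RE = re.compile(r"^(permit|deny)\s+\S+\s+\S.*$")


def classify(avpair: str) -> Dict[str, str]:
    """Describe one AV-pair.

    kind is one of:
      inline_ace - ip:inacl#N=<ace>  (the ACE itself travels in the RADIUS reply)
      ipsec_ref  - ipsec:inacl=<acl> (reference to an ACL configured on the router)
      unknown    - anything else
    """
    m = INLINE_ACE_RE.match(avpair)
    if m:
        return {"kind": "inline_ace", "seq": m.group("seq"), "ace": m.group("ace")}
    m = IPSEC_REF_RE.match(avpair)
    if m:
        return {"kind": "ipsec_ref", "acl": m.group("acl")}
    return {"kind": "unknown", "raw": avpair}


def audit_ipsec_profile(avpairs: List[str], configured_acls: Set[str]) -> Dict[str, List[str]]:
    """Sort a profile's AV-pairs by what an IPSec session would do with them,
    following the thread's observation: ipsec:inacl references are applied
    (if the ACL exists), ip:inacl#N entries are ignored."""
    report: Dict[str, List[str]] = {
        "applied": [], "ignored": [], "missing_acl": [], "malformed": []
    }
    for av in avpairs:
        rec = classify(av)
        if rec["kind"] == "ipsec_ref":
            bucket = "applied" if rec["acl"] in configured_acls else "missing_acl"
            report[bucket].append(av)
        elif rec["kind"] == "inline_ace":
            report["ignored" if ACE_RE.match(rec["ace"]) else "malformed"].append(av)
        else:
            report["malformed"].append(av)
    return report


def inline_acl(avpairs: List[str]) -> List[str]:
    """Assemble the ip:inacl#N entries into an ordered ACE list, i.e. the ACL a
    service that does process this attribute would install."""
    aces = []
    for av in avpairs:
        rec = classify(av)
        if rec["kind"] == "inline_ace" and ACE_RE.match(rec["ace"]):
            aces.append((int(rec["seq"]), rec["ace"]))
    return [ace for _, ace in sorted(aces)]


if __name__ == "__main__":
    for bucket, entries in audit_ipsec_profile(SAMPLE_AVPAIRS, CONFIGURED_ACLS).items():
        print(f"{bucket:12s} {entries}")
    print("inline ACL  ", inline_acl(SAMPLE_AVPAIRS))
```

Run against the sample profile, the report puts "ipsec:inacl=111" under applied, "ipsec:inacl=199" under missing_acl, the two well-formed ip:inacl#N entries under ignored (the exact symptom the original poster saw), and the malformed entry on its own; an entry landing in ignored is the cue to move the ACL into the router configuration and reference it with ipsec:inacl instead.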
