[cisco-nas] Per-User ACL from Radius

Nemec Ladislav Ladislav.Nemec at anect.com
Thu Jul 26 04:50:03 EDT 2007


Hi Eugene,
Try using a wildcard ACL on the RADIUS server if you are using a normal ACL (or
the opposite).
Best regards,
Ladislav.

-----Original Message-----
From: cisco-nas-bounces at puck.nether.net
[mailto:cisco-nas-bounces at puck.nether.net] On Behalf Of Oliver Boehmer
(oboehmer)
Sent: Friday, July 20, 2007 8:11 AM
To: Eugene Patton; cisco-nas at puck.nether.net
Subject: Re: [cisco-nas] Per-User ACL from Radius

Eugene Patton <> wrote on Friday, July 20, 2007 1:40 AM:

> Hi All,
> 
> Another question from a newbie, and forgive me if this has been
> answered previously.  I have an issue and I am not sure if this
> feature will work with my version of IOS.  I have a Cisco 2821 with
> AIM-VPN/EPII-PLUS running version 12.4(12a) Advanced IP Services.  I am
> trying to download a per-user ACL from the RADIUS server when the
> client connects (VPN), but the ACL does not get installed.  From a
> RADIUS debug I can see the ip:inacl#1=permit etc., but the ACL does not
> get applied; if I use ipsec:inacl=111 (pre-configured on the router)
> it works.
> 
> Should this feature work?

no, "ip:inacl=<acl-definition>" is not processed by IPSec (as "debug aaa
per-user" would likely confirm), and the way you've described it is the
only way to apply an ACL to an IPSec tunnel. 

I'm not an IPSec expert, but maybe you can use "IPSec Virtual Tunnel
Interface" configuration? This involves a virtual-template, just like
pptp/l2tp, and you might be able to use more per-user AAA attributes.
Never tried this..

	oli
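As an added illustration, not part of the thread and not from any of the posters: the attribute shape Eugene reports as working (ipsec:inacl referencing an ACL that already exists on the router), shown as a RADIUS reply plus the matching IOS ACL. The FreeRADIUS users-file format, the username "vpnuser", the password and the ACL body are all assumptions for the example.

```text
# --- RADIUS side (assumed: FreeRADIUS "users" file) ---
# The Cisco-AVPair VSA carries the per-user attribute. Only the ACL *number*
# is sent; the ACL itself must be configured on the router beforehand.
vpnuser  Cleartext-Password := "example-password"
         Cisco-AVPair += "ipsec:inacl=111"

! --- Router side (IOS) ---
! ACL 111 is the object ipsec:inacl=111 points at. If it does not exist,
! the attribute is accepted but nothing is filtered. Addresses are made up.
access-list 111 remark per-user inbound filter, referenced via ipsec:inacl
access-list 111 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
access-list 111 deny   ip any any log

! To see whether the attribute arrived and whether IPsec consumed it:
!   debug radius
!   debug aaa per-user
```

The check a practitioner wants here is the pairing: the RADIUS reply names the ACL, but only the router's own configuration defines what it permits, so an ACL number that is sent but not configured fails silently rather than loudly.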
_______________________________________________
cisco-nas mailing list
cisco-nas at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nas
