[c-nsp] differentiating services using radius attributes
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Nov 1 10:27:36 EST 2004
Hi,
> We are using vrf-aware feature on Cisco 7206 to
> terminate IPsec sessions from different access
> methods.
> This means that user can access the 7206 VPN
> concentrator from the Internet or from a wireless AP
> within the campus.
>
> Is there any radius attribute that we can use to
> differentiate the different types of access methods
> (from the Internet or from the wireless LAN)? We need
> to differentiate the services because we want to have
> a different charging scheme for different access
> methods.
Hmm, would the user use the same crypto-map/isakmp-profile, whether
he/she connects via the Internet or the WLAN?
I'm not an expert on this solution, but maybe you could split this up
into two different crypto-maps (based on ACL), and maybe you will see
some IPsec-specific attributes sent within the authentication request
when you configure
radius-server host x.x.x.x .... non-standard
radius-server vsa send authentication
Not sure, never tried this.. Maybe you will already get some additional
attributes if you enable this without splitting the crypto-maps..
If this fails, you could use different authentication/authorization
method lists (referenced as "client authentication list" and "isakmp
authorization list") in your two isakmp-profiles and different RADIUS
servers, but this is not very "nice" (unless you have a RADIUS server
which is able to listen on different IP addresses and is able to hand
out different attribute sets based on the dest-IP-address used in the
Access-Request packet).
oli
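Illustrative IOS configuration sketch for the second approach Oliver describes (two ISAKMP profiles, each pointing at its own authentication, authorization and accounting method lists and its own RADIUS server group, with VSA sending enabled). This is an added example, not part of the original post and not a Cisco reference configuration; interface names, addresses, keys, VRF and group names are placeholders, and the assumption that WLAN and Internet clients can be told apart by the IKE group identity they present (one client profile per access method) must hold for the profile matching to work.

```cisco
! Added example, not from the original post. Names, addresses and keys are
! placeholders; adapt to the real 7206 and RADIUS setup.
aaa new-model
!
! One RADIUS server group per access method. Each group talks to a different
! server address, so the RADIUS side can tell the requests apart by the
! destination address of the Access-Request and apply a different tariff.
aaa group server radius RADIUS-INET
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa group server radius RADIUS-WLAN
 server 192.0.2.11 auth-port 1812 acct-port 1813
!
! Separate XAUTH, ISAKMP authorization and accounting method lists
aaa authentication login XAUTH-INET group RADIUS-INET
aaa authorization network ISAKMP-INET group RADIUS-INET
aaa accounting network ACCT-INET start-stop group RADIUS-INET
aaa authentication login XAUTH-WLAN group RADIUS-WLAN
aaa authorization network ISAKMP-WLAN group RADIUS-WLAN
aaa accounting network ACCT-WLAN start-stop group RADIUS-WLAN
!
! "non-standard" plus "vsa send" lets the router include Cisco VSAs, which
! is what Oliver suggests checking for IPsec-specific attributes.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key INET-SECRET non-standard
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key WLAN-SECRET non-standard
radius-server vsa send authentication
radius-server vsa send accounting
!
! Two ISAKMP profiles. Assumption: Internet clients are distributed a client
! profile with group name "inet-users", campus WLAN clients one with
! "wlan-users"; the group identity selects the profile and thus the lists.
crypto isakmp profile INET
 vrf CAMPUS
 match identity group inet-users
 client authentication list XAUTH-INET
 isakmp authorization list ISAKMP-INET
 client configuration address respond
 accounting ACCT-INET
!
crypto isakmp profile WLAN
 vrf CAMPUS
 match identity group wlan-users
 client authentication list XAUTH-WLAN
 isakmp authorization list ISAKMP-WLAN
 client configuration address respond
 accounting ACCT-WLAN
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! One dynamic map per profile, applied through two crypto maps so that the
! Internet-facing and the campus-facing interface each accept only "their"
! client population.
crypto dynamic-map DYN-INET 10
 set transform-set TS
 set isakmp-profile INET
crypto dynamic-map DYN-WLAN 10
 set transform-set TS
 set isakmp-profile WLAN
!
crypto map VPN-INET 10 ipsec-isakmp dynamic DYN-INET
crypto map VPN-WLAN 10 ipsec-isakmp dynamic DYN-WLAN
!
interface FastEthernet0/0
 description Internet-facing (placeholder)
 crypto map VPN-INET
!
interface FastEthernet1/0
 description campus WLAN (placeholder)
 crypto map VPN-WLAN
```

With this layout the RADIUS server never needs a special attribute to recognise the access method: requests for Internet users always arrive at 192.0.2.10 and those for WLAN users at 192.0.2.11, so per-destination policies (or two listeners, as Oliver notes) are enough to charge them differently. The price is that the split depends on clients presenting the expected group identity; a WLAN client configured with the Internet group name would be billed as an Internet user.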