Hi all

Sec 4.8 has asked us to configure for Radius authorization of the group. It
has been specifically mentioned that IP address should be given from the
Xauth user and not from the ipsec attributes.

The other ipsec attributes, like the password and split-tunnel acl, can
either be configured in the ezvpn user account or in an ACS group, with the
ezvpn user account made a member of it.

I didn't use ACS groups initially and directly put the ipsec attributes
in REMOTE. And cciesec has the IP address allocated.

This didn't work, as the authentication was as follows. The server was not
able to allocate the IP address even though the framed address was present in
the attributes sent by the ACS.


   1. REMOTE was authenticated
   2. Then cciesec was authenticated
   3. Again REMOTE was authenticated


So I created an ACS group and put the IPSec attributes in it. I made only the
REMOTE user its member, not the cciesec user. The same issue occurred, and
the authentication order was again the same.


   1. REMOTE was authenticated
   2. Then cciesec was authenticated
   3. Again REMOTE was authenticated


Next I made both REMOTE and cciesec members of the group, and it
worked. The client got the framed IP address from cciesec. The
authentication order was:


   1. REMOTE was authenticated
   2. Then cciesec was authenticated


Hence, for both cases 1 and 2, the ezvpn group is being authenticated a
second time, which overwrites cciesec's attributes. For case 3, the REMOTE
group was not authenticated again, and hence cciesec's framed address was
there in the cache and was allocated.

Any comments?



With regards
Kings