Hi all,

Sec 4.8 has asked us to configure RADIUS authorization of the group. It has been specifically mentioned that the IP address should be given from the Xauth user and not from the ipsec attributes.
The other ipsec attributes, like the password and split-tunnel ACL, can either be configured in the ezvpn user account, or in an ACS group with the ezvpn user account made a member of it.

I didn't use ACS groups initially and directly put the ipsec attributes in REMOTE. And the cciesec user has the IP address allocated. This didn't work; the authentication was as follows. The server was not able to allocate the IP address even if the framed address was present in the attributes sent by the ACS.

1. REMOTE was authenticated
2. Then cciesec was authenticated
3. Again REMOTE was authenticated

So I created an ACS group and put the ipsec attributes in it. I just made the REMOTE user its member, but not the cciesec user. The same issue occurred, and the authentication order was again the same.

1. REMOTE was authenticated
2. Then cciesec was authenticated
3. Again REMOTE was authenticated

Next I made both REMOTE and cciesec members of the group and it worked. The client got the framed IP address from cciesec. The authentication order was:

1. REMOTE was authenticated
2. Then cciesec was authenticated

Hence for both case 1 and 2, the ezvpn group is being authenticated again for a 2nd time, which overwrites cciesec's attributes. For case 3, the REMOTE group was not authenticated again, and hence cciesec's framed was there in the cache and allocated.

Any comments?

With regards
Kings
