On page 449 of the Vol 1 Solutions, it has been mentioned that "In our case, we want to assign the IP address to the specific user which is a per-user attribute so have to configure IETF attributes for group"
Can someone explain this?

With regards
Kings

On Tue, Oct 12, 2010 at 3:52 PM, Kingsley Charles <[email protected]> wrote:

> Hi all
>
> Sec 4.8 has asked us to configure for Radius authorization of the group. It has been specifically mentioned that the IP address should be given from the Xauth user and not from the ipsec attributes.
>
> Either the other ipsec attributes like password, split-tunnel acl can be configured in the ezvpn useraccount or in an ACS group and make ezvpn useraccount member of it.
>
> I didn't use ACS groups initially and directly put the ipsec attributes in REMOTE. And the cciesec has the IP address allocated.
>
> This didn't work, as the authentication was as following. The Server was not able to allocate IP address even if the framed address was present in attributes sent the ACS.
>
> 1. REMOTE was authenticated
> 2. Then cciesec was authenticated
> 3. Again REMOTE was authenticated
>
> So I created an ACS group and put the IPSec attributes in it. Just made REMOTE user as its member but not cciesec user. The same issue and authentication order again was the same.
>
> 1. REMOTE was authenticated
> 2. Then cciesec was authenticated
> 3. Again REMOTE was authenticated
>
> Next I made both REMOTE and cciesec as the member of the group and it worked. The client got the framed IP address from cciesec. The authentication order was
>
> 1. REMOTE was authenticated
> 2. Then cciesec was authenticated
>
> Hence for both cases 1 and 2, the ezvpn group is being authenticated again for 2nd time which overwrites cciesec's attributes. For case 3, REMOTE group was not authenticated again and hence cciesec's framed was there in the cache and allocated
>
> Any comments?
>
> With regards
> Kings
