On page 449 of the Vol 1 Solutions, it has been mentioned that "In our
case, we want to assign the IP address to the specific user which is a
per-user attribute so have to configure IETF attributes for group"

Can someone explain this?

With regards
Kings


On Tue, Oct 12, 2010 at 3:52 PM, Kingsley Charles <
[email protected]> wrote:

> Hi all
>
> Sec 4.8 has asked us to configure RADIUS authorization of the group. It
> has been specifically mentioned that the IP address should be given from the
> Xauth user and not from the ipsec attributes.
>
> The other ipsec attributes like password and split-tunnel acl can either be
> configured in the ezvpn useraccount or in an ACS group, making the ezvpn
> useraccount a member of it.
>
> I didn't use ACS groups initially and directly put the ipsec attributes
> in REMOTE. And cciesec has the IP address allocated.
>
> This didn't work, as the authentication was as follows. The server was not
> able to allocate an IP address even though the framed address was present in
> the attributes sent by the ACS.
>
>
>    1. REMOTE was authenticated
>    2. Then cciesec was authenticated
>    3. Again REMOTE was authenticated
>
>
> So I created an ACS group and put the IPSec attributes in it. I made only
> the REMOTE user its member, not the cciesec user. The same issue occurred,
> and the authentication order was again the same.
>
>
>    1. REMOTE was authenticated
>    2. Then cciesec was authenticated
>    3. Again REMOTE was authenticated
>
>
> Next I made both REMOTE and cciesec members of the group and it
> worked. The client got the framed IP address from cciesec. The
> authentication order was
>
>
>    1. REMOTE was authenticated
>    2. Then cciesec was authenticated
>
>
> Hence for both cases 1 and 2, the ezvpn group is being authenticated a
> 2nd time, which overwrites cciesec's attributes. For case 3, the REMOTE group
> was not authenticated again and hence cciesec's framed address was there in
> the cache and was allocated.
>
> Any comments?
>
>
>
> With regards
> Kings
>