It seems adding ipsec attributes to the ACS groups is a good practice.

Snippet from
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1516834
RADIUS Support for User Profiles

Attributes may also be applied on a per-user basis. If you apply attributes
on a per-user basis, you can override a group attribute value with an
individual user attribute. The attributes are retrieved at the time that
user authentication via Xauth occurs. The attributes are then combined with
group attributes and applied during Mode Configuration.

User-based attributes are available only if RADIUS is being used for user
authentication.

To define user policy attributes for RADIUS, you must do the following task
on your RADIUS server:

• Define a user or add attributes to the existing profile of a user in your
RADIUS database. The password for the user will be used during Xauth user
authentication, or you may proxy to a third-party server, such as a token
card server.

Figure 3 shows how CiscoSecure ACS may be used for user
authentication and for the assignment of a Framed-IP-Address attribute that
may be pushed to the client. The presence of this attribute means that the
local address pool defined for the group to which that user belongs will be
overridden.


With regards
Kings

On Tue, Oct 12, 2010 at 3:52 PM, Kingsley Charles <
[email protected]> wrote:

> Hi all
>
> Sec 4.8 has asked us to configure for Radius authorization of the group. It
> has been specifically mentioned that IP address should be given from the
> Xauth user and not from the ipsec attributes.
>
> Either the other ipsec attributes like password, split-tunnel acl can be
> configured in the ezvpn useraccount or in an ACS group and make the ezvpn
> useraccount a member of it.
>
> I didn't use ACS groups initially and directly put the ipsec attributes
> REMOTE. And the cciesec has the IP address allocated.
>
> This didn't work, as the authentication was as follows. The Server was not
> able to allocate an IP address even though the framed address was present in
> the attributes sent by the ACS.
>
>
>    1. REMOTE was authenticated
>    2. Then cciesec was authenticated
>    3. Again REMOTE was authenticated
>
>
> So I created an ACS group and put the IPSec attributes in it. Just made the
> REMOTE user its member but not the cciesec user. The same issue, and the
> authentication order again was the same.
>
>
>    1. REMOTE was authenticated
>    2. Then cciesec was authenticated
>    3. Again REMOTE was authenticated
>
>
> Next I made both REMOTE and cciesec members of the group and it
> worked. The client got the framed IP address from cciesec. The
> authentication order was
>
>
>    1. REMOTE was authenticated
>    2. Then cciesec was authenticated
>
>
> Hence for both case 1 and 2, the ezvpn group is being authenticated again
> for 2nd time which overwrites cciesec's attributes. For case 3, REMOTE group
> was not authenticated again and hence cciesec's framed was there in the
> cache and allocated
>
> Any comments?
>
>
>
> With regards
> Kings
>
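A small Python model of the attribute handling discussed above, added here as an illustration and not Cisco's or ACS's actual code. It follows the documented rule (group attributes combined with per-user attributes at Mode Configuration, user value overriding the group's) and encodes the thread's hypothesis that a repeated group authentication replaces the cached attribute set; that hypothesis, the group/user names and the address values are assumptions, not documented behaviour.

```python
# Constructed sample attribute sets (not from any real ACS configuration).
GROUP_REMOTE = {"ipsec:addr-pool": "EZVPN_POOL", "ipsec:key-exchange": "ike"}
USER_CCIESEC = {"Framed-IP-Address": "10.10.10.5"}

# Authentication orders reported in the thread: the failing cases saw the
# group authenticated a second time after the Xauth user, the working case did not.
SEQUENCE_FAILING = [("group", GROUP_REMOTE), ("user", USER_CCIESEC), ("group", GROUP_REMOTE)]
SEQUENCE_WORKING = [("group", GROUP_REMOTE), ("user", USER_CCIESEC)]


def merge_mode_config(group_attrs, user_attrs):
    """Documented rule: user attributes are combined with group attributes
    and a per-user value overrides the same group attribute."""
    merged = dict(group_attrs)
    merged.update(user_attrs)
    return merged


def run_sequence(events):
    """Model (assumption, not documented): a 'group' authentication replaces
    the cached attribute set, a 'user' authentication merges on top of it."""
    cache = {}
    for kind, attrs in events:
        if kind == "group":
            cache = dict(attrs)
        elif kind == "user":
            cache = merge_mode_config(cache, attrs)
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return cache


def assigned_address(cache):
    """Framed-IP-Address, when present, overrides the group's local pool."""
    if "Framed-IP-Address" in cache:
        return ("user", cache["Framed-IP-Address"])
    return ("pool", cache.get("ipsec:addr-pool"))


if __name__ == "__main__":
    for name, seq in (("failing", SEQUENCE_FAILING), ("working", SEQUENCE_WORKING)):
        print(name, assigned_address(run_sequence(seq)))
```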
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com