It seems adding IPsec attributes to the ACS groups is a good practice.
Snippet from http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1516834

RADIUS Support for User Profiles

Attributes may also be applied on a per-user basis. If you apply attributes on a per-user basis, you can override a group attribute value with an individual user attribute. The attributes are retrieved at the time that user authentication via Xauth occurs. The attributes are then combined with group attributes and applied during Mode Configuration. User-based attributes are available only if RADIUS is being used for user authentication.

To define user policy attributes for RADIUS, you must do the following task on your RADIUS server:

• Define a user or add attributes to the existing profile of a user in your RADIUS database. The password for the user will be used during Xauth user authentication, or you may proxy to a third-party server, such as a token card server.

Figure 3 shows how CiscoSecure ACS may be used for user authentication and for the assignment of a Framed-IP-Address attribute that may be pushed to the client. The presence of this attribute means that the local address pool defined for the group to which that user belongs will be overridden.

With regards
Kings

On Tue, Oct 12, 2010 at 3:52 PM, Kingsley Charles <[email protected]> wrote:
> Hi all
>
> Sec 4.8 has asked us to configure for RADIUS authorization of the group. It
> has been specifically mentioned that the IP address should be given from the
> Xauth user and not from the IPsec attributes.
>
> Either the other IPsec attributes like password and split-tunnel ACL can be
> configured in the ezvpn user account, or in an ACS group, making the ezvpn
> user account a member of it.
>
> I didn't use ACS groups initially and directly put the IPsec attributes on
> REMOTE, and cciesec has the IP address allocated.
>
> This didn't work; the authentication went as follows. The server was not
> able to allocate an IP address even though the framed address was present in
> the attributes sent by the ACS.
>
> 1. REMOTE was authenticated
> 2. Then cciesec was authenticated
> 3. Again REMOTE was authenticated
>
> So I created an ACS group and put the IPsec attributes in it. I just made the
> REMOTE user its member but not the cciesec user. The same issue, and the
> authentication order was again the same.
>
> 1. REMOTE was authenticated
> 2. Then cciesec was authenticated
> 3. Again REMOTE was authenticated
>
> Next I made both REMOTE and cciesec members of the group and it worked.
> The client got the framed IP address from cciesec. The authentication order
> was
>
> 1. REMOTE was authenticated
> 2. Then cciesec was authenticated
>
> Hence for both cases 1 and 2, the ezvpn group is being authenticated again
> a second time, which overwrites cciesec's attributes. For case 3, the REMOTE
> group was not authenticated again and hence cciesec's framed address was
> there in the cache and allocated.
>
> Any comments?
>
> With regards
> Kings
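As an added illustration (not from the thread above or from Cisco's documentation) of the split the quoted passage describes, here is an IOS Easy VPN server configuration that takes the group policy from a RADIUS network-authorization entry and the Xauth user from RADIUS login authentication, with the RADIUS entries written in FreeRADIUS "users" syntax as a stand-in for the ACS group and user. The server address, pool, ACL, key and password values are placeholders; the group entry is named after the Easy VPN group REMOTE and the user entry after cciesec, whose Framed-IP-Address overrides the group's address pool.

```text
! ---- IOS Easy VPN server: group policy and Xauth users both from RADIUS ----
aaa new-model
! Xauth (user) authentication via RADIUS: per-user attributes such as
! Framed-IP-Address are returned here and merged at Mode Configuration
aaa authentication login EZVPN-XAUTH group radius
! ISAKMP (group) authorization via RADIUS: pool, split-tunnel ACL and
! pre-shared key come from the RADIUS entry named after the group
aaa authorization network EZVPN-GROUP group radius
radius-server host 192.0.2.10 key RADIUS-SHARED-SECRET
!
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
ip access-list extended SPLIT-TUNNEL
 permit ip 10.0.0.0 0.255.255.255 any
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
crypto map EZVPN client authentication list EZVPN-XAUTH
crypto map EZVPN isakmp authorization list EZVPN-GROUP
crypto map EZVPN client configuration address respond
crypto map EZVPN 10 ipsec-isakmp dynamic EZVPN-DYN
interface GigabitEthernet0/0
 crypto map EZVPN

# ---- RADIUS side, FreeRADIUS "users" syntax standing in for the ACS entries ----
# Group profile: username = Easy VPN group name, password "cisco",
# Service-Type Outbound, policy carried as Cisco AV pairs
REMOTE   Cleartext-Password := "cisco"
         Service-Type = Outbound-User,
         Cisco-AVPair += "ipsec:key-exchange=preshared-key",
         Cisco-AVPair += "ipsec:tunnel-password=GROUP-PRESHARED-KEY",
         Cisco-AVPair += "ipsec:addr-pool=EZVPN-POOL",
         Cisco-AVPair += "ipsec:inacl=SPLIT-TUNNEL"

# Xauth user: Framed-IP-Address overrides the group's addr-pool for this user
cciesec  Cleartext-Password := "USER-PASSWORD"
         Framed-IP-Address = 10.10.10.100
```

With both entries in place, a client in group REMOTE that authenticates as cciesec receives 10.10.10.100 rather than an address from EZVPN-POOL, which is the override behaviour the quoted documentation describes.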
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
