Kingsley, thank you, but if it is not difficult, read once again my 1st message

Best regards,
Andrey

On Sun, Apr 10, 2011 at 11:13 AM, Kingsley Charles <[email protected]> wrote:

> If you use group-lock, radius is not mandatory.
>
> Snippet from
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1517104
>
> Group-Lock
>
> If you are using preshared keys (no certificates or other RSA signature
> authentication mechanisms) with RADIUS or local AAA, you can continue to use
> the Group-Lock attribute. If you are using preshared keys (no certificates
> or other RSA signature authentication mechanisms) with RADIUS only, you can
> either continue to use the Group-Lock attribute or you can use the new
> User-VPN-Group attribute.
>
> User-VPN-Group
>
> The User-VPN-Group attribute is a replacement for the Group-Lock attribute.
> It allows support for both preshared key and RSA signature
> authentication mechanisms such as certificates.
>
> If you need to check that the group a user is attempting to connect to is
> indeed the group the user belongs to, use the User-VPN-Group attribute. The
> administrator sets this attribute to a string, which is the group that the
> user belongs to. The group the user belongs to is matched against the VPN
> group as defined by group name (ID_KEY_ID) for preshared keys or by the OU
> field of a certificate. If the groups do not match, the client connection is
> terminated.
>
> This feature works only with AAA RADIUS. Local Xauth authentication must
> still use the Group-Lock attribute.
>
> The following is an output example of a RADIUS AV pair for the
> User-VPN-Group attribute:
>
> With regards
> Kings
>
> On Sat, Apr 9, 2011 at 10:28 PM, Andrey <[email protected]> wrote:
>
>> Configure the group with the following parameters:
>> .......
>> Group name: EZGROUP
>> Group password: ezpass
>> User: EZUSER - this user should be able to log in to the EZGROUP group
>> only
>> Password: ipexpert
>> Use VTI as part of your solution
>> .......
>>
>> Hi,
>> today I did this lab and after reading the task, started making it using
>> local aaa,
>> but when I got to create username, realized that my solution does not
>> comply with the task, because using group-lock format of username is
>> username@group, etc.
>> Then I decided that it is necessary to configure radius and the av pair
>> user-vpn-group=EZGROUP. So I did.
>> But later looked at the solution by Tyson Scott on walk through videos vol2
>> in which he uses a variant with local aaa and EZUSER@EZGROUP
>> Hence my question is what solution you think is correct or more correct.
>> It would be nice if Tyson commented too.
>>
>> Best regards,
>> Andrey
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
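
The two variants discussed in this thread, side by side, as an added example that is not part of the original messages or of the lab's published solution. The AAA list names, the ISAKMP profile name and the virtual-template number are assumptions; the group, key, user and password are the ones from the task.

```cisco
! Added example. Assumes the address pool, IPsec profile,
! interface Virtual-Template1 and (for variant B) the RADIUS
! server definition are already configured.
!
! === Variant A: local AAA + Group-Lock (preshared key) ===
aaa new-model
aaa authentication login EZ-XAUTH local
aaa authorization network EZ-GROUP local
!
! With Group-Lock the Xauth username carries the group as
! username@group, so the local account is EZUSER@EZGROUP
! rather than plain EZUSER.
username EZUSER@EZGROUP password ipexpert
!
crypto isakmp client configuration group EZGROUP
 key ezpass
 group-lock
!
crypto isakmp profile EZ-PROF
 match identity group EZGROUP
 client authentication list EZ-XAUTH
 isakmp authorization list EZ-GROUP
 client configuration address respond
 virtual-template 1
!
! === Variant B: RADIUS Xauth + User-VPN-Group ===
! The account name stays EZUSER. The binding to the group is
! an AV pair in that user's RADIUS profile:
!   cisco-avpair = "ipsec:user-vpn-group=EZGROUP"
! If the IKE group (ID_KEY_ID) differs from that string, the
! client connection is terminated.
! Only the Xauth list changes; group authorization stays local
! and the ISAKMP profile is the same as in variant A.
aaa authentication login EZ-XAUTH group radius
!
crypto isakmp client configuration group EZGROUP
 key ezpass
```

Variant A keeps everything on the router but changes the name the user types; variant B keeps the user name exactly as the task states it and moves the group check to the RADIUS server.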
