As long as you meet the requirements. That is what matters.

Regards,

Tyson Scott CCIE # 13513 (R&S, Security, SP)
Managing Partner/Technical Instructor - IPexpert Inc.
[email protected]

----- Reply message -----
From: "Kingsley Charles" <[email protected]>
Date: Sun, Apr 10, 2011 1:43 am
Subject: [OSL | CCIE_Security] Vol 2 Lab 18 task 4.2 EZVPN
To: "Andrey" <[email protected]>
Cc: "[email protected]" <[email protected]>

If you use group-lock, RADIUS is not mandatory. Snippet from
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1517104

Group-Lock

If you are using preshared keys (no certificates or other RSA signature authentication mechanisms) with RADIUS or local AAA, you can continue to use the Group-Lock attribute. If you are using preshared keys (no certificates or other RSA signature authentication mechanisms) with RADIUS only, you can either continue to use the Group-Lock attribute or you can use the new User-VPN-Group attribute.

User-VPN-Group

The User-VPN-Group attribute is a replacement for the Group-Lock attribute (http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1517104). It allows support for both preshared key and RSA signature authentication mechanisms such as certificates. If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated. This feature works only with AAA RADIUS. Local Xauth authentication must still use the Group-Lock attribute.

The following is an output example of a RADIUS AV pair for the User-VPN-Group attribute:

With regards
Kings

On Sat, Apr 9, 2011 at 10:28 PM, Andrey <[email protected]> wrote:
> Configure the group with the following parameters:
> .......
> Group name: EZGROUP
> Group password: ezpass
> User: EZUSER - this user should be able to log in to the EZGROUP group only
> Password: ipexpert
> Use VTI as part of your solution
> .......
>
> Hi,
> today I did this lab and, after reading the task, started making it using
> local AAA, but when I got to creating the username I realized that my
> solution does not comply with the task, because with group-lock the
> username format is username@group, etc.
> Then I decided that it is necessary to configure RADIUS and the AV pair
> user-vpn-group=EZGROUP. So I did.
> But later I looked at the solution by Tyson Scott in the walk-through
> videos for Vol 2, in which he uses a variant with local AAA and
> EZUSER@EZGROUP.
> Hence my question is which solution you think is correct, or more correct.
> It would be nice if Tyson commented too.
>
> Best regards,
> Andrey
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
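The quoted Cisco text describes two ways the Easy VPN server ties an Xauth user to an IKE group: Group-Lock (the group rides in the Xauth username as user@group, preshared keys only, local or RADIUS AAA) and the RADIUS-only User-VPN-Group attribute (matched against ID_KEY_ID for preshared keys or the certificate OU for RSA signatures). The Python below is an added model of that enforcement decision using the lab's EZGROUP/EZUSER values; it is not Cisco IOS code and not from the thread, and the class and function names, the "psk"/"rsa-sig" labels and the attribute dictionary layout are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the Easy VPN server's group check; names, the
# "psk"/"rsa-sig" labels and the attrs dict layout are assumptions.

@dataclass
class IkeIdentity:
    """Group the client presented in IKE phase 1."""
    auth_method: str                  # "psk" or "rsa-sig"
    id_key_id: Optional[str] = None   # group name (ID_KEY_ID) for preshared keys
    cert_ou: Optional[str] = None     # OU field of the client certificate

    def vpn_group(self) -> Optional[str]:
        return self.id_key_id if self.auth_method == "psk" else self.cert_ou

def group_from_group_lock(xauth_username: str) -> Optional[str]:
    """Group-Lock: the Xauth username carries the group as user@group."""
    if "@" not in xauth_username:
        return None
    return xauth_username.rsplit("@", 1)[1]

def authorize(identity: IkeIdentity, xauth_username: str,
              aaa_attrs: dict, backend: str) -> bool:
    """True if the user may join the IKE group, False if the connection
    must be terminated. backend is "local" or "radius"."""
    expected = identity.vpn_group()
    if expected is None:
        return False
    if backend == "radius" and "user-vpn-group" in aaa_attrs:
        # User-VPN-Group: RADIUS only, works for preshared keys and RSA-sig.
        claimed = aaa_attrs["user-vpn-group"]
    else:
        # Group-Lock: what local Xauth must use; preshared keys only.
        if identity.auth_method != "psk":
            return False
        claimed = group_from_group_lock(xauth_username)
    return claimed == expected

# Constructed lab values from the thread: group EZGROUP, user EZUSER.
def lab_checks() -> dict:
    psk = IkeIdentity("psk", id_key_id="EZGROUP")
    cert = IkeIdentity("rsa-sig", cert_ou="EZGROUP")
    return {
        "local_group_lock": authorize(psk, "EZUSER@EZGROUP", {}, "local"),
        "local_plain_user": authorize(psk, "EZUSER", {}, "local"),
        "radius_user_vpn_group": authorize(cert, "EZUSER", {"user-vpn-group": "EZGROUP"}, "radius"),
        "radius_wrong_group": authorize(psk, "EZUSER", {"user-vpn-group": "OTHER"}, "radius"),
    }
```

Both lab variants from the thread pass the check: local AAA with EZUSER@EZGROUP via Group-Lock, and RADIUS with user-vpn-group=EZGROUP; a plain EZUSER under local AAA is rejected because no group can be derived.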
