Well, that's just the point: I consider that we do not meet the requirements only because the task says "user EZUSER", and with group-lock we must configure EZUSER@EZGROUP, i.e. in the config at check time it will not be:

username EZUSER password ipexpert

but:

username EZUSER@EZGROUP password ipexpert

Does that meet the requirements? I simply wish to understand better what liberties we may presume on the real lab.

Best regards,
Andrey

On Sun, Apr 10, 2011 at 8:26 PM, Tyson Scott <[email protected]> wrote:
> As long as you meet the requirements. That is what matters.
>
> Regards,
>
> Tyson Scott
> CCIE # 13513 (R&S, Security, SP)
> Managing Partner/Technical Instructor - IPexpert Inc.
> [email protected]
>
> ----- Reply message -----
> From: "Kingsley Charles" <[email protected]>
> Date: Sun, Apr 10, 2011 1:43 am
> Subject: [OSL | CCIE_Security] Vol 2 Lab 18 task 4.2 EZVPN
> To: "Andrey" <[email protected]>
> Cc: "[email protected]" <[email protected]>
>
> If you use group-lock, RADIUS is not mandatory.
>
> Snippet from
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1517104
>
> Group-Lock
>
> If you are using preshared keys (no certificates or other RSA signature authentication mechanisms) with RADIUS or local AAA, you can continue to use the Group-Lock attribute. If you are using preshared keys (no certificates or other RSA signature authentication mechanisms) with RADIUS only, you can either continue to use the Group-Lock attribute or you can use the new User-VPN-Group (#wp1517094) attribute.
>
> User-VPN-Group
>
> The User-VPN-Group attribute is a replacement for the Group-Lock attribute (http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1517104). It allows support for both preshared key and RSA signature authentication mechanisms such as certificates.
>
> If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated.
>
> This feature works only with AAA RADIUS. Local Xauth authentication must still use the Group-Lock attribute.
>
> The following is an output example of a RADIUS AV pair for the User-VPN-Group attribute:
>
> With regards
> Kings
>
> On Sat, Apr 9, 2011 at 10:28 PM, Andrey <[email protected]> wrote:
> > Configure the group with the following parameters:
> > .......
> > Group name: EZGROUP
> > Group password: ezpass
> > User: EZUSER - this user should be able to log in to the EZGROUP group only
> > Password: ipexpert
> > Use VTI as part of your solution
> > .......
> >
> > Hi,
> > today I did this lab and, after reading the task, started making it using local AAA,
> > but when I got to creating the username, I realized that my solution does not comply with the task, because with group-lock the format of the username is username@group, etc.
> > Then I decided that it is necessary to configure RADIUS and the AV pair user-vpn-group=EZGROUP. So I did.
> > But later I looked at the solution by Tyson Scott in the walk-through videos vol 2, in which he uses a variant with local AAA and EZUSER@EZGROUP.
> > Hence my question is which solution you think is correct, or more correct.
> > It would be nice if Tyson commented too.
> >
> > Best regards,
> > Andrey
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
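To make the two configurations the thread compares concrete, here is an added IOS EzVPN server example; it is not from the thread, the IPexpert workbook or Tyson's video. Only EZGROUP, ezpass, EZUSER and ipexpert come from the task; the list, profile and pool names, the addresses and the RADIUS server are assumptions.

```cisco
! Added illustration, not from the thread or IPexpert's workbook. Names EZ-XAUTH,
! EZ-GROUP, EZ-PROF, EZ-TS, EZ-IPSEC, EZ-POOL, the addresses and the RADIUS
! server are constructed placeholders.
aaa new-model
!
! --- Variant A: local AAA with group-lock ---------------------------------
! group-lock makes the Xauth username carry the group as user@group, so the
! local entry must be EZUSER@EZGROUP rather than a bare EZUSER.
aaa authentication login EZ-XAUTH local
aaa authorization network EZ-GROUP local
username EZUSER@EZGROUP password 0 ipexpert
!
! --- Variant B: RADIUS with the User-VPN-Group attribute ------------------
! Keeps the bare username EZUSER; the server returns the user's group and IOS
! drops the client if it differs from the group it connected to. Replace the
! three Variant A lines with:
!   aaa authentication login EZ-XAUTH group radius
!   aaa authorization network EZ-GROUP group radius
!   radius-server host 192.0.2.10 key RADIUS-KEY-PLACEHOLDER
! define EZUSER on the RADIUS server with
!   Cisco-AVPair = "ipsec:user-vpn-group=EZGROUP"
! and omit the group-lock line below.
!
! --- Common EzVPN server pieces --------------------------------------------
ip local pool EZ-POOL 10.10.10.1 10.10.10.50
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration group EZGROUP
 key ezpass
 pool EZ-POOL
 group-lock
crypto isakmp profile EZ-PROF
 match identity group EZGROUP
 client authentication list EZ-XAUTH
 isakmp authorization list EZ-GROUP
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set EZ-TS esp-aes esp-sha-hmac
crypto ipsec profile EZ-IPSEC
 set transform-set EZ-TS
 set isakmp-profile EZ-PROF
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZ-IPSEC
```

Variant A is the one that puts EZUSER@EZGROUP in the running config; Variant B is the one that keeps the literal username EZUSER but only works with RADIUS, as the quoted Cisco text states.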
