In the lab I would ask the proctor, but with study I wanted to show multiple possibilities in answering the question.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: Andrey [mailto:[email protected]]
Sent: Sunday, April 10, 2011 12:29 PM
To: Tyson Scott
Cc: Kingsley Charles; [email protected]
Subject: Re: [OSL | CCIE_Security] Vol 2 Lab 18 task 4.2 EZVPN

Well, that's just the point: I consider that we do not meet the requirements only because the task says "user EZUSER", and with group-lock we must configure EZUSER@EZGROUP, i.e. in the config at check time there will not be:

username EZUSER password ipexpert

but:

username EZUSER@EZGROUP password ipexpert

Does that meet the requirements? I simply wish to understand better what liberties we may assume in the real lab.

Best regards,
Andrey

On Sun, Apr 10, 2011 at 8:26 PM, Tyson Scott <[email protected]> wrote:

As long as you meet the requirements. That is what matters.

Regards,
Tyson Scott
CCIE # 13513 (R&S, Security, SP)
Managing Partner/Technical Instructor - IPexpert Inc.
[email protected]

----- Reply message -----
From: "Kingsley Charles" <[email protected]>
Date: Sun, Apr 10, 2011 1:43 am
Subject: [OSL | CCIE_Security] Vol 2 Lab 18 task 4.2 EZVPN
To: "Andrey" <[email protected]>
Cc: "[email protected]" <[email protected]>

If you use group-lock, RADIUS is not mandatory.

Snippet from http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1517104

Group-Lock

If you are using preshared keys (no certificates or other RSA signature authentication mechanisms) with RADIUS or local AAA, you can continue to use the Group-Lock attribute. If you are using preshared keys (no certificates or other RSA signature authentication mechanisms) with RADIUS only, you can either continue to use the Group-Lock attribute or you can use the new User-VPN-Group attribute.

User-VPN-Group

The User-VPN-Group attribute is a replacement for the Group-Lock attribute. It allows support for both preshared key and RSA signature authentication mechanisms such as certificates. If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated. This feature works only with AAA RADIUS. Local Xauth authentication must still use the Group-Lock attribute.

The following is an output example of a RADIUS AV pair for the User-VPN-Group attribute:

With regards,
Kings

On Sat, Apr 9, 2011 at 10:28 PM, Andrey <[email protected]> wrote:
> Configure the group with the following parameters:
> .......
> Group name: EZGROUP
> Group password: ezpass
> User: EZUSER - this user should be able to log in to the EZGROUP group only
> Password: ipexpert
> Use VTI as part of your solution
> .......
>
> Hi,
> today I did this lab and, after reading the task, started making it using local AAA,
> but when I got to creating the username, I realized that my solution does not
> comply with the task, because with group-lock the format of the username is
> username@group, etc.
> Then I decided that it is necessary to configure RADIUS and the AV pair
> user-vpn-group=EZGROUP. So I did.
> But later I looked at the solution by Tyson Scott in the walkthrough videos Vol 2, in
> which he uses a variant with local AAA and EZUSER@EZGROUP.
> Hence my question is which solution you think is correct or more correct.
> It would be nice if Tyson commented too.
>
> Best regards,
> Andrey
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
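As an added example (not part of the thread, and not IPexpert's or Cisco's own solution), this is the local-AAA group-lock variant Kingsley and Tyson describe, on an IOS Easy VPN server with a VTI. Only EZGROUP, ezpass, EZUSER and ipexpert come from the task; the list names EZ_XAUTH and EZ_GROUP, the profile names EZ_PROF, EZ_TS and EZ_IPSEC, the pool EZPOOL and its range, and Loopback0 are assumptions.

```cisco
! Added example: IOS Easy VPN server, local AAA with group-lock.
! Names other than EZGROUP, ezpass, EZUSER and ipexpert are assumptions.
aaa new-model
aaa authentication login EZ_XAUTH local
aaa authorization network EZ_GROUP local
!
! group-lock compares the "@group" suffix of the Xauth username with the
! ISAKMP group the client authenticated to, so the local user must carry
! the suffix; a plain "username EZUSER" would not pass the check.
username EZUSER@EZGROUP password ipexpert
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZGROUP
 key ezpass
 pool EZPOOL
 group-lock
!
crypto isakmp profile EZ_PROF
 match identity group EZGROUP
 client authentication list EZ_XAUTH
 isakmp authorization list EZ_GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZ_TS esp-aes esp-sha-hmac
crypto ipsec profile EZ_IPSEC
 set transform-set EZ_TS
 set isakmp-profile EZ_PROF
!
! VTI: one Virtual-Access interface is cloned per client from this template.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZ_IPSEC
!
ip local pool EZPOOL 10.1.1.1 10.1.1.10
```

A client that knows ezpass but presents an Xauth name whose @group part is not EZGROUP is rejected, which is the property the task asks for; the RADIUS user-vpn-group AV pair achieves the same binding without the suffix in the username.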