Hello all,
I have my ASA set up as an EZVPN server, with an externally configured
group-policy on the RADIUS server, like so:
  group-policy EZVPN external server-group RADIUS password cisco
My group setup has the following:
  Group renamed to "EZVPN"
  Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes:
    [3076\011] Tunneling-Protocol = WebVPN & IPSec
    [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL  <- SPLIT-TUNNEL ACL configured on the ASA
    [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
    [3076\217] Address-Pools = EZVPN  <- EZVPN address pool configured on the ASA
I have a user set up (for pulling down RADIUS attributes) as follows:
  User Name: EZVPN (same name as the Group)
  Password: cisco
And finally my XAUTH user setup:
  User Name: ezvpnuser
  Password: cisco
  Setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes:
    [009\001] cisco-av-pair = *ipsec:user-vpn-group=EZVPN*
  Setup config for test 2 - under IETF RADIUS Attributes:
    [025] Class = *OU=EZVPN;*
My question is related to the setup config I mentioned in the last section
for test 1 and test 2. When I use either config for the XAUTH user I am
still able to successfully establish a VPN connection to the ASA EZVPN
server. The user is assigned the attributes as defined in the group setup
and encrypts traffic only to the split-tunnel networks.
Why and when would I have to use the "[025] Class" config under the IETF
RADIUS Attributes for the user?
Mark
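An added example, not from the post or from Cisco: a small Python encoder/decoder for the RADIUS attributes in play, so the Access-Accept a RADIUS server sends can be inspected byte for byte instead of inferred from whether the tunnel came up. It assumes vendor IDs 9 (Cisco) and 3076 (ASA/VPN 3000) and the integer values WebVPN=16, IPSec=4 and Split-Tunneling-Policy=1 for "only tunnel networks in the list"; check those against the server's dictionary before relying on them.

```python
import struct

VENDOR_CISCO = 9       # cisco-av-pair is vendor 9, vendor-type 1 ([009\001] in the post)
VENDOR_ASA = 3076      # "Cisco VPN 3000/ASA/PIX v7.x+" attributes ([3076\NNN] in the post)
ATTR_CLASS, ATTR_VSA = 25, 26

def _raw(value):
    """Strings go out as-is; ints as a 4-byte big-endian integer (RADIUS convention)."""
    return value.encode() if isinstance(value, str) else struct.pack("!I", value)

def ietf_attr(attr_type, value):
    data = _raw(value)
    return bytes([attr_type, 2 + len(data)]) + data

def vsa(vendor, vendor_type, value):
    """Vendor-Specific (26): vendor-id(4) + vendor-type(1) + vendor-length(1) + data."""
    data = _raw(value)
    inner = struct.pack("!I", vendor) + bytes([vendor_type, 2 + len(data)]) + data
    return bytes([ATTR_VSA, 2 + len(inner)]) + inner

def decode_attrs(blob):
    """Walk an attribute run; return {(vendor, type): raw bytes} with VSAs unwrapped."""
    out, i = {}, 0
    while i < len(blob):
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        data = blob[i + 2:i + ln]
        if t == ATTR_VSA:
            vendor = struct.unpack("!I", data[:4])[0]
            vt, vl = data[4], data[5]
            if vl != len(data) - 4:
                raise ValueError("VSA sub-length mismatch at offset %d" % i)
            out[(vendor, vt)] = data[6:]
        else:
            out[(None, t)] = data
        i += ln
    return out

def build_ezvpn_accept():
    """Constructed Access-Accept attribute set mirroring the post's group plus both user tests."""
    return b"".join([
        vsa(VENDOR_ASA, 11, 16 | 4),              # Tunneling-Protocols: WebVPN(16) | IPSec(4), assumed values
        vsa(VENDOR_ASA, 72, "SPLIT-TUNNEL"),       # IPSec-Split-Tunnel-List (ACL name on the ASA)
        vsa(VENDOR_ASA, 55, 1),                    # Split-Tunneling-Policy: 1 = only listed networks, assumed
        vsa(VENDOR_ASA, 217, "EZVPN"),             # Address-Pools (pool name on the ASA)
        vsa(VENDOR_CISCO, 1, "ipsec:user-vpn-group=EZVPN"),   # test 1
        ietf_attr(ATTR_CLASS, "OU=EZVPN;"),                   # test 2
    ])

def group_names(attrs):
    """Group-policy name as carried by each of the two user-side mechanisms in the post."""
    names = {}
    av = attrs.get((VENDOR_CISCO, 1), b"").decode()
    if av.startswith("ipsec:user-vpn-group="):
        names["av-pair"] = av.split("=", 1)[1]
    for part in attrs.get((None, ATTR_CLASS), b"").decode().split(";"):
        if part.startswith("OU="):
            names["class"] = part[3:]
    return names
```

Running decode_attrs over the attribute payload of a captured Access-Accept shows whether the group name arrives via the av-pair, via Class, or via neither, which is a more reliable check than observing that the tunnel established.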
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com