Is this what you guys are looking for?
R4#show aaa attributes protocol radius
AAA ATTRIBUTE LIST:
Type=1 Name=disc-cause-ext Format=Enum
Protocol:RADIUS
Unknown Type=195 Name=Ascend-Disconnect-Cau Format=Enum
Cisco VSA Type=1 Name=Cisco AVpair Format=String
Type=2 Name=Acct-Status-Type Format=Enum
Protocol:RADIUS
Unknown Type=40 Name=Acct-Status-Type Format=Enum
Type=3 Name=Tunnel-Packets-Lost Format=Ulong
Protocol:RADIUS
Unknown Type=86 Name=Tunnel-Packets-Lost Format=Ulong
Type=4 Name=acl Format=String
Protocol:RADIUS
Unknown Type=11 Name=Filter-Id Format=Binary
Type=5 Name=auth-services Format=Enum
Protocol:RADIUS
Cisco VSA Type=1 Name=Cisco AVpair Format=String
Type=6 Name=azn-tag Format=String
Type=7 Name=addr Format=IPv4 Address
Protocol:RADIUS
Unknown Type=8 Name=Framed-IP-Address Format=IPv4 Address
Type=8 Name=addrv6 Format=String
Protocol:RADIUS
Cisco VSA Type=1 Name=Cisco AVpair Format=String
Type=9 Name=addr-pool Format=String
Protocol:RADIUS
Unknown Type=100 Name=Framed-IPv6-Pool Format=String
Unknown Type=218 Name=Ascend-IP-Pool Format=Ulong
Type=10 Name=asyncmap Format=Ulong
Protocol:RADIUS
Unknown Type=212 Name=Ascend-Asyncmap Format=Ulong
Type=11 Name=Authentic Format=Enum
Protocol:RADIUS
Unknown Type=45 Name=Acct-Authentic Format=Enum
Type=12 Name=autocmd Format=String
Type=13 Name=autocmd_ipprompt Format=String
Type=14 Name=callback-dialstring Format=String
Protocol:RADIUS
Unknown Type=19 Name=Callback-Number Format=String
Unknown Type=227 Name=Ascend-Dial-Number Format=String
Type=15 Name=callback-line Format=Ulong
Type=16 Name=nocallback-verify Format=Ulong
Type=17 Name=callback-rotary Format=Ulong
Type=18 Name=call-drops Format=Ulong
Type=19 Name=call_type Format=String
Protocol:RADIUS
Cisco VSA Type=19 Name=call_type Format=String
Type=20 Name=call-origin-endpt Format=String
Protocol:RADIUS
Cisco VSA Type=1 Name=Cisco AVpair Format=String
Type=21 Name=call-origin-endpt-type Format=Enum
Protocol:RADIUS
Cisco VSA Type=1 Name=Cisco AVpair Format=String
--More--
FNK
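As an added example (my code, not FNK's, Cisco's or any poster's): a parser for the `show aaa attributes protocol radius` table above. It is fed a constructed excerpt re-typed from that output, maps each IOS attribute to the RADIUS attributes that can carry it, and picks out the ones delivered through the Cisco AVpair VSA (vendor 9, sub-attribute 1), which is the [009\001] cisco-av-pair field Matt asks about. The interpretation of the "Unknown" prefix as a standard (non-VSA) RADIUS attribute number is my reading of the table, not something the page states.

```python
"""Parse 'show aaa attributes protocol radius' into a carrier map.

Constructed example, not Cisco code. Each IOS attribute (a 'Type=N Name=...'
line with no prefix) is followed, when RADIUS can carry it, by a
'Protocol:RADIUS' line and one or more carrier lines:
    Unknown Type=N ...    read here as a standard RADIUS attribute, number N
    Cisco VSA Type=N ...  Cisco vendor (9) sub-attribute N
Sub-attribute 1 is 'Cisco AVpair', i.e. what ACS calls [009\\001] cisco-av-pair.
"""
import re

# Constructed excerpt re-typed from the output above (field values unchanged).
SAMPLE = """\
AAA ATTRIBUTE LIST:
Type=4 Name=acl Format=String
Protocol:RADIUS
Unknown Type=11 Name=Filter-Id Format=Binary
Type=6 Name=azn-tag Format=String
Type=7 Name=addr Format=IPv4 Address
Protocol:RADIUS
Unknown Type=8 Name=Framed-IP-Address Format=IPv4 Address
Type=8 Name=addrv6 Format=String
Protocol:RADIUS
Cisco VSA Type=1 Name=Cisco AVpair Format=String
Type=9 Name=addr-pool Format=String
Protocol:RADIUS
Unknown Type=100 Name=Framed-IPv6-Pool Format=String
Unknown Type=218 Name=Ascend-IP-Pool Format=Ulong
Type=19 Name=call_type Format=String
Protocol:RADIUS
Cisco VSA Type=19 Name=call_type Format=String
 --More--
"""

_LINE = re.compile(
    r"^(?P<kind>Unknown|Cisco VSA)?\s*Type=(?P<type>\d+) Name=(?P<name>.+?) Format=(?P<fmt>.+)$"
)
CISCO_VSA_AVPAIR = 1      # vendor 9, sub-attribute 1 = cisco-av-pair


def parse_aaa_attributes(text: str) -> dict:
    """Return {ios_name: {"ios_type", "format", "carriers": [...]}}."""
    result, current = {}, None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue                      # header, Protocol:, pager line, blanks
        kind = m.group("kind")
        entry = {"type": int(m.group("type")), "name": m.group("name"),
                 "format": m.group("fmt")}
        if kind is None:                  # a new IOS attribute starts here
            current = {"ios_type": entry["type"], "format": entry["format"],
                       "carriers": []}
            result[entry["name"]] = current
        elif current is not None:         # carrier line for the current attribute
            entry["space"] = "standard" if kind == "Unknown" else "cisco-vsa"
            current["carriers"].append(entry)
    return result


def avpair_attributes(parsed: dict) -> list:
    """IOS attributes that arrive as cisco-av-pair text ([009\\001] in ACS)."""
    return sorted(
        name for name, info in parsed.items()
        if any(c["space"] == "cisco-vsa" and c["type"] == CISCO_VSA_AVPAIR
               for c in info["carriers"])
    )


def standard_carriers(parsed: dict, ios_name: str) -> list:
    """Standard RADIUS attribute numbers that can deliver one IOS attribute."""
    return [c["type"] for c in parsed[ios_name]["carriers"] if c["space"] == "standard"]


if __name__ == "__main__":
    parsed = parse_aaa_attributes(SAMPLE)
    print("via cisco-av-pair:", avpair_attributes(parsed))
    print("addr-pool via standard attrs:", standard_carriers(parsed, "addr-pool"))
```

Note that `call_type` is carried by Cisco VSA sub-attribute 19, not 1, so it is not an av-pair attribute; only entries whose carrier is "Cisco VSA Type=1" go into the cisco-av-pair box.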
On Wed, May 2, 2012 at 6:39 PM, Mike Rojas <[email protected]> wrote:
> Eugene and all of the ones that have doubts about it:
>
> This is the non-partner document (which is the same one I posted before to
> Matt)
>
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml
>
> If you follow the path on the left, you will get there from the Support
> page without having to be logged in. If you want to check whether a document is
> reachable, look it up on Google, or follow the same path on the left without
> being logged in and check if you can get there.
>
> Mike
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> Date: Wed, 2 May 2012 20:21:14 +0000
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions
>
>
> Interesting,
>
> It never occurred to me that I accessed that page as a partner, as my browser
> cached my Cisco CCO credentials.
>
> It raises a legitimate question: how can CCIE candidates get access to
> Cisco documentation without partner status?
>
>
>
> Eugene
>
>
>
> *From:* Matt Manire [mailto:[email protected]]
> *Sent:* 02 May 2012 12:55
> *To:* Eugene Pefti
> *Subject:* RE: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN
> Solutions
>
>
>
> Thanks Eugene but unfortunately I am not a partner so I can’t access the
> site.
>
>
>
> *Matt Manire*
> *CCSP, CCNP, CCDP, MCSE* *2003 & MCSE 2000*
> *Information Systems Security Manager*
> [email protected]
> *t*: 817.525.1863
> *f*: 817.525.1903
> *m*: 817.271.9165
>
> *First Rate* | 1903 Ascension Boulevard | Arlington, TX 76006|
> www.FirstRate.com <http://www.firstrate.com/>
>
>
>
>
>
> *From:* Eugene Pefti [mailto:[email protected]]
> *Sent:* Wednesday, May 02, 2012 2:53 PM
> *To:* Matt Manire; [email protected]
> *Subject:* RE: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN
> Solutions
>
>
>
> Take a look at this document, Matt.
>
>
> http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml
>
> I have never found any place in Cisco documentation where they would
> provide a full list of Cisco VSAs for IPsec.
>
>
>
> Eugene
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Matt Manire
> *Sent:* 02 May 2012 08:56
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions
>
>
>
> Guys,
>
>
>
> I am trying to work through the practice VPN lab “4.8 Easy VPN with
> External Group Authorization and XAUTH.” With regard to performing external
> authentication, where can I find a list/documentation of the RADIUS
> attributes to add to the [009\001] cisco-av-pair box under Group
> authentication?
>
>
>
> For example, as part of this solution I am supposed to input the
> following values in the [009\001] cisco-av-pair box under Group
> authentication:
>
>
>
> ipsec:tunnel-type=ESP
>
> ipsec:key-exchange=ike
>
> ipsec:inacl=170
>
> ipsec:save-password=1
>
> ipsec:addr-pool=EZPOOL2
>
>
>
>
>
> Where can a list of these attributes be found for reference?
>
>
>
> ipsec:tunnel-type=
>
> ipsec:key-exchange=
>
> ipsec:inacl=
>
> ipsec:save-password=
>
> ipsec:addr-pool=
>
>
>
>
>
> Thanks,
>
>
>
> *Matt Manire*
> *CCSP, CCNP, CCDP, MCSE* *2003 & MCSE 2000*
> *Information Systems Security Manager*
> [email protected]
> *t*: 817.525.1863
> *f*: 817.525.1903
> *m*: 817.271.9165
>
> *First Rate* | 1903 Ascension Boulevard | Arlington, TX 76006|
> www.FirstRate.com <http://www.firstrate.com/>
>
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Fawad Khan
> *Sent:* Wednesday, May 02, 2012 9:05 AM
> *To:* Kingsley Charles
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] AnyConnect per group ACLs
>
>
>
> No, still on AnyConnect vpn-filter.
>
>
>
> On Wednesday, May 2, 2012, Kingsley Charles wrote:
>
> Are you talking about GETVPN?
>
>
> With regards
> Kings
>
> On Wed, May 2, 2012 at 6:18 PM, Fawad Khan <[email protected]> wrote:
>
> There are two ways to handle the situation which you mentioned.
>
>
>
> 1. An outbound ACL on the inside/DMZ interface, so that inside hosts
> cannot initiate traffic through the unnecessary hole created by the ACL.
>
> 2. This one is not very restrictive but still better than nothing, i.e.
> instead of having the ACL like you mentioned
>
> permit tcp <vpn ip> host 10.20.30.40 eq 23
>
>
>
> use this ACL
>
> permit tcp <vpn ip> gt 1023 host 10.20.30.40 eq 23
>
>
>
>
>
> FNK
>
>
>
> On Wednesday, May 2, 2012, Kingsley Charles wrote:
>
> ASA vpn-filter is tricky, but one thing to remember is that it is directional.
>
> permit tcp any host 10.20.30.40 eq 23
>
> Now this ACL will permit an outside user to connect to
> 10.20.30.40:23 (inbound/post-decrypt) and at the same time allow
> 10.20.30.40:23 (outbound/pre-encrypt) to anyone outside.
>
>
> Have you tried the "match acl" in the GETVPN crypto map? It seems to bear
> a similar property.
>
>
> We can add an ACL with only "deny" entries that precedes the downloaded ACL
> from the KS, and that traffic is bypassed. This bypass is for outbound. What
> about inbound? The mirror traffic should also be bypassed, right? Does
> the same ACE do the job? It has not been the case for me.
>
>
>
> With regards
> Kings
>
> On Wed, May 2, 2012 at 1:54 PM, Fawad Khan <[email protected]> wrote:
>
> Not the outside network specifically; by remote I mean an IP address from the
> VPN pool (which from one perspective is outside the network, but from another
> perspective is "now" part of the network after connecting to the VPN).
>
>
>
> On Wednesday, May 2, 2012, Kingsley Charles wrote:
>
> Is 10.X.X.0/24 the outside network?
>
> The format for the vpn-filter is always
>
> access-list name permit <outside IP> <outside port> <inside IP> <inside
> port>, irrespective of the direction of the traffic
> (inbound/outbound).
>
> Is this what you said?
>
>
>
> With regards
> Kings
>
> On Wed, May 2, 2012 at 7:21 AM, Fawad Khan <[email protected]> wrote:
>
> Matt,
>
>
>
> As others have said, vpn-filter will do the job. However, as Eugene
> pointed out, the ACL is tricky: remember that SOURCE in the ACL is
> always REMOTE (no matter who is initiating the connection). Check this old
> email I wrote a couple of months back; it will give you a link as well.
>
>
>
> ===================================
>
>
>
>
>
>
>
> Antonio,
>
>
>
>
>
> I think you have guessed it right, i.e. vpn-filter under group-policy. I
> usually put something like the following in the vpn-filter ACL.
>
>
>
> access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 gt
> 1023 192.168.x.x 255.255.0.0 eq XYZ
>
>
>
> where 10.x.x.x is the SSL VPN subnet, 192.168.x.x is on the core
> network/DMZ/LAN and XYZ is any service.
>
>
>
> The key thing about the vpn-filter ACL is that remote addresses (i.e. the SSL VPN
> addresses in your case) always act as the source, even though there is
> a chance that an inside/core user would access a service on the remote
> address. For example, if you want to enable remote desktop functionality
> from your core to the SSL users, then the vpn-filter ACL would look like the
> following, in addition to the regular OUTBOUND ACL on the inside interface.
>
>
>
> access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 eq
>
>
>
> --
> FNK
>
> _______________________________________________ For more information
> regarding industry leading CCIE Lab training, please visit
> www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
>
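As an added example, not code from any poster in this thread or from Cisco: a small Python model of the vpn-filter rule the thread keeps coming back to (the VPN client's address is always the ACE source and the inside host the destination, whichever side opens the connection), run against the two ACEs Fawad compares. It shows why `permit tcp any host 10.20.30.40 eq 23` also lets the inside host open connections from its port 23 to any port on a VPN client, and how far `gt 1023` on the remote side narrows that. The pool 10.99.0.0/24, the client 10.99.0.5, the inside host 10.20.30.40 and the sample flows are assumed values; the ASA's own implementation is not being reproduced, only the evaluation rule as the posters describe it.

```python
"""Model of how an ASA evaluates a vpn-filter ACL for a new connection.

Constructed illustration, not Cisco code. The rule modelled is the one
from the thread: the filter is applied post-decrypt (traffic leaving the
tunnel) and pre-encrypt (traffic entering it), and each ACE is evaluated
with the VPN client's address as the SOURCE and the inside host as the
DESTINATION no matter which side sent the first packet. Parsed syntax:
    [access-list NAME] permit|deny tcp|udp|ip ADDR [eq|gt N] ADDR [eq|gt N]
    ADDR := any | host A.B.C.D | A.B.C.D M.M.M.M   (subnet mask, not wildcard)
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortSpec = Optional[Tuple[str, int]]       # ("eq"|"gt", port) or None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: PortSpec
    dst: ipaddress.IPv4Network
    dst_port: PortSpec


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{kw}/{tokens.pop(0)}", strict=False)


def _take_port(tokens: List[str]) -> PortSpec:
    if tokens and tokens[0] in ("eq", "gt"):
        return (tokens.pop(0), int(tokens.pop(0)))
    return None


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                       # drop "access-list NAME"
    action, proto = tokens.pop(0), tokens.pop(0)
    src, src_port = _take_addr(tokens), _take_port(tokens)
    dst, dst_port = _take_addr(tokens), _take_port(tokens)
    return Ace(action, proto, src, src_port, dst, dst_port)


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, value = spec
    return port == value if op == "eq" else port > value


def vpn_filter_allows(acl: List[Ace], vpn_pool: str, flow: tuple) -> bool:
    """First packet of a new connection: (proto, src_ip, sport, dst_ip, dport).

    Returns True if the vpn-filter lets the connection be set up. Return
    packets of an established connection are handled by the stateful
    inspection, so only the direction of the first packet matters here.
    """
    proto, src_ip, sport, dst_ip, dport = flow
    pool = ipaddress.IPv4Network(vpn_pool)
    src_ip, dst_ip = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    if src_ip in pool:                  # VPN client opened the connection
        remote, rport, local, lport = src_ip, sport, dst_ip, dport
    elif dst_ip in pool:                # inside host opened it: swap the ends
        remote, rport, local, lport = dst_ip, dport, src_ip, sport
    else:
        raise ValueError("flow does not involve the VPN pool")
    for ace in acl:                     # first match wins, implicit deny at end
        if ace.proto not in ("ip", proto):
            continue
        if (remote in ace.src and local in ace.dst
                and _port_ok(ace.src_port, rport) and _port_ok(ace.dst_port, lport)):
            return ace.action == "permit"
    return False


# Assumed values: AnyConnect pool, one client, one inside telnet host.
POOL = "10.99.0.0/24"
LOOSE = [parse_ace("access-list vpn-filter-group-1 permit tcp any host 10.20.30.40 eq 23")]
TIGHTER = [parse_ace("access-list vpn-filter-group-1 permit tcp 10.99.0.0 255.255.255.0 gt 1023 host 10.20.30.40 eq 23")]

FLOWS = {
    "client -> 10.20.30.40:23 (intended)":      ("tcp", "10.99.0.5", 50000, "10.20.30.40", 23),
    "client -> 10.20.30.40:22":                 ("tcp", "10.99.0.5", 50000, "10.20.30.40", 22),
    "inside host from port 23 -> client:80":    ("tcp", "10.20.30.40", 23, "10.99.0.5", 80),
    "inside host from port 23 -> client:50000": ("tcp", "10.20.30.40", 23, "10.99.0.5", 50000),
}


def evaluate(acl: List[Ace]) -> dict:
    """Map each sample flow to the filter's verdict for the given ACL."""
    return {name: vpn_filter_allows(acl, POOL, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("loose", LOOSE), ("gt 1023", TIGHTER)):
        print(f"--- {label}")
        for name, ok in evaluate(acl).items():
            print(f"{'permit' if ok else 'deny  '}  {name}")
```

With the loose ACE the inside host can open a connection from its own port 23 to any port on a client; with `gt 1023` on the remote side it can still do so to client ports above 1023, which is why Fawad calls that variant "not very restrictive" and pairs it with an outbound ACL on the inside interface.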