Hello,
I want to create a remote-access VPN on an IOS router (Version 15.2(4)M2), and I want to use a downloadable ACL from RADIUS. The username of the client is testremote. To do that, I have done the following config on the router:
/******************************************************************************************************
aaa authentication login RADIUS-VPN group radius
aaa authentication enable default group ACS enable
aaa authorization network default group radius
aaa authorization network RADIUS-VPN group radius
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
interface Virtual-Template3 type tunnel
 description Remote-access
 ip unnumbered GigabitEthernet0/0
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Remote_VPN_IPSEC_3DES_SHA-HMAC
crypto isakmp profile VPN-remote
 match identity group gr-remote
 client authentication list RADIUS-VPN
 isakmp authorization list RADIUS-VPN
 client configuration address respond
 virtual-template 3
******************************************************************************************************/
1/ I created a group gr-remote in RADIUS and a username gr-remote with cisco as the password.
2/ I created a dynamic access list in ACS: acl_remote_vpn, and I associated it with the group gr-remote in ACS.
3/ From the user's ACS configuration, I configured in [009\001] cisco-av-pair: ip:aclin#1=permit ip any host x.x.x.x
And it works well. The problem is that I don't want to put the config (ip:inacl) manually for each user!!
So, I want to use a downloadable ACL: acl_remote_vpn.
In RADIUS, I created a downloadable ACL: acl_remote_vpn
In the group gr-remote menu, I put in "Filter-Id filter": acl_remote_vpn
And I selected "downloadable acl" from the group menu,
but it doesn't work and I have this log:
Feb 14 21:19:56.524: AAA/ATTR: invalid attribute prefix: "ACS"
You will find the output of the debug below:

VPN-2#show debugging
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
Feb 14 21:19:54.440: AAA/BIND(000003B2): Bind i/f
Feb 14 21:19:54.468: AAA/AUTHOR (0x3B2): Pick method list 'RADIUS-VPN'
Feb 14 21:19:54.468: RADIUS/ENCODE(000003B2):Orig. component type = VPN IPSEC
Feb 14 21:19:54.468: RADIUS(000003B2): Config NAS IP: z.z.z.z
Feb 14 21:19:54.468: RADIUS(000003B2): Config NAS IPv6: ::
Feb 14 21:19:54.468: RADIUS/ENCODE(000003B2): acct_session_id: 935
Feb 14 21:19:54.468: RADIUS(000003B2): sending
Feb 14 21:19:54.468: RADIUS(000003B2): Sending a IPv4 Radius Packet
Feb 14 21:19:54.468: RADIUS(000003B2): Send Access-Request to y.y.y.y:1645 id 1645/57,len 106
Feb 14 21:19:54.468: RADIUS:  authenticator 1A A9 77 3E 30 5A 22 2D - 61 5B B8 C0 97 A7 AF 53
Feb 14 21:19:54.468: RADIUS:  User-Name           [1]   12  "gr-remote"
Feb 14 21:19:54.468: RADIUS:  User-Password       [2]   18  *
Feb 14 21:19:54.468: RADIUS:  Calling-Station-Id  [31]  16  "x.x.x.x"
Feb 14 21:19:54.468: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Feb 14 21:19:54.468: RADIUS:  NAS-Port            [5]   6   2
Feb 14 21:19:54.468: RADIUS:  NAS-Port-Id         [87]  16  "x.x.x.x"
Feb 14 21:19:54.468: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
Feb 14 21:19:54.468: RADIUS:  NAS-IP-Address      [4]   6   z.z.z.z
Feb 14 21:19:54.468: RADIUS(000003B2): Started 5 sec timeout
Feb 14 21:19:54.476: RADIUS: Received from id 1645/57 y.y.y.y:1645, Access-Accept, len 282
Feb 14 21:19:54.476: RADIUS:  authenticator FA 7B 0A D1 A8 5E 52 2B - 74 9A FB 22 B1 30 CB 9F
Feb 14 21:19:54.476: RADIUS:  Vendor, Cisco       [26]  28
Feb 14 21:19:54.476: RADIUS:   Cisco AVpair       [1]   22  "ipsec:addr-pool=TEST"
Feb 14 21:19:54.476: RADIUS:  Vendor, Cisco       [26]  45
Feb 14 21:19:54.476: RADIUS:   Cisco AVpair       [1]   39  "ipsec:inacl=gr-remote_splitTunnelAcl"
Feb 14 21:19:54.476: RADIUS:  Vendor, Cisco       [26]  30
Feb 14 21:19:54.476: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
Feb 14 21:19:54.476: RADIUS:  Vendor, Cisco       [26]  29
Feb 14 21:19:54.476: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type=esp"
Feb 14 21:19:54.476: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
Feb 14 21:19:54.476: RADIUS:  Tunnel-Type         [64]  6   01:ESP                    [9]
Feb 14 21:19:54.476: RADIUS:  Tunnel-Password     [69]  21  01:*
Feb 14 21:19:54.476: RADIUS:  Vendor, Cisco       [26]  71
Feb 14 21:19:54.476: RADIUS:   Cisco AVpair       [1]   65  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-acl_remote_vpn-511d5324"
Feb 14 21:19:54.476: RADIUS:  Class               [25]  26
Feb 14 21:19:54.476: RADIUS:   43 41 43 53 3A 30 2F 31 36 31 32 36 62 2F 63 30  [CACS:0/16126b/c0]
Feb 14 21:19:54.476: RADIUS:   61 38 35 31 30 39 2F 32                           [ a85109/2]
Feb 14 21:19:54.476: RADIUS(000003B2): Received from id 1645/57
Feb 14 21:19:54.476: AAA/ATTR: invalid attribute prefix: "ACS"
Feb 14 21:19:54.484: AAA/BIND(000003B3): Bind i/f
Feb 14 21:19:56.516: AAA/AUTHEN/LOGIN (000003B3): Pick method list 'RADIUS-VPN'
Feb 14 21:19:56.516: RADIUS/ENCODE(000003B3):Orig. component type = VPN IPSEC
Feb 14 21:19:56.516: RADIUS(000003B3): Config NAS IP: z.z.z.z
Feb 14 21:19:56.516: RADIUS(000003B3): Config NAS IPv6: ::
Feb 14 21:19:56.516: RADIUS/ENCODE(000003B3): acct_session_id: 936
Feb 14 21:19:56.516: RADIUS(000003B3): sending
Feb 14 21:19:56.516: RADIUS(000003B3): Sending a IPv4 Radius Packet
Feb 14 21:19:56.516: RADIUS(000003B3): Send Access-Request to y.y.y.y:1645 id 1645/58,len 106
Feb 14 21:19:56.516: RADIUS:  authenticator 06 4F B2 21 38 D2 1D 69 - BC 35 7E E1 36 B0 03 FA
Feb 14 21:19:56.516: RADIUS:  User-Name           [1]   12  "testremote"
Feb 14 21:19:56.516: RADIUS:  User-Password       [2]   18  *
Feb 14 21:19:56.516: RADIUS:  Calling-Station-Id  [31]  16  "x.x.x.x"
Feb 14 21:19:56.516: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Feb 14 21:19:56.516: RADIUS:  NAS-Port            [5]   6   2
Feb 14 21:19:56.516: RADIUS:  NAS-Port-Id         [87]  16  "x.x.x.x"
Feb 14 21:19:56.516: RADIUS:  Service-Type        [6]   6   Login                     [1]
Feb 14 21:19:56.516: RADIUS:  NAS-IP-Address      [4]   6   z.z.z.z
Feb 14 21:19:56.516: RADIUS(000003B3): Started 5 sec timeout
Feb 14 21:19:56.524: RADIUS: Received from id 1645/58 y.y.y.y:1645, Access-Accept, len 321
Feb 14 21:19:56.524: RADIUS:  authenticator 77 2F F9 A5 91 80 50 26 - 1D FB 35 E0 A3 D2 05 D4
Feb 14 21:19:56.524: RADIUS:  Vendor, Cisco       [26]  28
Feb 14 21:19:56.524: RADIUS:   Cisco AVpair       [1]   22  "ipsec:addr-pool=TEST"
Feb 14 21:19:56.524: RADIUS:  Vendor, Cisco       [26]  45
Feb 14 21:19:56.524: RADIUS:   Cisco AVpair       [1]   39  "ipsec:inacl=gr-remote_splitTunnelAcl"
Feb 14 21:19:56.524: RADIUS:  Vendor, Cisco       [26]  30
Feb 14 21:19:56.524: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
Feb 14 21:19:56.524: RADIUS:  Vendor, Cisco       [26]  29
Feb 14 21:19:56.524: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type=esp"
Feb 14 21:19:56.524: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
Feb 14 21:19:56.524: RADIUS:  Tunnel-Type         [64]  6   01:ESP                    [9]
Feb 14 21:19:56.524: RADIUS:  Tunnel-Password     [69]  21  01:*
Feb 14 21:19:56.524: RADIUS:  Vendor, Cisco       [26]  71
Feb 14 21:19:56.524: RADIUS:   Cisco AVpair       [1]   65  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Acl_Remote_VPN-511d5324"
Feb 14 21:19:56.524: RADIUS:  Vendor, Cisco       [26]  39
Feb 14 21:19:56.524: RADIUS:   Cisco AVpair       [1]   33  "ipsec:user-vpn-group=gr-remote"
Feb 14 21:19:56.524: RADIUS:  Class               [25]  26
Feb 14 21:19:56.524: RADIUS:   43 41 43 53 3A 30 2F 31 36 31 32 36 63 2F 63 30  [CACS:0/16126c/c0]
Feb 14 21:19:56.524: RADIUS:   61 38 35 31 30 39 2F 32                           [ a85109/2]
Feb 14 21:19:56.524: RADIUS(000003B3): Received from id 1645/58
Feb 14 21:19:56.524: AAA/ATTR: invalid attribute prefix: "ACS"
Feb 14 21:19:56.528: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
Thank you very much for your help.
Sofiene, CCNP, CCNP Security
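As an added diagnostic aid (not part of Sofiene's post): a small Python parser for the IOS RADIUS debug format shown above. It extracts the Cisco AV-pairs returned in the Access-Accept and pairs each "AAA/ATTR: invalid attribute prefix" error with the AV-pairs carrying that prefix, so the attribute the router rejected can be read off directly instead of by eye. The embedded log excerpt is a constructed, cleaned copy of the second session (testremote) from the post.

```python
import re

# Constructed sample: a cleaned excerpt of the IOS debug output from the post (session 000003B3).
DEBUG_LOG = """\
Feb 14 21:19:56.524: RADIUS: Received from id 1645/58 y.y.y.y:1645, Access-Accept, len 321
Feb 14 21:19:56.524: RADIUS: Cisco AVpair [1] 22 "ipsec:addr-pool=TEST"
Feb 14 21:19:56.524: RADIUS: Cisco AVpair [1] 39 "ipsec:inacl=gr-remote_splitTunnelAcl"
Feb 14 21:19:56.524: RADIUS: Cisco AVpair [1] 24 "ipsec:key-exchange=ike"
Feb 14 21:19:56.524: RADIUS: Cisco AVpair [1] 23 "ipsec:tunnel-type=esp"
Feb 14 21:19:56.524: RADIUS: Cisco AVpair [1] 65 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Acl_Remote_VPN-511d5324"
Feb 14 21:19:56.524: RADIUS: Cisco AVpair [1] 33 "ipsec:user-vpn-group=gr-remote"
Feb 14 21:19:56.524: RADIUS(000003B3): Received from id 1645/58
Feb 14 21:19:56.524: AAA/ATTR: invalid attribute prefix: "ACS"
"""

# A Cisco AV-pair line: ... Cisco AVpair [1] <len> "<prefix>:<name>=<value>"
AVPAIR_RE = re.compile(r'Cisco AVpair \[1\] \d+ "([^"]+)"')
# The AAA attribute parser's complaint about an unknown AV-pair prefix.
PREFIX_ERR_RE = re.compile(r'AAA/ATTR: invalid attribute prefix: "([^"]+)"')


def parse_avpairs(log):
    """Return (prefix, name, value) for every Cisco AV-pair in the debug log."""
    pairs = []
    for match in AVPAIR_RE.finditer(log):
        raw = match.group(1)
        prefix, _, rest = raw.partition(":")   # "ipsec", "inacl=..."
        name, _, value = rest.partition("=")   # split on the first '=' only
        pairs.append((prefix, name, value))
    return pairs


def rejected_avpairs(log):
    """Match each 'invalid attribute prefix' error to the AV-pairs that carry that prefix."""
    bad_prefixes = set(PREFIX_ERR_RE.findall(log))
    return [pair for pair in parse_avpairs(log) if pair[0] in bad_prefixes]


if __name__ == "__main__":
    for prefix, name, value in parse_avpairs(DEBUG_LOG):
        print(f"received  {prefix}:{name}={value}")
    for prefix, name, value in rejected_avpairs(DEBUG_LOG):
        print(f"REJECTED  prefix {prefix!r} -> {name}={value}")
```

Running it on a full debug capture shows which prefixes the router accepted (here only ipsec:) and which AV-pair the error line refers to.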