08-08-2012 12:38 PM - edited 03-10-2019 07:23 PM
Users whose status is manually disabled do not have difficulty in authenticating and accessing/managing network devices. That makes me wonder what the difference is between status enabled and disabled?
Thanks,
Kerim
08-28-2012 07:59 AM
Hi JG,
Thanks for the detailed reply, just one more question. We are using CVPN3000. I tried to create a pool on this device but there is no field for pool name, which is an important variable. I am supposed to invoke this pool name on ACS 5.3 to create the network access profile. The CVPN3000 takes input for start address, end address and mask; no field for pool name. Am I missing something?
Thanks,
Kerim
08-28-2012 08:07 AM
Is there a way to use an IP address range as an attribute as opposed to a pool name?
08-28-2012 10:42 AM
Hi Kerim,
Unfortunately the VPN 3000 does not have a concept of a named address pool as is available on the other platforms.
No, there is no option to push an IP range instead of a pool name.
My bad, I should have told you yesterday itself.
Regards,
~JG
08-29-2012 11:14 AM
Hi,
Currently I am using the dictionary RADIUS-Cisco and am using Cisco-av-pair to set privilege level 15 in my network authorization profile. Can this be applied to any RADIUS client, I mean any vendor? We have Juniper, APC UPS, NetScreen... Or should I select a different dictionary for different vendors? Please let me know at your earliest.
Thanks,
Kerim
08-29-2012 01:52 PM
Hi Kerim,
Cisco av-pair is used for Cisco devices only. For other 3rd-party devices, a separate attribute is required to be pushed by the RADIUS server.
You have to add these attributes, which are defined under ACS 5 GUI > System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA.
Then in Authorization Profiles under Policy Elements > Authorizations > Network Access > Authorization Profiles, we need to call it.
Here is the VSA for NetScreen.
Name=Netscreen
IETF Code=3224
VSA 1=NS-Admin-Privilege
VSA 2=NS-Admin-Vsys-Name
VSA 3=NS-User-Group
VSA 4=NS-Primary-DNS-Server
VSA 5=NS-Secondary-DNS-Server
VSA 6=NS-Primary-WINS-Server
VSA 7=NS-Secondary-WINS-Server
Regards,
~JG
Do rate helpful posts
08-29-2012 02:03 PM
Here is the APC VSA that needs to be added,
[User Defined Vendor]
Name=APC Devices
IETF Code=318
VSA 1=APC-Service-Type

[APC-Service-Type]
Type=INTEGER
Profile=OUT
Enums=APC-Auth-Type

[APC-Auth-Type]
1=Admin
2=Device
3=ReadOnly
Regards
~JG
Do rate helpful posts
08-29-2012 02:49 PM
I am assuming the VSA for APC-Auth-Type to be 2, Profile=BOTH and Type=Enumeration. The other thing: in the case of Juniper, what attribute should I pick and what should be the value for this attribute if I want to give admin privilege (level 15)?
thanks,
Kerim
08-29-2012 03:50 PM
Hi Kerim,
Attribute Value Pairs for Juniper.
VALUE NS-Admin-Privilege ROOT 1
VALUE NS-Admin-Privilege READ_WRITE 2
VALUE NS-Admin-Privilege VSYS_ADMIN 3
VALUE NS-Admin-Privilege READ_ONLY 4
VALUE NS-Admin-Privilege VSYS_READ_ONLY 5
Regards,
~JG
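The two dictionaries JG posted above (APC vendor 318 with APC-Service-Type, NetScreen vendor 3224 with NS-Admin-Privilege) are delivered on the wire as RADIUS Vendor-Specific Attributes (type 26, RFC 2865). The following is an added example, not from this thread or from Cisco ACS, that encodes such a VSA and decodes the attribute section of a reply so you can check which privilege level a profile actually pushes; the vendor IDs, attribute numbers and enum values are the ones given in the thread, the byte layout is the standard RFC 2865 one.

```python
import struct

VSA_TYPE = 26  # RADIUS Vendor-Specific attribute type
# Vendor IDs, attribute numbers and enum values as posted in the thread.
APC_VENDOR, NS_VENDOR = 318, 3224
APC_SERVICE_TYPE, NS_ADMIN_PRIVILEGE = 1, 1  # vendor attribute IDs
ENUMS = {
    (APC_VENDOR, APC_SERVICE_TYPE): ("APC-Service-Type",
        {1: "Admin", 2: "Device", 3: "ReadOnly"}),
    (NS_VENDOR, NS_ADMIN_PRIVILEGE): ("NS-Admin-Privilege",
        {1: "ROOT", 2: "READ_WRITE", 3: "VSYS_ADMIN",
         4: "READ_ONLY", 5: "VSYS_READ_ONLY"}),
}

def encode_vsa(vendor_id: int, vendor_type: int, value: int) -> bytes:
    """Build one RFC 2865 VSA carrying a 32-bit integer sub-attribute."""
    payload = struct.pack("!I", value)
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def decode_vsas(attrs: bytes):
    """Walk a RADIUS attribute blob; return [(vendor_id, vendor_type, value)]
    for every VSA sub-attribute. Length fields are checked before use."""
    found, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        if atype == VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while j < i + alen:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed VSA sub-attribute")
                raw = attrs[j + 2:j + vlen]
                val = struct.unpack("!I", raw)[0] if len(raw) == 4 else raw
                found.append((vendor_id, vtype, val))
                j += vlen
        i += alen
    return found

def describe(vendor_id: int, vendor_type: int, value) -> str:
    """Render a decoded VSA with the thread's enum names, e.g. for auditing
    that an APC profile really pushes ReadOnly rather than Admin."""
    name, names = ENUMS.get((vendor_id, vendor_type), ("vendor%d-attr%d" % (vendor_id, vendor_type), {}))
    return "%s=%s" % (name, names.get(value, value))

if __name__ == "__main__":
    # Constructed sample: an Access-Accept attribute section with both VSAs.
    blob = encode_vsa(APC_VENDOR, APC_SERVICE_TYPE, 3) + encode_vsa(NS_VENDOR, NS_ADMIN_PRIVILEGE, 4)
    print([describe(*v) for v in decode_vsas(blob)])
```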
08-30-2012 08:37 AM
Thanks JG,
I couldn't get the APC VSA working for me. Attached is the screenshot of the APC authorization profile. The problem I am facing is, it just tries authenticating twice against RSA. As you know, RSA is one-time authentication and it fails. Don't know why it tries authenticating twice? Am I missing something?
08-30-2012 10:47 AM
Hi,
Add APC UPS: System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA, click Create, enter the Name: APC, Vendor ID: 318, click Submit.
Go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA > APC (or from the Vendor Specific Dictionary page, check the box next to APC and click Show Vendor Attributes), click Create and enter the following values:
Attribute: APC-Service-Type, Vendor Attribute ID: 1, Direction: BOTH, Multiple Allowed: True, Attribute Type: Unsigned Integer 32, click Submit.
Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, click Create, under the General tab enter a Name for the profile: APC_UPS_RADIUS_AUTH. Then under the RADIUS Attributes tab, select RADIUS-APC from the Dictionary Type drop-down list, select RADIUS Attribute as APC-Service-Type, enter the Attribute Value as Static with value 1 (to get Admin user privilege), click Add ^ to manually enter the attribute, click Submit.
Hope that helps!
Regards,
~JG
Do rate helpful posts
08-30-2012 09:21 AM
I already have 8 attributes for Juniper:
Allowed-Commands ID-2
Allowed_Configuration ID-4
.
.
.
The list goes on, and I checked on the Juniper web site too. I couldn't find NS-Admin-Privilege, and if it is something I have to create, what is its ID? I am assuming it is of type Enumeration, please let me know.
08-30-2012 12:54 PM
08-31-2012 03:26 PM
Kerim,
Can you show me the setting on the identity sequence? If we have RSA listed first then it will go to that database.
Regards,
~JG
09-05-2012 07:46 AM
Hi JG,
That is correct, the identity sequence is such that it checks RSA first, then moves to the internal database. That is not the problem. The problem is it tries to authenticate twice for APC devices only. Once I put in the username and RSA token, it authenticates fine and almost immediately re-authenticates without prompting me and of course fails. When I use a local account, I don't have the problem. This is just for APC devices.
Thanks,
Kerim
09-05-2012 10:22 AM
Hi Kerim,
Have you tried it from a different PC and browser?
Regards,
~JG