
How to configure Easy VPN Server + downloadable ACL

josedunet
Level 1

Hi all

I'm wanting to know how to configure Easy VPN Server with downloadable ACLs on a Cisco 2811 router.

Indeed, I would like to set up a remote access VPN that uses RADIUS for authentication of VPN clients. The RADIUS server is connected to an Active Directory server that contains the login / password. I would like, on the basis of the user who connects to the VPN, the ACL that defines the services or servers which this user can access to be automatically applied on the router and to define the rights of the users.

How can I do this?

Thank you in advance.

1 Reply

wzhang
Cisco Employee

Hi,

Yes, you could do this by using any standard RADIUS server. What you need to do is:

1. Configure EzVPN using dynamic VTI, so that a virtual access interface is created when the user connects.

2. Enable network authorization using RADIUS for EzVPN; this would allow the per-user attributes to be applied to the virtual access interface for the user.

3. Configure the RADIUS server for the user profile using Cisco avpair (RADIUS attribute type 26, vendor id 9, vendor type 1). The avpair to be used is ipsec:inacl=xxx.

For more details, please see:

http://www.cisco.com/en/US/partner/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1519508

Hope this helps.

Thanks,

Wen
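The attribute named in step 3 of the reply above, shown on the wire. This is an added example, not part of the original reply: it builds the Vendor-Specific attribute (type 26, vendor id 9, vendor type 1) and extracts it from an attribute list, which is the check to run against a captured Access-Accept when the ACL is not being applied. The ACL value `EXAMPLE-ACL` and the sample attribute bytes are constructed placeholders.

```python
import struct

VENDOR_SPECIFIC = 26     # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9      # vendor id from the reply
CISCO_AVPAIR = 1         # vendor type from the reply
INACL_PREFIX = "ipsec:inacl="

def encode_cisco_avpair(avpair):
    """Encode one AV pair string as a type-26 Vendor-Specific attribute."""
    value = avpair.encode("ascii")
    vendor_len = 2 + len(value)        # vendor-type + vendor-length + value
    attr_len = 2 + 4 + vendor_len      # type + length + vendor-id + sub-attribute
    if attr_len > 255:
        raise ValueError("AV pair too long for a single RADIUS attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, attr_len,
                       CISCO_VENDOR_ID, CISCO_AVPAIR, vendor_len) + value

def extract_cisco_avpairs(attrs):
    """Walk a RADIUS attribute list and return every Cisco AV pair string."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(body) < 6:
            continue                   # not a usable vendor-specific attribute
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue                   # some other vendor's attribute
        sub, i = body[4:], 0
        while i + 2 <= len(sub):
            v_type, v_len = sub[i], sub[i + 1]
            if v_len < 2 or i + v_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if v_type == CISCO_AVPAIR:
                found.append(sub[i + 2:i + v_len].decode("ascii", "replace"))
            i += v_len
    return found

def inbound_acls(attrs):
    """Return the values of all ipsec:inacl AV pairs in the attribute list."""
    return [p[len(INACL_PREFIX):] for p in extract_cisco_avpairs(attrs)
            if p.startswith(INACL_PREFIX)]

# Constructed sample: a Class attribute, another vendor's VSA, then the Cisco AV pair.
SAMPLE_AVPAIR = INACL_PREFIX + "EXAMPLE-ACL"
SAMPLE_ATTRS = (bytes([25, 13]) + b"constructed"
                + struct.pack("!BBIBB", 26, 9, 99999, 1, 3) + b"x"
                + encode_cisco_avpair(SAMPLE_AVPAIR))
```

An empty result from `inbound_acls` on a real reply means the RADIUS profile is not sending the attribute at all, which separates a server-side profile problem from a router-side authorization problem.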