07-04-2012 09:26 AM
Hi,
We have been assigning VPN attributes on ASAs via RADIUS and can get them to work fine using the Vendor specific attribute numbers as listed in the link.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1661512
My question is whether anyone knows if you can set the VPN-filter ACL value using these attributes? I can see there is one for IPv6-VPN-Filter (219) but that doesn't work, and I did try Access-List-Inbound (86) and Access-List-Outbound (87) in case, but they aren't the ones.
So I am left wondering whether Cisco missed it out of the documentation by mistake or it isn't possible. I can't see why it wouldn't be possible if you can set all the other types of VPN attributes.
Thanks
07-05-2012 07:24 AM
Yes, it is [011] Filter-Id, where you specify the name of the vpn-filter ACL configured on the ASA.
Or alternatively you can use either Cisco AV-Pairs or a DACL.
Cisco AV-Pairs:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1763743
DACL:
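The two options above differ in what actually crosses the wire: Filter-Id only names an ACL that must already exist on the ASA, while a Cisco AV-pair carries the access-list text from the RADIUS server. The following is an added example (not code from this thread or from Cisco) that encodes both attribute forms as RFC 2865 type/length/value triples and decodes an attribute block, so an Access-Accept captured while troubleshooting can be checked for what the server really sent; the ACL name and the `ip:inacl#1=` value are constructed samples, and the exact AV-pair syntax the ASA expects is an assumption to confirm against the linked reference.

```python
import struct

RADIUS_FILTER_ID = 11        # RFC 2865 Filter-Id: names an ACL already present on the NAS
RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific wrapper
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # cisco-avpair sub-attribute (string)

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def filter_id(acl_name: str) -> bytes:
    """[011] Filter-Id carrying the name of a vpn-filter ACL configured on the ASA."""
    return attr(RADIUS_FILTER_ID, acl_name.encode())

def cisco_avpair(pair: str) -> bytes:
    """Cisco VSA: attribute 26, vendor 9, sub-type 1 wrapping an 'attr=value' string."""
    payload = pair.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(RADIUS_VENDOR_SPECIFIC, vsa)

def decode_attributes(data: bytes) -> list:
    """Walk an attribute block and return (name, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"bad attribute length at offset {i}")
        attr_type, length = data[i], data[i + 1]
        value = data[i + 2:i + length]
        if attr_type == RADIUS_FILTER_ID:
            out.append(("Filter-Id", value.decode()))
        elif attr_type == RADIUS_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub_type, sub_len = struct.unpack("!IBB", value[:6])
            if sub_len < 2 or 4 + sub_len > len(value):
                raise ValueError(f"bad VSA sub-length at offset {i}")
            sub_value = value[6:4 + sub_len]
            if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR:
                out.append(("cisco-avpair", sub_value.decode()))
            else:
                out.append((f"VSA vendor={vendor} type={sub_type}", sub_value.hex()))
        else:
            out.append((f"attr {attr_type}", value.hex()))
        i += length
    return out

# Constructed sample Access-Accept attribute block (not a captured packet).
SAMPLE = filter_id("VPN_FILTER_ACL") + cisco_avpair("ip:inacl#1=permit ip any any")
```

Feeding the attribute portion of a real Access-Accept (bytes after the 20-byte RADIUS header) into `decode_attributes` shows whether the server returned the ACL name you expect, which is the first thing to check when a filter unexpectedly blocks everything.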
07-05-2012 08:32 AM
Thanks for the update, unfortunately we can't use DACLs since we are using a Windows RADIUS server.
I have already tried the [011] Filter-Id and it blocked all traffic. The VPN initialized but it failed the Xauth authentication because it couldn't contact the RADIUS server. I tried making the filter ACL a permit any and it was the same. I think I forgot to mention that we are using the IPsec VPN client, not an L2L tunnel. When I read into the [011] Filter-Id more it says "This applies only to full tunnel IPsec and SSL VPN clients", which after testing I read as meaning it won't work with the IPsec VPN client, only an L2L tunnel.
The Cisco AV-Pairs attribute also seems to suggest the same thing. I will give it a go and see what happens. Have you used this to apply a vpn-filter ACL to an IPsec VPN account and got it to work?
07-05-2012 08:39 AM
Full tunnel means it does not apply to clientless vpn, not Lan-to-Lan tunnel.
It should work with the IPsec VPN Client. It is strange that it even blocks the Xauth because the attribute should be applied after authentication, not before, and to confirm, it does not allow it either even after you configure permit ip any. Strange...
07-08-2012 06:23 AM
I tried it using the AV-Pairs and it worked fine, so I went back to trying to use the [011] Filter-Id. Miraculously that also works fine now. I am not sure why it wasn't working before, as I am using the same ACL, so I guess it must be something on the RADIUS server. I can see your point that it should only be applied after authentication, so it shouldn't stop authentication. Anyway it's working now, thanks for all your help.
07-08-2012 06:26 AM
Great that it's working now. Thanks for the update.