Thursday, July 10, 2014

How to assign ACLs to Cisco VPN user via RADIUS

While setting up per-user ACLs in RADIUS for my VPN users I noticed some issues with the current online documentation. I am using a Cisco ASA 9.2(2) as the VPN concentrator and FreeRADIUS 3.0.2 as the RADIUS server. In the FreeRADIUS users file you need to add your ACLs in this manner:

testuser1  Cleartext-Password := "testme"
   Cisco-AVPair = "ip:inacl#101=permit ip any 192.168.1.0 255.255.255.0",
   Cisco-AVPair += "ip:inacl#102=deny ip any any",
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 192.168.255.97,
   Framed-IP-Netmask = 255.255.255.0,
   Reply-Message = "This is a test message"


You should notice the use of "ip:inacl" rather than "ip.inacl", which most current online documentation suggests. Also, make sure you use "+=" for every repeated Cisco-AVPair line other than the first: in the users file "=" only adds a reply attribute when none of that name is present yet, so a second Cisco-AVPair written with "=" would never reach the ASA.
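Because both pitfalls above are easy to miss by eye, here is a small Python checker, added as an example and not part of the original post, that parses a FreeRADIUS users file, flags "ip.inacl" typos, repeated Cisco-AVPair lines that use "=" instead of "+=", and duplicate ACE sequence numbers, and also emits a correctly formed entry. The sample users file embedded in it is constructed: it contains the entry from the post plus a hypothetical "baduser" entry with the mistakes. The function names and the 101-upwards numbering are my own assumptions, not anything from FreeRADIUS or Cisco.

```python
import re
from typing import Dict, List, Optional, Sequence

# Constructed sample: the entry from the post, followed by a hypothetical
# second user whose entry contains the mistakes the post warns about.
SAMPLE_USERS_FILE = """\
testuser1  Cleartext-Password := "testme"
   Cisco-AVPair = "ip:inacl#101=permit ip any 192.168.1.0 255.255.255.0",
   Cisco-AVPair += "ip:inacl#102=deny ip any any",
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 192.168.255.97,
   Framed-IP-Netmask = 255.255.255.0,
   Reply-Message = "This is a test message"

baduser  Cleartext-Password := "testme2"
   Cisco-AVPair = "ip.inacl#101=permit ip any 10.0.0.0 255.0.0.0",
   Cisco-AVPair = "ip:inacl#101=deny ip any any"
"""

AVPAIR_RE = re.compile(r'^\s*Cisco-AVPair\s*(\+=|:=|=)\s*"([^"]*)"')
INACL_RE = re.compile(r'^ip([:.])inacl#(\d+)=(.+)$')


def parse_users_file(text: str) -> Dict[str, List[str]]:
    """Group a users file into {username: [reply-item lines]}.

    An entry starts with a line in column 0 (name plus check items);
    the indented lines that follow it are its reply items.
    """
    users: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = line.split()[0]
            users[current] = []
        elif current is not None:
            users[current].append(line)
    return users


def lint_entry(username: str, reply_lines: Sequence[str]) -> List[str]:
    """Return findings for one entry's Cisco-AVPair reply items."""
    findings: List[str] = []
    seen_seq = set()
    avpair_count = 0
    for line in reply_lines:
        m = AVPAIR_RE.match(line)
        if not m:
            continue
        op, value = m.groups()
        avpair_count += 1
        im = INACL_RE.match(value)
        if im is None:
            continue
        sep, seq, ace = im.groups()
        if sep == ".":
            findings.append(f'{username}: "ip.inacl#{seq}" should be "ip:inacl#{seq}"')
        # "=" only adds a reply attribute when none of that name exists yet,
        # so a second Cisco-AVPair written with "=" is silently dropped.
        if avpair_count > 1 and op != "+=":
            findings.append(f'{username}: repeated Cisco-AVPair uses "{op}", use "+="')
        if seq in seen_seq:
            findings.append(f'{username}: duplicate ACE sequence number #{seq} ({ace})')
        seen_seq.add(seq)
    return findings


def lint_users_file(text: str) -> List[str]:
    findings: List[str] = []
    for user, lines in parse_users_file(text).items():
        findings.extend(lint_entry(user, lines))
    return findings


def build_user_entry(username: str, password: str, aces: Sequence[str],
                     extra_reply: Sequence[str] = ()) -> str:
    """Emit a well-formed entry: ACEs become ip:inacl#101, #102, ... with "="
    on the first Cisco-AVPair and "+=" on every further one; every reply line
    but the last ends in a comma (a trailing comma means continuation)."""
    reply = []
    for i, ace in enumerate(aces):
        op = "=" if i == 0 else "+="
        reply.append(f'Cisco-AVPair {op} "ip:inacl#{101 + i}={ace}"')
    reply.extend(extra_reply)
    lines = [f'{username}  Cleartext-Password := "{password}"']
    for i, item in enumerate(reply):
        comma = "," if i < len(reply) - 1 else ""
        lines.append(f"   {item}{comma}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in lint_users_file(SAMPLE_USERS_FILE):
        print(finding)
    print(build_user_entry("testuser2", "changeme",
                           ["permit ip any 192.168.1.0 255.255.255.0",
                            "deny ip any any"],
                           ["Service-Type = Framed-User"]))
```

Run it against your real users file (for example by reading it into `lint_users_file`) before restarting FreeRADIUS; the post's own entry produces no findings, while the constructed "baduser" entry produces three.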

6 comments:

  1. You can configure downloadable access lists on Cisco Secure ACS 5.x as a Named Permissions Object and then assign it to an Authorization Profile which will be chosen in the result section of the Rule in the Access-Service.
    Meanwhile, if you know how to configure vpn express on a Cisco router then please do let me know.

  2. Does Windows Server (2000 and 2003) have its own RADIUS bolt-on, Windows IAS? I want to configure ipvanish vpn.

  3. This article is an appealing wealth of informative data that is interesting and well-written. Fast VPN

  4. I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often. vpn reviews

  5. compose not all that basic posts that masterfully. Proceed with the pleasant written work
    here vpn

  6. Thanks for the blog loaded with so much information. Stopping by your blog helped me to get what I was looking for. super vpn for windows
