Table of Contents
Configuring an External Server for VPN Concentrator User Authorization
Configuring an External LDAP Server
Configuring an External RADIUS Server
Configuring an External Server for VPN Concentrator User Authorization
The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.
If you are configuring an LDAP server, see "Configuring an External LDAP Server."
If you are configuring a RADIUS server, skip ahead to "Configuring an External RADIUS Server."
Configuring an External LDAP Server
 |
Note For more information on the LDAP protocol, refer to RFCs 1777, 2251, and 2849. |
An LDAP server stores information as entries in a directory. An LDAP schema defines what types of information can be stored in those entries. The schema lists classes and the set of (required and optional) attributes that objects of each class may contain.
To configure your LDAP server to interoperate with the VPN Concentrator, define a VPN Concentrator authorization schema. A VPN Concentrator authorization schema defines the class and attributes of that class that the VPN Concentrator supports. Specifically, it comprises the object class (cVPN3000-User-Authorization) and all its possible attributes that may be used to authorize a VPN Concentrator user (such as access hours, primary DNS, and so on). Each attribute comprises the attribute name, its number (called an object identifier or OID), its type, and its possible values.
Once you have defined the VPN Concentrator authorization schema and loaded it on your server, define the VPN Concentrator attributes and permissions and their respective values for each user who will be authorizing to the server.
In summary, to set up your LDAP server:
- Design your VPN Concentrator LDAP authorization schema based on the hierarchal set-up of your organization
- Define the VPN Concentrator authorization schema
- Load the schema on the LDAP server
- Define each user's permissions on the LDAP server
The specific steps of these processes vary, depending on which type of LDAP server you are using.
Designing the VPN Concentrator LDAP Schema
Before you actually create your schema, think about how your organization is structured. Your LDAP schema should reflect the logical hierarchy of your organization.
For example, suppose an employee at your company XYZ Corporation is named Joe. Joe works in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a shallow, single-level hierarchy in which Joe is considered a member of XYZ corporation. Or, you could set up a multi-level hierarchy in which Joe is considered to be a member of the department Engineering, which is a member of an organizational unit called People, which is itself a member of XYZ Corporation. See Figure A-1 for an example of this multi-level hierarchy.
A multi-level hierarchy has more granularity, but a single level hierarchy is quicker to search.
Figure A-1 A Multi-Level LDAP Hierarchy
Searching the Hierarchy
The VPN Concentrator allows you to tailor the search within the LDAP hierarchy. You configure the following three fields on the VPN Concentrator to define where in the LDAP hierarchy your search begins, its extent, and the type of information it is looking for. Together these fields allow you to limit the search of the hierarchy to the just part of the tree that contain the user permissions.
- LDAP Base DN = This field defines where in the LDAP hierarchy the server should begin searching for user information when it receives an authorization request from the VPN Concentrator.
- Search Scope = This field defines the extent of the search in the LDAP hierarchy.The search proceeds this many levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the level immediately below, or it can search the entire subtree. A single level search is quicker, but a subtree search is more extensive.
- Naming Attribute(s) = This field defines the Relative Distinguished Name (RDN) that uniquely identifies an entry in the LDAP server. Common naming attributes are: cn (Common Name) and ui (user identification).
Figure A-1 shows a possible LDAP hierarchy for XYZ Corporation. Given this hierarchy, you could define your search in different ways. Table A-1 shows two possible search configurations.
In the first example configuration, when Joe establishes his IPSec tunnel with LDAP authorization required, the VPN Concentrator sends a search request to the LDAP server indicating it should search for Joe in the Engineering group. This search will be quick.
In the second example configuration, the VPN Concentrator sends a search request indicating the server should search for Joe within XYZ Corporation. This search will take longer.
Table A-1 Example Search Configurations
| # |
LDAP Base DN |
Search Scope |
Naming Attribute |
Result |
|
1
|
group= Engineering,ou=People,dc=XYZCorporation,dc=com
|
One Level
|
cn=Joe
|
Quicker search
|
|
2
|
dc=XYZCorporation,dc=com
|
Subtree
|
cn=Joe
|
Longer search
|
|
Defining the VPN Concentrator LDAP Schema
Once you have decided how to structure your user information in the LDAP hierarchy, define this organization in a schema. To define the schema, begin by defining the object class name. The class name for the VPN Concentrator directory is: cVPN3000-User-Authorization. The class has the object identifier (OID): 1.2.840.113556.1.8000.795.1.1. Every entry or user in the directory is an object of this class.
Some LDAP servers (for example, the Microsoft Active Directory LDAP server) do not allow you to reuse the class OID, once you have defined it. Use the next incremental OID. For example, if you incorrectly defined the class name as "cVPN3000-Usr-Authrizaton" with OID "1.2.840.113556.1.8000.795.1.1," you can enter the correct class name "cVPN3000-User-Authorization" with the next OID, for example: 1.2.840.113556.1.8000.795.1.2.
For the Microsoft Active Directory LDAP server, define the schema in text form in a file using the LDAP Data Interchange Format (LDIF). This file has an extension of .ldif, for example: schema.ldif. Other LDAP servers use graphical user interfaces or script files to define the object class and its attributes.
All schema attributes that the VPN Concentrator supports begin with the letters "cVPN3000"; for example: cVPN3000-Access-Hours. For a complete list of attributes, see Table A-2.
All strings are case-sensitive.
Table A-2 VPN Concentrator Supported LDAP Authorization Schema Attributes
| Attribute Name OID (Object Identifier) |
Syntax/
Type |
Single or Multi-
Valued |
Possible Values |
|
cVPN3000-Access-Hours
1.2.840.113556.8000.795.2.1
|
String
|
Single
|
An octet string
|
|
cVPN3000-Simultaneous-Logins
1.2.840.113556.8000.795.2.2
|
Integer
|
Single
|
An integer
|
|
cVPN3000-Primary-DNS
1.2.840.113556.8000.795.2.3
|
String
|
Single
|
An IP address
|
|
cVPN3000-Secondary-DNS
1.2.840.113556.8000.795.2.4
|
String
|
Single
|
An IP address
|
|
cVPN3000-Primary-WINS
1.2.840.113556.8000.795.2.5
|
String
|
Single
|
An IP address
|
|
cVPN3000-Secondary-WINS
1.2.840.113556.8000.795.2.6
|
String
|
Single
|
An IP address
|
|
cVPN3000-SEP-Card-Assignment
1.2.840.113556.8000.795.2.7
|
Integer
|
Single
|
1 = SEP1
2 = SEP2
3 = SEP3
4 = SEP4
15 = Any SEP
|
|
cVPN3000-Tunneling-Protocols
1.2.840.113556.8000.795.2.8
|
Integer
|
Single
|
1 = PPTP
2 = L2TP
3 = PPTP and L2TP
4 = IPSec
5 = PPTP and IPSec
6 = L2TP and IPSec
7 = PPTP-L2TP-IPSec
8 = L2TP/IPSec
9 = PPTP and L2TP/IPSec
10 = L2TP and L2TP/IPSec
11 = PPTP-L2TP-L2TP/IPSec
|
|
cVPN3000-IPSec-Sec-Association
1.2.840.113556.8000.795.2.9
|
String
|
Single
|
An octet string
|
|
cVPN3000-IPSec-Authentication
1.2.840.113556.8000.795.2.10
|
Integer
|
Single
|
0 = None
1 = RADIUS
3 = NT Domain
4 = SDI
5 = Internal
6 = RADIUS with Expiry
7 = Kerberos/Active Directory
|
|
cVPN3000-IPSec-Banner1
1.2.840.113556.8000.795.2.11
|
String
|
Single
|
An octet string
|
|
cVPN3000-IPSec-Allow-Passwd-Store
1.2.840.113556.8000.795.2.12
|
Boolean
|
Single
|
TRUE = Allow
FALSE = Disallow
|
|
cVPN3000-Use-Client-Address
1.2.840.113556.8000.795.2.13
|
Boolean
|
Single
|
TRUE = Allow
FALSE = Disallow
|
|
cVPN3000-PPTP-Encryption
1.2.840.113556.8000.795.2.14
|
Integer
|
Single
|
2 = 40 bits
3 = 40-Encryption-Req
4 = 128 bits
5 = 128-Encryption-Req
6 = 40 or 128
7 = 40 or 128 Encryption-Req
10 = 40 Stateless-Req
11 = Enc/Stateless-Req
12 = 128 Stateless-Req
13 = 128 Enc/Stateless-req
14 = 40/128-Stateless-Req
15 = 40/128-Enc/Stateless-Req
|
|
cVPN3000-L2TP-Encryption
1.2.840.113556.8000.795.2.15
|
Integer
|
Single
|
2 = 40 bit
3 = 40-Encryption-Req
4 = 128 bits
5 = 128-Encr-Req
6 = 40 or 128
7 = 40 or 128-Encr-Req
10 = 40-Stateless-Req
11 = Encr/Stateless-Req
12 = 128-Stateless-Req
13 = 128-EncrStateless-Req
14 = 40/128-Stateless-Req
15 = 40/128-Encr/Stateless-Req
|
|
cVPN3000-IPSec-Split-Tunnel-List
1.2.840.113556.8000.795.2.16
|
String
|
Single
|
An octet string
|
|
cVPN3000-IPSec-Default-Domain
1.2.840.113556.8000.795.2.17
|
String
|
Single
|
An octet string
|
|
cVPN3000-IPSec-Split-DNS-Names
1.2.840.113556.8000.795.2.18
|
String
|
Single
|
An octet string
|
|
cVPN3000-IPSec-Tunnel-Type
1.2.840.113556.8000.795.2.19
|
Integer
|
Single
|
1 = LAN-to-LAN
2 = Remote access
|
|
cVPN3000-IPSec-Mode-Config
1.2.840.113556.8000.795.2.20
|
Boolean
|
Single
|
TRUE = On
FALSE = Off
|
|
cVPN3000-IPSec-User-Group-Lock
1.2.840.113556.8000.795.2.21
|
Boolean
|
Single
|
TRUE = On
FALSE = Off
|
|
cVPN3000-IPSec-Over-UDP
1.2.840.113556.8000.795.2.22
|
Boolean
|
Single
|
TRUE = On
FALSE = Off
|
|
cVPN3000-IPSec-Over-UDP-Port
1.2.840.113556.8000.795.2.23
|
Integer
|
Single
|
An integer
|
|
cVPN3000-IPSec-Banner2
1.2.840.113556.8000.795.2.24
|
String
|
Single
|
An octet string
|
|
cVPN3000-PPTP-MPPC-Compression
1.2.840.113556.8000.795.2.25
|
Integer
|
Single
|
1 = ON
2 = OFF
|
|
cVPN3000-L2TP-MPPC-Compression
1.2.840.113556.8000.795.2.26
|
Integer
|
Single
|
0 = ON
1 = OFF
|
|
cVPN3000-IPSec-IP-Compression
1.2.840.113556.8000.795.2.27
|
Integer
|
Single
|
0 = None
1 = LZS
|
|
cVPN3000-IPSec-IKE-Peer-ID-Check
1.2.840.113556.8000.795.2.28
|
Integer
|
Single
|
1 = Required
2 = If supported by certificate
3 = Do not check
|
|
cVPN3000-IKE-Keep-Alives
1.2.840.113556.8000.795.2.29
|
Boolean
|
Single
|
TRUE = On
FALSE = Off
|
|
cVPN3000-IPSec-Auth-On-Rekey
1.2.840.113556.8000.795.2.30
|
Boolean
|
Single
|
TRUE = On
FALSE = Off
|
|
cVPN3000-Required-Client- Firewall-Vendor-Code
1.2.840.113556.8000.795.2.31
|
Integer
|
Single
|
An integer
|
|
cVPN3000-Required-Client-Firewall-Product-Code
1.2.840.113556.8000.795.2.32
|
Integer
|
Single
|
An integer
|
|
cVPN3000-Required-Client-Firewall-Description
1.2.840.113556.8000.795.2.33
|
String
|
Single
|
An octet string
|
|
cVPN3000-Require-HW-Client-Auth
1.2.840.113556.8000.795.2.34
|
Boolean
|
Single
|
TRUE = On
FALSE = Off
|
|
cVPN3000-Require-Individual-User-Auth
1.2.840.113556.8000.795.2.35
|
Integer
|
Single
|
An integer
|
|
cVPN3000-Authenticated-User-Idle-Timeout
1.2.840.113556.8000.795.2.36
|
Integer
|
Single
|
An integer
|
|
cVPN3000-Cisco-IP-Phone-Bypass
1.2.840.113556.8000.795.2.37
|
Integer
|
Single
|
2 = Enabled
3 = Disabled
|
|
cVPN3000-IPSec-Split-Tunneling-Policy
1.2.840.113556.8000.795.2.38
|
Integer
|
Single
|
0 = Tunnel everything
1 = Only tunnel networks in list
2 = Policy Pushed CPP
4 = Policy from server
|
|
cVPN3000-IPSec-Required-Client-Firewall-Capability
1.2.840.113556.8000.795.2.39
|
Integer
|
Single
|
0 = None
1 = Policy defined by remote FW AYT
2 = Policy pushed CPP
4 = Policy from server
|
|
cVPN3000-IPSec-Client-Firewall-Filter-Name
1.2.840.113556.8000.795.2.40
|
String
|
Single
|
An octet
|
|
cVPN3000-IPSec-Client-Firewall-Filter-Optional
1.2.840.113556.8000.795.2.41
|
Integer
|
Single
|
0 = Required
1 = Optional
|
|
cVPN3000-IPSec-Backup-Servers
1.2.840.113556.8000.795.2.42
|
String
|
Single
|
1 = Use Client-Configured list
2 = Disabled and clear client list
3 = Use Backup Server list
|
|
cVPN3000-IPSec-Backup-Server-List
1.2.840.113556.8000.795.2.43
|
String
|
Single
|
An octet string
|
|
cVPN3000-Client-Intercept-DHCP-Configure-Msg
1.2.840.113556.8000.795.2.44
|
Boolean
|
Single
|
TRUE = Yes
FALSE = No
|
|
cVPN3000-MS-Client-Subnet-Mask
1.2.840.113556.8000.795.2.45
|
String
|
Single
|
An IP address
|
|
cVPN3000-Allow-Network-Extension-Mode
1.2.840.113556.8000.795.2.46
|
Boolean
|
Single
|
TRUE = Yes
FALSE = No
|
|
cVPN3000-Strip-Realm
1.2.840.113556.8000.795.2.47
|
Boolean
|
Single
|
TRUE = On
FALSE = Off
|
|
cVPN3000-Cisco-AV-Pair
1.2.840.113556.8000.795.2.48
|
String
|
Multiple
|
An octet string in the following format:
[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]
For more information, see "Cisco -AV-Pair Attribute Syntax.".
|
|
cVPN3000-User-Auth-Server-Name
1.2.840.113556.8000.795.2.49
|
String
|
Single
|
An octet string
|
|
cVPN3000-User-Auth-Server-Port
1.2.840.113556.8000.795.2.50
|
Integer
|
Single
|
An integer
|
|
cVPN3000-User-Auth-Server-Secret
1.2.840.113556.8000.795.2.51
|
String
|
Single
|
An octet string
|
|
cVPN3000-Confidence-Interval
1.2.840.113556.8000.795.2.52
|
Integer
|
Single
|
An integer
|
|
cVPN3000-Cisco-LEAP-Bypass
1.2.840.113556.8000.795.2.53
|
Integer
|
Single
|
An integer
|
|
cVPN3000-DHCP-Network-Scope
1.2.840.113556.8000.795.2.57
|
String
|
Single
|
IP address
|
|
Cisco -AV-Pair Attribute Syntax
The syntax of each Cisco-AV-Pair rule is as follows:
[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]:
| Field |
Description |
|
Prefix
|
An unique identifier for the AV pair. For example: ip:inacl#1=. This field only appears when the filter has been sent as an AV pair.
|
|
Action
|
Action to perform if rule matches: deny, permit.
|
|
Protocol
|
Number or name of an IP protocol. Either an integer in the range 0-255 or one of the following keywords: icmp, igmp, ip, tcp, udp.
|
|
Source
|
Network or host from which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the source wildcard mask must follow.
|
|
Source Wildcard Mask
|
The wildcard mask to be applied to the source address.
|
|
Destination
|
Network or host to which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the source wildcard mask must follow.
|
|
Destination Wildcard Mask
|
The wildcard mask to be applied to the destination address.
|
|
Log
|
Generates a FILTER log message. You must use this keyword to generate events of severity level 9.
|
|
Operator
|
Logic operators: greater than, less than, equal to, not equal to.
|
|
Port
|
The number of a TCP or UDP port: in the range 0-65535.
|
For example:
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log
The following chart lists the tokens for the Cisco-AV-Pair attribute:
Table 0-3 VPN Concentrator-Supported Tokens
| Token |
Syntax Field |
Description |
|
ip:inacl#Num=
|
N/A (Identifier)
|
(Where Num is a unique integer.) Starts all AV pair access control lists.
|
|
deny
|
Action
|
Denies action. (Default.)
|
|
permit
|
Action
|
Allows action.
|
|
icmp
|
Protocol
|
Internet Control Message Protocol (ICMP)
|
|
1
|
Protocol
|
Internet Control Message Protocol (ICMP)
|
|
IP
|
Protocol
|
Internet Protocol (IP)
|
|
0
|
Protocol
|
Internet Protocol (IP)
|
|
TCP
|
Protocol
|
Transmission Control Protocol (TCP)
|
|
6
|
Protocol
|
Transmission Control Protocol (TCP)
|
|
UDP
|
Protocol
|
User Datagram Protocol (UDP)
|
|
17
|
Protocol
|
User Datagram Protocol (UDP)
|
|
any
|
Hostname
|
Rule applies to any host.
|
|
host
|
Hostname
|
Any alpha-numeric string that denotes a hostname.
|
|
log
|
Log
|
When the event is hit, a filter log message appears. (Same as permit and log or deny and log.)
|
|
lt
|
Operator
|
Less than value
|
|
gt
|
Operator
|
Greater than value
|
|
eq
|
Operator
|
Equal to value
|
|
neq
|
Operator
|
Not equal to value
|
|
range
|
Operator
|
Inclusive range. Should be followed by two values.
|
|
Example VPN Concentrator Authorization Schema
This section provides a sample of an LDAP schema. This schema supports the VPN Concentrator class and attributes. It is specific to the Microsoft Active Directory LDAP server. Use it as a model, in conjunction with Table A-2, to define your own schema for your own LDAP server.
|
Note For more information on LDIF, refer to RFC-2849. |
Schema 3k_schema.ldif
dn: CN=cVPN3000-Access-Hours,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
adminDisplayName: cVPN3000-Access-Hours
attributeID: 1.2.840.113556.1.8000.795.2.1
cn: cVPN3000-Access-Hours
lDAPDisplayName: cVPN3000-Access-Hours
CN=cVPN3000-Access-Hours,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
CN=Attribute-Schema,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectClass: attributeSchema
name: cVPN3000-Access-Hours
showInAdvancedViewOnly: TRUE
.... (define subsequent VPN Concentrator authorization attributes here)
dn: CN=cVPN3000-Primary-DNS,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
adminDisplayName: cVPN3000-Primary-DNS
attributeID: 1.2.840.113556.1.8000.795.2.3
lDAPDisplayName: cVPN3000-Primary-DNS
CN=cVPN3000-Primary-DNS,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
CN=Attribute-Schema,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectClass: attributeSchema
name: cVPN3000-Primary-DNS
showInAdvancedViewOnly: TRUE
.... (define subsequent VPN Concentrator authorization attributes here)
dn: CN=cVPN3000-Confidence-Interval,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
adminDisplayName: cVPN3000-Confidence-Interval
attributeID: 1.2.840.113556.1.8000.795.2.52
cn: cVPN3000-Confidence-Interval
lDAPDisplayName: cVPN3000-Confidence-Interval
CN=cVPN3000-Confidence-Interval,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
dn: CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
adminDisplayName: cVPN3000-User-Authorization
adminDescription: Cisco Class Schema
cn: cVPN3000-User-Authorization
CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
defaultSecurityDescriptor:
D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
governsID: 1.2.840.113556.1.8000.795.1.1
lDAPDisplayName: cVPN3000-User-Authorization
mayContain: cVPN3000-Access-Hours
mayContain: cVPN3000-Simultaneous-Logins
mayContain: cVPN3000-Primary-DNS
mayContain: cVPN3000-Confidence-Interval
mayContain: cVPN3000-Cisco-LEAP-Bypass
CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
CN=Class-Schema,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
possSuperiors: organizationalUnit
name: cVPN3000-User-Authorization
showInAdvancedViewOnly: TRUE
Loading the Schema in the LDAP Server
|
Note The directions in this section are specific to the Microsoft Active Directory LDAP server. If you have a different type of server, refer to your server documentation for information on loading a schema. |
To load the schema on the LDAP server, enter the following command from the directory where the schema file resides: ldifde -i -f Schema Name. For example: ldifde -i -f 3k_schema.ldif
Defining User Permissions
|
Note The directions in this section are specific to the Microsoft Active Directory LDAP server. If you have a different type of server, refer to your server documentation for information on defining and loading user attributes. |
For each user authorizing to your LDAP server, define a user file. A user file defines all the VPN Concentrator attributes and values associated with a particular user. Each user is an object of the class cVPN3000-User-Authorization. To define the user file, use any text editor. The file must have the extension .ldif. (For an example user file, see "ann_smith.ldif.")
To load the user file on the LDAP server, enter the following command on the directory where your version of the ldap_user.ldif file resides: ldifde -i -f ldap_user.ldif. For example: ldifde -i -f ann_smith.ldif
Once you have created and loaded both the schema and the user file, your LDAP server is ready to process VPN Concentrator authorization requests.
Example User File
This section provides a sample of a user file for the user Ann Smith.
ann_smith.ldif
dn: cn=ann_smith,OU=People,DC=XYZCorporation,DC=com
changetype: add
cn: ann_smith
CVPN3000-Access-Hours: Corporate_time
cVPN3000-Simultaneous-Logins: 2
cVPN3000-IPSec-Over-UDP: TRUE
CVPN3000-IPSec-Over-UDP-Port: 12125
cVPN3000-IPSec-Banner1: Welcome to the XYZ Corporation!!!
cVPN3000-IPSec-Banner2: Unauthorized access is prohibited!!!!!
cVPN3000-Primary-DNS: 10.10.4.5
CVPN3000-Secondary-DNS: 10.11.12.7
CVPN3000-Primary-WINS: 10.20.1.44
CVPN3000-SEP-Card-Assignment: 1
CVPN3000-IPSec-Tunnel-Type: 2
CVPN3000-Tunneling-Protocols: 7
cVPN3000-Confidence-Interval: 300
cVPN3000-IPSec-Allow-Passwd-Store: TRUE
objectClass: cVPN3000-User-Authorization
Configuring an External RADIUS Server
Follow the steps below to set up the RADIUS server to inter operate with the VPN Concentrator.
Step 1 Load the VPN Concentrator attributes into the RADIUS server. The method you use to load the attributes depends on which type of RADIUS server you are using:
- If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.
- If you are using a FUNK RADIUS server: Cisco supplies a dictionary file that contains all the VPN Concentrator attributes. Obtain this dictionary file,
cisco3k.dct, from Software Center on CCO or from the VPN Concentrator CD-ROM. Load the dictionary file on your server.
- For other vendors' RADIUS servers (for example, Microsoft Internet Authentication Service): you must manually define each VPN Concentrator attribute. To define an attribute, use the attribute name or number, type, value, and vendor code (3076). For a list of VPN Concentrator RADIUS authorization attributes and values, see
Step 2 Set up the users or groups with the permissions and attributes to send during IPSec tunnel establishment. The permissions or attributes might include access hours, primary DNS, banner, and so on.
VPN Concentrator RADIUS Authorization Attributes
Table A-4 lists all the possible VPN Concentrator supported attributes that can be used for user authorization.
Table A-4 VPN Concentrator Supported RADIUS Attributes and Values
| Attribute Name |
Attribute
Type |
Attribute Number |
Attribute Values |
|
cVPN3000-Access-Hours
|
String
|
1
|
An octet string
|
|
cVPN3000-Simultaneous-Logins
|
Integer
|
2
|
An integer
|
|
cVPN3000-Primary-DNS
|
String
|
5
|
An IP address
|
|
cVPN3000-Secondary-DNS
|
String
|
6
|
An IP address
|
|
cVPN3000-Primary-WINS
|
String
|
7
|
An IP address
|
|
cVPN3000-Secondary-WINS
|
String
|
8
|
An IP address
|
|
cVPN3000-SEP-Card-Assignment
|
Integer
|
9
|
1 = SEP1
2 = SEP2
3 = SEP3
4 = SEP4
15 = Any SEP
|
|
cVPN3000-Tunneling-Protocols
|
Integer
|
11
|
1 = PPTP
2 = L2TP
3 = PPTP and L2TP
4 = IPSec
5 = PPTP and IPSec
6 = L2TP and IPSec
7 = PPTP-L2TP-IPSec
8 = L2TP/IPSec
9 = PPTP and L2TP/IPSec
10 = L2TP and L2TP/IPSec
11 = PPTP-L2TP-L2TP/IPSec
|
|
cVPN3000-IPSec-Sec-Association
|
String
|
12
|
An octet string
|
|
cVPN3000-IPSec-Authentication
|
Integer
|
13
|
0 = None
1 = RADIUS
3 = NT Domain
4 = SDI
5 = Internal
6 = RADIUS with Expiry
7 = Kerberos/Active Directory
|
|
cVPN3000-IPSec-Banner1
|
String
|
15
|
An octet string
|
|
cVPN3000-IPSec-Allow-Passwd-Store
|
Boolean
|
16
|
TRUE = Allow
FALSE = Disallow
|
|
cVPN3000-Use-Client-Address
|
Boolean
|
17
|
TRUE = Allow
FALSE = Disallow
|
|
cVPN3000-PPTP-Encryption
|
Integer
|
20
|
2 = 40 bits
3 = 40-Encryption-Req
4 = 128 bits
5 = 128-Encryption-Req
6 = 40 or 128
7 = 40 or 128 Encryption-Req
10 = 40 Stateless-Req
11 = Enc/Stateless-Req
12 = 128 Stateless-Req
13 = 128 Enc/Stateless-req
14 = 40/128-Stateless-Req
15 = 40/128-Enc/Stateless-Req
|
|
cVPN3000-L2TP-Encryption
|
Integer
|
21
|
2 = 40 bit
3 = 40-Encryption-Req
4 = 128 bits
5 = 128-Encr-Req
6 = 40 or 128
7 = 40 or 128-Encr-Req
10 = 40-Stateless-Req
11 = Encr/Stateless-Req
12 = 128-Stateless-Req
13 = 128-EncrStateless-Req
14 = 40/128-Stateless-Req
15 = 40/128-Encr/Stateless-Req
|
|
cVPN3000-IPSec-Split-Tunnel-List
|
String
|
27
|
An octet string
|
|
cVPN3000-IPSec-Default-Domain
|
String
|
28
|
An octet string
|
|
cVPN3000-IPSec-Split-DNS-Names
|
String
|
29
|
An octet string
|
|
cVPN3000-IPSec-Tunnel-Type
|
Integer
|
30
|
1 = LAN-to-LAN
2 = Remote access
|
|
cVPN3000-IPSec-Mode-Config
|
Boolean
|
31
|
TRUE = On
FALSE = Off
|
|
cVPN3000-IPSec-User-Group-Lock
|
Boolean
|
33
|
TRUE = On
FALSE = Off
|
|
cVPN3000-IPSec-Over-UDP
|
Boolean
|
34
|
TRUE = On
FALSE = Off
|
|
cVPN3000-IPSec-Over-UDP-Port
|
Integer
|
35
|
An integer
|
|
cVPN3000-IPSec-Banner2
|
String
|
36
|
An octet string
|
|
cVPN3000-PPTP-MPPC-Compression
|
Integer
|
37
|
1 = ON
2 = OFF
|
|
cVPN3000-L2TP=MPPC-Compression
|
Integer
|
38
|
0 = ON
1 = OFF
|
|
cVPN3000-IPSec-IP-Compression
|
Integer
|
39
|
0 = None
1 = LZS
|
|
cVPN3000-IPSec-IKE-Peer-ID-Check
|
Integer
|
40
|
1 = Required
2 = If supported by certificate
3 = Do not check
|
|
cVPN3000-IKE-Keep-Alives
|
Boolean
|
41
|
TRUE = On
FALSE = Off
|
|
cVPN3000-IPSec-Auth-On-Rekey
|
Boolean
|
42
|
TRUE = On
FALSE = Off
|
|
cVPN3000-Required-Client- Firewall-Vendor-Code
|
Integer
|
45
|
An integer
|
|
cVPN3000-Required-Client-Firewall-Product-Code
|
Integer
|
46
|
An integer
|
|
cVPN3000-Required-Client-Firewall-Description
|
String
|
47
|
An octet string
|
|
cVPN3000-Require-HW-Client-Auth
|
Boolean
|
48
|
TRUE = On
FALSE = Off
|
|
cVPN3000-Required-Individual-User-Auth
|
Integer
|
49
|
An integer
|
|
cVPN3000-Authenticated-User-Idle-Timeout
|
Integer
|
50
|
An integer
|
|
cVPN3000-Cisco-IP-Phone-Bypass
|
Integer
|
51
|
2 = Enabled
3 = Disabled
|
|
cVPN3000-IPSec-Split-Tunneling-Policy
|
Integer
|
55
|
0 = Tunnel everything
1 = Only tunnel networks in list
2 = Policy Pushed CPP
4 = Policy from server
|
|
cVPN3000-IPSec-Required-Client-Firewall-Capability
|
Integer
|
56
|
0 = None
1 = Policy defined by remote FW AYT
2 = Policy pushed CPP
4 = Policy from server
|
|
cVPN3000-IPSec-Client-Firewall-Filter-Name
|
String
|
57
|
An octet
|
|
cVPN3000-IPSec-Client-Firewall-Filter-Optional
|
Integer
|
58
|
0 = Required
1 = Optional
|
|
cVPN3000-IPSec-Backup-Servers
|
String
|
59
|
1 = Use Client-Configured list
2 = Disabled and clear client list
3 = Use Backup Server list
|
|
cVPN3000-IPSec-Backup-Server-List
|
String
|
60
|
An octet string
|
|
cVPN3000-Intercept-DHCP-Configure-Msg
|
Boolean
|
62
|
TRUE = Yes
FALSE = No
|
|
cVPN3000--MS-Client-Subnet-Mask
|
Boolean
|
63
|
An IP address
|
|
cVPN3000-Allow-Network-Extension-Mode
|
Boolean
|
64
|
TRUE = Yes
FALSE = No
|
|
cVPN3000-Strip-Realm
|
Boolean
|
135
|
TRUE = On
FALSE = Off
|
|
cVPN3000-Confidence-Interval
|
Integer
|
68
|
An integer
|
|
cVPN3000-Cisco-LEAP-Bypass
|
Integer
|
75
|
An integer
|
|
