VPN with PIX Firewall and MS AAA Server
Archived text-only version of a Radius Server newsgroup thread, January 2004.

James:
I'm not sure if this is the right newsgroup for this but
here goes. We're trying to set up a VPN using a PIX 515E
and authenticating to an AAA server, which is our Win2k
server. Users are able to VPN and authenticate against our
AD; however, there are no restrictions imposed on their
network activity. On the Win2k IAS server, we have
configured a RAS policy to limit activity to telnet to one
specific IP address, but it doesn't seem to be applied.
What are we doing wrong? Any help would be greatly
appreciated, as I've beaten myself up over this problem for
the last 2 weeks.
TIA
James

Ashwin Palekar (MS), 2004-01-24, 2:02 am:
Have you configured the RAS policy with the Cisco AV-Pair attribute (on remote
access policy -> Advanced tab) to limit activity?
Do you have more than one remote access policy? If yes, does the IAS event
show that the right remote access policy is being used?
--
This posting is provided "AS IS" with no warranties and confers no rights
James:
Yes, the ISA event log shows the right policy being
applied; however, I'm not sure what I need to configure on
the Cisco AV-Pair attribute, specifically the attribute
values.
Ashwin Palekar (MS), 2004-01-24, 2:02 am:
The Cisco AV-pair can be used to specify dynamic ACLs limiting users to certain
ports and IP address ranges. The syntax is like this:
cisco-avpair = "ip:inacl#5=permit ip any 202.47.132.0 0.0.0.255"
cisco-avpair = "ip:inacl#99=deny ip any any"
The exact syntax for the Cisco AV-Pair is documented on Cisco's web site.
These are instructions on how to enter a Cisco AV-Pair in IAS. Please make sure
you have the latest Service Pack.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_ias_vsa_sample_cisco.asp
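As an added example (not code from the thread, from Cisco or from Microsoft), the following Python checker parses AV-pair values of the ip:inacl#N=... form Ashwin shows, assembles them in sequence-number order, and evaluates sample flows first-match with the implicit deny at the end. It lets you confirm what a set of attribute values will actually allow before typing them into the IAS remote access policy, which is the kind of check that would have shown why the original policy was not restricting anything. Assumptions: only a subset of the ACE grammar is supported (permit/deny; ip/tcp/udp; any, host A.B.C.D, or A.B.C.D wildcard; optional eq port), the telnet-to-one-host ACL is constructed to mirror James's goal, and the client address 10.0.0.5 and target 192.0.2.10 are placeholders.

```python
"""Constructed checker for Cisco AV-pair downloadable ACLs (added example).

Parses ``ip:inacl#<seq>=<ace>`` values, orders them by <seq> (which, not
the order you enter them, decides precedence on the Cisco side), and
evaluates flows first-match with the implicit deny every Cisco ACL ends in.
Supported ACE subset: permit|deny ip|tcp|udp <src> <dst> [eq <port>], with
<src>/<dst> as ``any``, ``host A.B.C.D`` or ``A.B.C.D WILDCARD``.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

AVPAIR_RE = re.compile(r'^ip:inacl#(\d+)=(.+)$')


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # destination port for tcp/udp "eq <port>", else None


def _parse_addr(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == 'any':
        return ipaddress.ip_network('0.0.0.0/0'), tokens[1:]
    if tokens[0] == 'host':
        return ipaddress.ip_network(tokens[1] + '/32'), tokens[2:]
    # Cisco wildcard masks are inverted netmasks; contiguous masks only here.
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f'{addr}/{netmask}', strict=False), tokens[2:]


def parse_avpair(value: str) -> Ace:
    """Accept either the bare value or the 'cisco-avpair = "..."' form."""
    v = value.strip()
    if v.lower().startswith('cisco-avpair'):
        v = v.split('=', 1)[1].strip()
    m = AVPAIR_RE.match(v.strip('"'))
    if not m:
        raise ValueError(f'not an ip:inacl AV-pair: {value!r}')
    seq, ace = int(m.group(1)), m.group(2).split()
    action, proto = ace[0], ace[1]
    if action not in ('permit', 'deny') or proto not in ('ip', 'tcp', 'udp'):
        raise ValueError(f'unsupported ACE: {value!r}')
    src, rest = _parse_addr(ace[2:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ['eq'] else None
    return Ace(seq, action, proto, src, dst, dport)


def build_acl(avpairs) -> List[Ace]:
    """Sort by the #N sequence number, independent of the order given."""
    return sorted((parse_avpair(v) for v in avpairs), key=lambda a: a.seq)


def evaluate(acl, src, dst, proto, dport=None) -> str:
    """First matching ACE wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != 'ip' and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return 'deny'


# Constructed values mirroring the thread: allow telnet (tcp/23) to one host,
# deny everything else. 192.0.2.10 is a documentation-range placeholder.
TELNET_ONLY = [
    'cisco-avpair = "ip:inacl#10=permit tcp any host 192.0.2.10 eq 23"',
    'cisco-avpair = "ip:inacl#99=deny ip any any"',
]

# The thread's own two lines, deliberately given in reverse order to show
# that the #N sequence number, not entry order, determines precedence.
THREAD_EXAMPLE = [
    'cisco-avpair = "ip:inacl#99=deny ip any any"',
    'cisco-avpair = "ip:inacl#5=permit ip any 202.47.132.0 0.0.0.255"',
]


def check_telnet_only_policy():
    acl = build_acl(TELNET_ONLY)
    return {
        'telnet_to_target': evaluate(acl, '10.0.0.5', '192.0.2.10', 'tcp', 23),
        'ssh_to_target': evaluate(acl, '10.0.0.5', '192.0.2.10', 'tcp', 22),
        'telnet_elsewhere': evaluate(acl, '10.0.0.5', '192.0.2.11', 'tcp', 23),
    }


if __name__ == '__main__':
    print(check_telnet_only_policy())
```

In IAS the value goes into the Cisco vendor-specific attribute (vendor ID 9, attribute 1, cisco-avpair), one attribute instance per line; if the checker says a flow is permitted that you expected to be blocked, the fix is in the values, not in the PIX.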
James:
Thank you, that was the problem.