GroupStudy.com - A virtual community of network engineers
RE: Questions on ACS 3.2 [7:96486] posted 01/30/2005


ACS gives you a more finite level of access for the user.  

Per user/group:
The following VPN 3000 RADIUS options can be passed via ACS:
[026/3076/001] CVPN3000-Access-Hours 
[026/3076/002] CVPN3000-Simultaneous-Logins 
[026/3076/005] CVPN3000-Primary-DNS 
[026/3076/006] CVPN3000-Secondary-DNS 
[026/3076/007] CVPN3000-Primary-WINS 
[026/3076/008] CVPN3000-Secondary-WINS 
[026/3076/009] CVPN3000-SEP-Card-Assignment 
[026/3076/011] CVPN3000-Tunneling-Protocols 
[026/3076/012] CVPN3000-IPSec-Sec-Association 
[026/3076/013] CVPN3000-IPSec-Authentication 
[026/3076/015] CVPN3000-IPSec-Banner1 
[026/3076/016] CVPN3000-IPSec-Allow-Passwd-Store 
[026/3076/017] CVPN3000-Use-Client-Address 
[026/3076/020] CVPN3000-PPTP-Encryption 
[026/3076/021] CVPN3000-L2TP-Encryption 
[026/3076/027] CVPN3000-IPSec-Split-Tunnel-List 
[026/3076/028] CVPN3000-IPSec-Default-Domain 
[026/3076/029] CVPN3000-IPSec-Split-DNS-Names 
[026/3076/030] CVPN3000-IPSec-Tunnel-Type 
[026/3076/031] CVPN3000-IPSec-Mode-Config 
[026/3076/033] CVPN3000-IPSec-User-Group-Lock 
[026/3076/034] CVPN3000-IPSec-Over-UDP 
[026/3076/035] CVPN3000-IPSec-Over-UDP-Port 
[026/3076/036] CVPN3000-IPSec-Banner2 
[026/3076/037] CVPN3000-PPTP-MPPC-Compression 
[026/3076/038] CVPN3000-L2TP-MPPC-Compression 
[026/3076/039] CVPN3000-IPSec-IP-Compression 
[026/3076/040] CVPN3000-IPSec-IKE-Peer-ID-Check 
[026/3076/041] CVPN3000-IKE-Keep-Alives 
[026/3076/042] CVPN3000-IPSec-Auth-On-Rekey 
[026/3076/045] CVPN3000-Required-Client-Firewall-Vendor-Code 
[026/3076/046] CVPN3000-Required-Client-Firewall-Product-Code 
[026/3076/047] CVPN3000-Required-Client-Firewall-Description 
[026/3076/048] CVPN3000-Require-HW-Client-Auth 
[026/3076/049] CVPN3000-Require-Individual-User-Auth 
[026/3076/050] CVPN3000-Authenticated-User-Idle-Timeout 
[026/3076/051] CVPN3000-Cisco-IP-Phone-Bypass 
[026/3076/055] CVPN3000-IPSec-Split-Tunneling-Policy 
[026/3076/056] CVPN3000-IPSec-Required-Client-Firewall-Capability 
[026/3076/057] CVPN3000-IPSec-Client-Firewall-Filter-Name 
[026/3076/058] CVPN3000-IPSec-Client-Firewall-Filter-Optional 
[026/3076/059] CVPN3000-IPSec-Backup-Servers 
[026/3076/060] CVPN3000-IPSec-Backup-Server-List 
[026/3076/061] CVPN3000-DHCP-Network-Scope 
[026/3076/062] CVPN3000-MS-Client-Intercept-DHCP-Configure-Message 
[026/3076/063] CVPN3000-MS-Client-Subnet-Mask 
[026/3076/064] CVPN3000-Allow-Network-Extension-Mode 
[026/3076/065] CVPN3000-Authorization-Type 
[026/3076/066] CVPN3000-Authorization-Required 
[026/3076/067] CVPN3000-DN-Field 
[026/3076/068] CVPN3000-Confidence-Interval 
[026/3076/069] CVPN3000-WebVPN-Content-Filter-Parameters 
[026/3076/070] CVPN3000-WebVPN-Enable-Functions 
[026/3076/074] CVPN3000-WebVPN-Exchange-Server-Address 
[026/3076/075] CVPN3000-Cisco-LEAP-Bypass 
[026/3076/077] CVPN3000-Client-Type-Version-Limiting 
[026/3076/078] CVPN3000-WebVPN-Exchange-Server-NETBIOS-Name 
[026/3076/079] CVPN3000-WebVPN-Port-Forwarding-Name 
[026/3076/135] CVPN3000-Strip-Realm
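As an added example (not part of the original post), the Python below parses `[026/3076/NNN] Name` entries like the list above into a lookup table, then encodes and decodes the RFC 2865 Vendor-Specific attribute (type 26, vendor ID 3076) that carries a VPN 3000 sub-attribute on the wire, rejecting a malformed TLV length instead of mis-reading it. The two sample lines and the 4-byte integer value width are constructed assumptions, not something the post specifies.

```python
import re
import struct

# Vendor-Specific is RADIUS attribute 26 (RFC 2865 sec. 5.26); 3076 is the
# Altiga/Cisco VPN 3000 vendor ID seen in every [026/3076/NNN] entry above.
VSA_TYPE = 26
VPN3000_VENDOR_ID = 3076

# Constructed sample: two entries copied in the format the post uses.
SAMPLE = """[026/3076/002] CVPN3000-Simultaneous-Logins
[026/3076/055] CVPN3000-IPSec-Split-Tunneling-Policy"""

ATTR_LINE = re.compile(r"^\[(\d{3})/(\d+)/(\d{3})\]\s+(\S+)\s*$")


def parse_attr_lines(text):
    """Map sub-attribute number -> name for vendor 3076 entries in ACS-style lines."""
    table = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m and int(m.group(1)) == VSA_TYPE and int(m.group(2)) == VPN3000_VENDOR_ID:
            table[int(m.group(3))] = m.group(4)
    return table


def encode_vsa(sub_type, value):
    """Build one Vendor-Specific attribute holding a single VPN 3000 sub-attribute.
    Assumption: integers are 4-byte big-endian, strings are raw octets."""
    payload = struct.pack(">I", value) if isinstance(value, int) else (
        value.encode() if isinstance(value, str) else bytes(value))
    sub = struct.pack(">BB", sub_type, 2 + len(payload)) + payload
    body = struct.pack(">I", VPN3000_VENDOR_ID) + sub
    if 2 + len(body) > 255:            # RADIUS attribute length is a single octet
        raise ValueError("VSA too long for one RADIUS attribute")
    return struct.pack(">BB", VSA_TYPE, 2 + len(body)) + body


def decode_vsa(data, table):
    """Return [(name, raw_value), ...] for vendor 3076; raise on malformed lengths."""
    attr_type, length = data[0], data[1]
    if attr_type != VSA_TYPE or length != len(data) or length < 8:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if struct.unpack(">I", data[2:6])[0] != VPN3000_VENDOR_ID:
        return []                      # some other vendor's VSA; not ours to interpret
    out, pos = [], 6
    while pos < length:
        sub_type, sub_len = data[pos], data[pos + 1]
        if sub_len < 2 or pos + sub_len > length:   # truncated or overlong sub-TLV
            raise ValueError("bad sub-attribute length")
        out.append((table.get(sub_type, f"Unknown-{sub_type}"), data[pos + 2:pos + sub_len]))
        pos += sub_len
    return out
```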

And the following, not specific to the VPN 3000:
Per-user TACACS+/RADIUS Attributes 
User-Level Shared Network Access Restrictions 
User-Level Network Access Restrictions 
User-Level Downloadable ACLs 
Default Time-of-Day / Day-of-Week Specification 
Group-Level Shared Network Access Restrictions 
Group-Level Network Access Restrictions 
Group-Level Downloadable ACLs 
Group-Level Password Aging 
Network Access Filtering 
Max Sessions 
Usage Quotas 
Distributed System Settings 
Remote Logging 
CiscoSecure ACS Database Replication 
RDBMS Synchronization 
IP Pools 
Network Device Groups 
Voice-over-IP (VoIP) Group Settings 
Voice-over-IP (VoIP) Accounting Configuration 
ODBC Logging

Joseph Brunner wrote:
> 
> I think RADIUS is a security risk...
> 
> Can the ACS do at least CHAP V2 or EAP to the AD server?
> 
> I was testing the other day, and I ruled out RADIUS from 3030
> to AD server, because it only works with PAP (clear text).
> 3030 direct to AD server is better with Kerberos; why bother
> with ACS, anyone?

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=96573&t=96486
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html