Try using the VSA "rad-serv-vrf"
on ipsec - make sure you use dynamic fi
On Sat, Oct 30, 2010 at 2:18 AM, Marcin Zgola <MZgola_at_netrixllc.com> wrote:
> I have set up VPN access to PE routers to manage different VRFs, and it works
> great. Here is my question.
>
> I have to have one ISAKMP profile per VRF, and with 3 VRFs it is pretty
> straightforward, but what if the number of VRFs increases? Can I have VRF
> assignment controlled by the ACS server?
>
> Part of my config which works:
>
> I need "vrf N-IPT" to be sent from ACS as a RADIUS attribute. Let's say I
> would have different usernames that will have access to different VRFs. When
> the Cisco VPN client connects, different VRF access will be granted based on
> the username entered.
>
> Any ideas???
>
> crypto isakmp profile N-IPT-VPN
>  vrf N-IPT
>  self-identity address
>  match identity group N-IPT-VPN
>  match identity group N-IPT-MGMT
>  client authentication list VPN-N-IPT
>  isakmp authorization list VPN-N-IPT
>  client configuration address initiate
>  client configuration address respond
>  keepalive 10 retry 3
>  local-address Loopback0
>
> Marcin Zgola
> Internetwork Lead
> CCIE #18676
> Netrix, LLC
> http://www.netrixllc.com
> Ph. 847-964-5300
> Fax.: 847-964-5350
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Sat Oct 30 2010 - 23:37:45 ART
This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART