Forgot to paste the link:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftvrfaaa.html#wp1049798
On Sat, Oct 30, 2010 at 11:37 PM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:
> Try using vsa -"rad-serv-vrf"
> on ipsec - make sure you use dynamic fi
>
>
> On Sat, Oct 30, 2010 at 2:18 AM, Marcin Zgola <MZgola_at_netrixllc.com> wrote:
>
>> I have set up VPN access to PE routers to manage different VRFs, and it
>> works great. Here is my question.
>>
>> I have to have one isakmp profile per VRF, and with 3 VRFs it is pretty
>> straightforward, but what if the number of VRFs increases? Can I have VRF
>> assignment controlled by the ACS server?
>>
>> Part of my config which works:
>>
>> I need "vrf N-IPT" to be sent from ACS as a RADIUS attribute. Let's say I
>> would have different usernames that will have access to different VRFs.
>> When the Cisco VPN client connects, based on the username entered,
>> different VRF access will be granted.
>>
>> Any ideas???
>>
>> crypto isakmp profile N-IPT-VPN
>>  vrf N-IPT
>>  self-identity address
>>  match identity group N-IPT-VPN
>>  match identity group N-IPT-MGMT
>>  client authentication list VPN-N-IPT
>>  isakmp authorization list VPN-N-IPT
>>  client configuration address initiate
>>  client configuration address respond
>>  keepalive 10 retry 3
>>  local-address Loopback0
>>
>> Marcin Zgola
>> Internetwork Lead
>> CCIE #18676
>> Netrix, LLC
>> http://www.netrixllc.com
>> Ph. 847-964-5300
>> Fax.: 847-964-5350
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Oct 31 2010 - 00:14:52 ART