The VPN Concentrator allows you to define remote access user filters on an external RADIUS server, such as Cisco Secure ACS, rather than on the VPN Concentrator. Using an external RADIUS server allows centralized filter management and greater scalability. Also, configuring filters in this way allows you to assign filters to a particular tunnel group or a particular user.
These filters are called dynamic filters because they remain in place only for the duration of the session to which they apply. When a user authenticates via RADIUS, the VPN Concentrator downloads the filter associated with the user and applies it for the duration of the connection. When the connection finishes, the filter drops.
You configure this feature on the RADIUS server, not on the VPN Concentrator. (The filters you configure on the VPN Concentrator are static.) For guidelines on configuring your external RADIUS server to interoperate with the VPN Concentrator, see Configuring Dynamic Filters on a RADIUS Server.
You can configure a dynamic filter on either a user or a group. If both user dynamic filters and group dynamic filters apply to a single connection, the user filters take precedence. If both dynamic filters and static filters apply to the same connection, the dynamic filters take precedence. The order of precedence is:
1. A dynamic user filter
2. A dynamic group filter
3. A static user filter
4. A static group filter
Tip If you encounter problems using this feature, debug by tracking the FILTERDBG event class. Track events with severity level 6 if you are concerned about filter syntax errors; the error log shows how the VPN Concentrator parses the filter. To view the actual filtering, track events with severity level 9; in this case, be sure to define the filter using the keyword "log".
This screen displays the dynamic filters currently in use governing remote access sessions on the VPN Concentrator.
Figure 13-1 Monitoring | Dynamic Filters Screen
Dynamic Filters
This list shows the unique dynamic filters currently in use on the VPN Concentrator. Select a filter to view its associated rules in the text box below.
A unique identifier for the AV pair. For example: ip:inacl#1=. This field only appears when the filter has been sent as an AV pair.
Action
Action to perform if rule matches: deny, permit.
Protocol
Number or name of an IP protocol. Either an integer in the range 0-255 or one of the following keywords: icmp, igmp, ip, tcp, udp.
Source
Network or host from which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the source wildcard mask must follow.
Source Wildcard Mask
The wildcard mask to be applied to the source address.
Destination
Network or host to which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the destination wildcard mask must follow.
Destination Wildcard Mask
The wildcard mask to be applied to the destination address.
Log
Generates a FILTER log message. You must use this keyword to generate events of severity level 9.
Operator
Logic operators: greater than, less than, equal to, not equal to.
Port
The number of a TCP or UDP port: in the range 0-65535.
Configuring Dynamic Filters on a RADIUS Server
You can configure dynamic filters on any RADIUS server by using the Cisco vendor-specific RADIUS attribute (26/9/1) AV-Pair to define and transmit attribute/value pairs. In configuring the feature, refer to Table 13-1 for a list of tokens the VPN Concentrator supports.
For more information, see the documentation for your particular server.
Table 13-1 VPN Concentrator-Supported Tokens

Token           Syntax Field       Description
ip:inacl#Num=   N/A (Identifier)   Starts all AV pair access control lists. (Num is a unique integer.)
deny            Action             Denies action. (Default.)
permit          Action             Allows action.
icmp            Protocol           Internet Control Message Protocol (ICMP)
1               Protocol           Internet Control Message Protocol (ICMP)
IP              Protocol           Internet Protocol (IP)
0               Protocol           Internet Protocol (IP)
TCP             Protocol           Transmission Control Protocol (TCP)
6               Protocol           Transmission Control Protocol (TCP)
UDP             Protocol           User Datagram Protocol (UDP)
17              Protocol           User Datagram Protocol (UDP)
any             Hostname           Rule applies to any host.
host            Hostname           Any alphanumeric string that denotes a hostname.
log             Log                When the rule is hit, a filter log message appears. (Same as permit and log or deny and log.)
lt              Operator           Less than value
gt              Operator           Greater than value
eq              Operator           Equal to value
neq             Operator           Not equal to value
range           Operator           Inclusive range. Should be followed by two values.
Cisco Secure ACS
To configure dynamic filters in Cisco Secure ACS, use either of the following screens:
The Cisco IOS/PIX RADIUS Attributes screen
The Downloadable PIX ACLs screen
Cisco IOS/PIX RADIUS Attributes Screen
On the Cisco IOS/PIX RADIUS Attributes screen, enter the filter in the cisco-av-pair text box. Include the Access List Number. (See Figure 13-2.) For example:
ip:inacl#1=permit ip 90.153.0.0 0.0.255.255 host 100.158.9.1
ip:inacl#2=permit ip 90.154.0.0 0.0.255.255 100.158.10.0 0.0.0.255
ip:inacl#3=permit 0 any host 100.159.1.22
ip:inacl#4=deny ip 90.155.10.0 0.0.0.255 100.159.2.0 0.0.0.255 log
ip:inacl#5=permit TCP any host 100.160.0.1 eq 80 log
ip:inacl#6=permit TCP any host 100.160.0.2 eq 23 log
ip:inacl#7=permit TCP any host 100.160.0.3 range 20 30
ip:inacl#8=permit 6 any host HOSTNAME1
ip:inacl#9=permit UDP any host HOSTNAME2 neq 53
ip:inacl#10=deny 17 any host HOSTNAME3 lt 137 log
ip:inacl#11=deny 17 any host HOSTNAME4 gt 138
ip:inacl#12=deny ICMP any 100.161.0.0 0.0.255.255 log
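As an added worked example (not part of the Cisco documentation or the VPN Concentrator's own code), the checker below parses ip:inacl#Num= AV pairs using only the tokens of Table 13-1, rejects filters that reuse a Num, and then evaluates a packet against the parsed rules with Cisco wildcard-mask matching. It assumes first-match evaluation with a final default deny and compares hostname targets literally; the concentrator's own hostname resolution is not modelled.

```python
import ipaddress

PROTOCOLS = {"ip": 0, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}  # Table 13-1 protocol keywords
OPERATORS = {"lt": 1, "gt": 1, "eq": 1, "neq": 1, "range": 2}      # operator -> number of port operands

def _endpoint(tok):  # consume 'any', 'host X' or 'ADDR WILDCARD'; return (match function, remaining tokens)
    if tok[0] == "any":
        return (lambda a: True), tok[1:]
    net, wild, rest = (tok[1], "0.0.0.0", tok[2:]) if tok[0] == "host" else (tok[0], tok[1], tok[2:])
    try:
        n, w = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))
    except ipaddress.AddressValueError:
        return (lambda a: a == net), rest  # 'host HOSTNAME': literal name compare (assumption)
    # Cisco wildcard mask: a set bit means "don't care", so only the cleared bits need to agree;
    # a non-numeric packet address (a hostname) can never match an address/wildcard rule
    return (lambda a: a.replace(".", "").isdigit()
            and (int(ipaddress.IPv4Address(a)) ^ n) & ~w & 0xFFFFFFFF == 0), rest

def parse_rule(line):  # one ip:inacl#Num= AV pair -> dict, rejecting tokens Table 13-1 does not list
    head, _, body = line.strip().partition("=")
    if not head.startswith("ip:inacl#") or not head[9:].isdigit():
        raise ValueError("not an ip:inacl#Num= AV pair: " + line)
    num, (action, proto, *tok) = int(head[9:]), body.split()
    pnum = PROTOCOLS.get(proto.lower(), int(proto) if proto.isdigit() else -1)
    if action.lower() not in ("permit", "deny") or not 0 <= pnum <= 255:
        raise ValueError("bad action or protocol: " + line)
    src, tok = _endpoint(tok)
    dst, tok = _endpoint(tok)
    log = tok[-1:] == ["log"] and tok.pop() == "log"  # trailing log keyword, stripped once noted
    op, *ports = tok or [None]
    if op and (op not in OPERATORS or pnum not in (6, 17) or len(ports) != OPERATORS[op]
               or not all(p.isdigit() and int(p) <= 65535 for p in ports)):  # port clauses need tcp/udp
        raise ValueError("bad port clause: " + line)
    return {"num": num, "action": action.lower(), "proto": pnum, "src": src, "dst": dst,
            "op": op, "ports": [int(p) for p in ports], "log": log}

def parse_acl(lines):  # a whole downloaded filter; every Num must be unique (Table 13-1)
    rules = [parse_rule(line) for line in lines]
    if len({r["num"] for r in rules}) != len(rules):
        raise ValueError("duplicate ip:inacl#Num in filter")
    return rules

def evaluate(rules, proto, src, dst, port=None):  # first matching rule wins; no match -> default deny
    for r in rules:
        op, p = r["op"], r["ports"]
        if r["proto"] in (0, proto) and r["src"](src) and r["dst"](dst) and (not op or (
                port is not None and {"lt": port < p[0], "gt": port > p[0], "eq": port == p[0],
                                      "neq": port != p[0], "range": p[0] <= port <= p[-1]}[op])):
            return r["action"], r["log"]
    return "deny", False
```

Run it over the ACS example above: parse_acl() accepts the renumbered list, and evaluate(rules, 6, "10.0.0.5", "100.160.0.1", 80) returns ("permit", True) from the eq 80 log rule.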