
Table of Contents

Configuring an External Server for VPN Concentrator User Authorization
Configuring an External LDAP Server
Configuring an External RADIUS Server

Configuring an External Server for VPN Concentrator User Authorization


The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.

If you are configuring an LDAP server, see "Configuring an External LDAP Server."

If you are configuring a RADIUS server, skip ahead to "Configuring an External RADIUS Server."

Configuring an External LDAP Server


Note   For more information on the LDAP protocol, refer to RFCs 1777, 2251, and 2849.

An LDAP server stores information as entries in a directory. An LDAP schema defines what types of information can be stored in those entries. The schema lists classes and the set of (required and optional) attributes that objects of each class may contain.

To configure your LDAP server to interoperate with the VPN Concentrator, define a VPN Concentrator authorization schema. A VPN Concentrator authorization schema defines the class and attributes of that class that the VPN Concentrator supports. Specifically, it comprises the object class (cVPN3000-User-Authorization) and all its possible attributes that may be used to authorize a VPN Concentrator user (such as access hours, primary DNS, and so on). Each attribute comprises the attribute name, its number (called an object identifier or OID), its type, and its possible values.

Once you have defined the VPN Concentrator authorization schema and loaded it on your server, define the VPN Concentrator attributes and permissions and their respective values for each user who will be authorizing to the server.

In summary, to set up your LDAP server:

The specific steps of these processes vary, depending on which type of LDAP server you are using.

Designing the VPN Concentrator LDAP Schema

Before you actually create your schema, think about how your organization is structured. Your LDAP schema should reflect the logical hierarchy of your organization.

For example, suppose an employee at your company XYZ Corporation is named Joe. Joe works in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a shallow, single-level hierarchy in which Joe is considered a member of XYZ corporation. Or, you could set up a multi-level hierarchy in which Joe is considered to be a member of the department Engineering, which is a member of an organizational unit called People, which is itself a member of XYZ Corporation. See Figure A-1 for an example of this multi-level hierarchy.

A multi-level hierarchy has more granularity, but a single-level hierarchy is quicker to search.


Figure A-1   A Multi-Level LDAP Hierarchy


Searching the Hierarchy

The VPN Concentrator allows you to tailor the search within the LDAP hierarchy. You configure the following three fields on the VPN Concentrator to define where in the LDAP hierarchy your search begins, its extent, and the type of information it is looking for. Together these fields allow you to limit the search of the hierarchy to just the part of the tree that contains the user permissions.

Figure A-1 shows a possible LDAP hierarchy for XYZ Corporation. Given this hierarchy, you could define your search in different ways. Table A-1 shows two possible search configurations.

In the first example configuration, when Joe establishes his IPSec tunnel with LDAP authorization required, the VPN Concentrator sends a search request to the LDAP server indicating it should search for Joe in the Engineering group. This search will be quick.

In the second example configuration, the VPN Concentrator sends a search request indicating the server should search for Joe within XYZ Corporation. This search will take longer.

Table A-1   Example Search Configurations

# | LDAP Base DN | Search Scope | Naming Attribute | Result
1 | group=Engineering,ou=People,dc=XYZCorporation,dc=com | One Level | cn=Joe | Quicker search
2 | dc=XYZCorporation,dc=com | Subtree | cn=Joe | Longer search

Defining the VPN Concentrator LDAP Schema

Once you have decided how to structure your user information in the LDAP hierarchy, define this organization in a schema. To define the schema, begin by defining the object class name. The class name for the VPN Concentrator directory is: cVPN3000-User-Authorization. The class has the object identifier (OID): 1.2.840.113556.1.8000.795.1.1. Every entry or user in the directory is an object of this class.

Some LDAP servers (for example, the Microsoft Active Directory LDAP server) do not allow you to reuse the class OID, once you have defined it. Use the next incremental OID. For example, if you incorrectly defined the class name as "cVPN3000-Usr-Authrizaton" with OID "1.2.840.113556.1.8000.795.1.1," you can enter the correct class name "cVPN3000-User-Authorization" with the next OID, for example: 1.2.840.113556.1.8000.795.1.2.

For the Microsoft Active Directory LDAP server, define the schema in text form in a file using the LDAP Data Interchange Format (LDIF). This file has an extension of .ldif, for example: schema.ldif. Other LDAP servers use graphical user interfaces or script files to define the object class and its attributes.

All schema attributes that the VPN Concentrator supports begin with the letters "cVPN3000"; for example: cVPN3000-Access-Hours. For a complete list of attributes, see Table A-2.

All strings are case-sensitive.

Table A-2   VPN Concentrator Supported LDAP Authorization Schema Attributes

Attribute Name | OID (Object Identifier) | Syntax/Type | Single or Multi-Valued | Possible Values
cVPN3000-Access-Hours | 1.2.840.113556.8000.795.2.1 | String | Single | An octet string
cVPN3000-Simultaneous-Logins | 1.2.840.113556.8000.795.2.2 | Integer | Single | An integer
cVPN3000-Primary-DNS | 1.2.840.113556.8000.795.2.3 | String | Single | An IP address
cVPN3000-Secondary-DNS | 1.2.840.113556.8000.795.2.4 | String | Single | An IP address
cVPN3000-Primary-WINS | 1.2.840.113556.8000.795.2.5 | String | Single | An IP address
cVPN3000-Secondary-WINS | 1.2.840.113556.8000.795.2.6 | String | Single | An IP address
cVPN3000-SEP-Card-Assignment | 1.2.840.113556.8000.795.2.7 | Integer | Single | 1 = SEP1; 2 = SEP2; 3 = SEP3; 4 = SEP4; 15 = Any SEP
cVPN3000-Tunneling-Protocols | 1.2.840.113556.8000.795.2.8 | Integer | Single | 1 = PPTP; 2 = L2TP; 3 = PPTP and L2TP; 4 = IPSec; 5 = PPTP and IPSec; 6 = L2TP and IPSec; 7 = PPTP-L2TP-IPSec; 8 = L2TP/IPSec; 9 = PPTP and L2TP/IPSec; 10 = L2TP and L2TP/IPSec; 11 = PPTP-L2TP-L2TP/IPSec
cVPN3000-IPSec-Sec-Association | 1.2.840.113556.8000.795.2.9 | String | Single | An octet string
cVPN3000-IPSec-Authentication | 1.2.840.113556.8000.795.2.10 | Integer | Single | 0 = None; 1 = RADIUS; 3 = NT Domain; 4 = SDI; 5 = Internal; 6 = RADIUS with Expiry; 7 = Kerberos/Active Directory
cVPN3000-IPSec-Banner1 | 1.2.840.113556.8000.795.2.11 | String | Single | An octet string
cVPN3000-IPSec-Allow-Passwd-Store | 1.2.840.113556.8000.795.2.12 | Boolean | Single | TRUE = Allow; FALSE = Disallow
cVPN3000-Use-Client-Address | 1.2.840.113556.8000.795.2.13 | Boolean | Single | TRUE = Allow; FALSE = Disallow
cVPN3000-PPTP-Encryption | 1.2.840.113556.8000.795.2.14 | Integer | Single | 2 = 40 bits; 3 = 40-Encryption-Req; 4 = 128 bits; 5 = 128-Encryption-Req; 6 = 40 or 128; 7 = 40 or 128 Encryption-Req; 10 = 40 Stateless-Req; 11 = Enc/Stateless-Req; 12 = 128 Stateless-Req; 13 = 128 Enc/Stateless-req; 14 = 40/128-Stateless-Req; 15 = 40/128-Enc/Stateless-Req
cVPN3000-L2TP-Encryption | 1.2.840.113556.8000.795.2.15 | Integer | Single | 2 = 40 bit; 3 = 40-Encryption-Req; 4 = 128 bits; 5 = 128-Encr-Req; 6 = 40 or 128; 7 = 40 or 128-Encr-Req; 10 = 40-Stateless-Req; 11 = Encr/Stateless-Req; 12 = 128-Stateless-Req; 13 = 128-EncrStateless-Req; 14 = 40/128-Stateless-Req; 15 = 40/128-Encr/Stateless-Req
cVPN3000-IPSec-Split-Tunnel-List | 1.2.840.113556.8000.795.2.16 | String | Single | An octet string
cVPN3000-IPSec-Default-Domain | 1.2.840.113556.8000.795.2.17 | String | Single | An octet string
cVPN3000-IPSec-Split-DNS-Names | 1.2.840.113556.8000.795.2.18 | String | Single | An octet string
cVPN3000-IPSec-Tunnel-Type | 1.2.840.113556.8000.795.2.19 | Integer | Single | 1 = LAN-to-LAN; 2 = Remote access
cVPN3000-IPSec-Mode-Config | 1.2.840.113556.8000.795.2.20 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-IPSec-User-Group-Lock | 1.2.840.113556.8000.795.2.21 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-IPSec-Over-UDP | 1.2.840.113556.8000.795.2.22 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-IPSec-Over-UDP-Port | 1.2.840.113556.8000.795.2.23 | Integer | Single | An integer
cVPN3000-IPSec-Banner2 | 1.2.840.113556.8000.795.2.24 | String | Single | An octet string
cVPN3000-PPTP-MPPC-Compression | 1.2.840.113556.8000.795.2.25 | Integer | Single | 1 = ON; 2 = OFF
cVPN3000-L2TP-MPPC-Compression | 1.2.840.113556.8000.795.2.26 | Integer | Single | 0 = ON; 1 = OFF
cVPN3000-IPSec-IP-Compression | 1.2.840.113556.8000.795.2.27 | Integer | Single | 0 = None; 1 = LZS
cVPN3000-IPSec-IKE-Peer-ID-Check | 1.2.840.113556.8000.795.2.28 | Integer | Single | 1 = Required; 2 = If supported by certificate; 3 = Do not check
cVPN3000-IKE-Keep-Alives | 1.2.840.113556.8000.795.2.29 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-IPSec-Auth-On-Rekey | 1.2.840.113556.8000.795.2.30 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-Required-Client-Firewall-Vendor-Code | 1.2.840.113556.8000.795.2.31 | Integer | Single | An integer
cVPN3000-Required-Client-Firewall-Product-Code | 1.2.840.113556.8000.795.2.32 | Integer | Single | An integer
cVPN3000-Required-Client-Firewall-Description | 1.2.840.113556.8000.795.2.33 | String | Single | An octet string
cVPN3000-Require-HW-Client-Auth | 1.2.840.113556.8000.795.2.34 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-Require-Individual-User-Auth | 1.2.840.113556.8000.795.2.35 | Integer | Single | An integer
cVPN3000-Authenticated-User-Idle-Timeout | 1.2.840.113556.8000.795.2.36 | Integer | Single | An integer
cVPN3000-Cisco-IP-Phone-Bypass | 1.2.840.113556.8000.795.2.37 | Integer | Single | 2 = Enabled; 3 = Disabled
cVPN3000-IPSec-Split-Tunneling-Policy | 1.2.840.113556.8000.795.2.38 | Integer | Single | 0 = Tunnel everything; 1 = Only tunnel networks in list; 2 = Policy Pushed CPP; 4 = Policy from server
cVPN3000-IPSec-Required-Client-Firewall-Capability | 1.2.840.113556.8000.795.2.39 | Integer | Single | 0 = None; 1 = Policy defined by remote FW AYT; 2 = Policy pushed CPP; 4 = Policy from server
cVPN3000-IPSec-Client-Firewall-Filter-Name | 1.2.840.113556.8000.795.2.40 | String | Single | An octet string
cVPN3000-IPSec-Client-Firewall-Filter-Optional | 1.2.840.113556.8000.795.2.41 | Integer | Single | 0 = Required; 1 = Optional
cVPN3000-IPSec-Backup-Servers | 1.2.840.113556.8000.795.2.42 | String | Single | 1 = Use Client-Configured list; 2 = Disabled and clear client list; 3 = Use Backup Server list
cVPN3000-IPSec-Backup-Server-List | 1.2.840.113556.8000.795.2.43 | String | Single | An octet string
cVPN3000-Client-Intercept-DHCP-Configure-Msg | 1.2.840.113556.8000.795.2.44 | Boolean | Single | TRUE = Yes; FALSE = No
cVPN3000-MS-Client-Subnet-Mask | 1.2.840.113556.8000.795.2.45 | String | Single | An IP address
cVPN3000-Allow-Network-Extension-Mode | 1.2.840.113556.8000.795.2.46 | Boolean | Single | TRUE = Yes; FALSE = No
cVPN3000-Strip-Realm | 1.2.840.113556.8000.795.2.47 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-Cisco-AV-Pair | 1.2.840.113556.8000.795.2.48 | String | Multiple | An octet string in the following format: [Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]. For more information, see "Cisco-AV-Pair Attribute Syntax."
cVPN3000-User-Auth-Server-Name | 1.2.840.113556.8000.795.2.49 | String | Single | An octet string
cVPN3000-User-Auth-Server-Port | 1.2.840.113556.8000.795.2.50 | Integer | Single | An integer
cVPN3000-User-Auth-Server-Secret | 1.2.840.113556.8000.795.2.51 | String | Single | An octet string
cVPN3000-Confidence-Interval | 1.2.840.113556.8000.795.2.52 | Integer | Single | An integer
cVPN3000-Cisco-LEAP-Bypass | 1.2.840.113556.8000.795.2.53 | Integer | Single | An integer
cVPN3000-DHCP-Network-Scope | 1.2.840.113556.8000.795.2.57 | String | Single | An IP address

Cisco-AV-Pair Attribute Syntax

The syntax of each Cisco-AV-Pair rule is as follows:

[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]:

Field | Description
Prefix | A unique identifier for the AV pair. For example: ip:inacl#1=. This field only appears when the filter has been sent as an AV pair.
Action | Action to perform if the rule matches: deny, permit.
Protocol | Number or name of an IP protocol. Either an integer in the range 0-255 or one of the following keywords: icmp, igmp, ip, tcp, udp.
Source | Network or host from which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the source wildcard mask must follow.
Source Wildcard Mask | The wildcard mask to be applied to the source address.
Destination | Network or host to which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the destination wildcard mask must follow.
Destination Wildcard Mask | The wildcard mask to be applied to the destination address.
Log | Generates a FILTER log message. You must use this keyword to generate events of severity level 9.
Operator | Logic operators: greater than, less than, equal to, not equal to.
Port | The number of a TCP or UDP port, in the range 0-65535.

For example:

ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log 
ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log 

The following chart lists the tokens for the Cisco-AV-Pair attribute:

Table A-3   VPN Concentrator-Supported Tokens

Token | Syntax Field | Description
ip:inacl#Num= | N/A (Identifier) | Starts all AV pair access control lists. (Num is a unique integer.)
deny | Action | Denies action. (Default.)
permit | Action | Allows action.
icmp | Protocol | Internet Control Message Protocol (ICMP)
1 | Protocol | Internet Control Message Protocol (ICMP)
IP | Protocol | Internet Protocol (IP)
0 | Protocol | Internet Protocol (IP)
TCP | Protocol | Transmission Control Protocol (TCP)
6 | Protocol | Transmission Control Protocol (TCP)
UDP | Protocol | User Datagram Protocol (UDP)
17 | Protocol | User Datagram Protocol (UDP)
any | Hostname | Rule applies to any host.
host | Hostname | Any alpha-numeric string that denotes a hostname.
log | Log | When the event is hit, a filter log message appears. (Same as permit and log or deny and log.)
lt | Operator | Less than value
gt | Operator | Greater than value
eq | Operator | Equal to value
neq | Operator | Not equal to value
range | Operator | Inclusive range. Should be followed by two values.
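The following Python validator is an added example, not Cisco's code: it parses Cisco-AV-Pair rules in the syntax described above (including the two rules shown earlier) into a dict and rejects rules that break the field rules in the tables, such as an unknown protocol, an IP address without its wildcard mask, or a port operator on a rule that is not TCP or UDP. It goes beyond the page's examples by accepting the trailing fields in any order; the Established field, which the page lists but does not describe, is not parsed, and the igmp number (2) is the IANA value rather than one given on the page.

```python
import ipaddress
import re

# Protocol keywords allowed in the Protocol field, mapped to IP protocol numbers
# (ip, icmp, tcp and udp from Table A-3; igmp = 2 is the IANA assignment).
PROTOCOL_KEYWORDS = {"ip": 0, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}
# Port operators and how many port values each one consumes.
OPERATORS = {"lt": 1, "gt": 1, "eq": 1, "neq": 1, "range": 2}
PREFIX_RE = re.compile(r"^ip:inacl#(\d+)=")


class AvPairError(ValueError):
    """Raised when a rule does not follow the documented AV-pair syntax."""


def _ipv4(tok, what):
    try:
        return str(ipaddress.IPv4Address(tok))
    except ValueError:
        raise AvPairError(f"bad {what} {tok!r}") from None


def _take_endpoint(tokens, what):
    """Consume 'any', 'host <addr-or-name>' or '<addr> <wildcard>'; return (addr, wildcard)."""
    if not tokens:
        raise AvPairError(f"missing {what}")
    tok = tokens.pop(0)
    if tok.lower() == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok.lower() == "host":
        if not tokens:
            raise AvPairError(f"'host' needs a {what} address or hostname")
        return tokens.pop(0), "0.0.0.0"
    addr = _ipv4(tok, f"{what} address")
    if not tokens:
        raise AvPairError(f"{what} IP address must be followed by a wildcard mask")
    return addr, _ipv4(tokens.pop(0), f"{what} wildcard mask")


def parse_av_pair(rule):
    """Parse one Cisco-AV-Pair rule into a dict; raise AvPairError on any syntax problem."""
    rule, seq = rule.strip(), None
    m = PREFIX_RE.match(rule)
    if m:  # the prefix is present only when the filter is sent as an AV pair
        seq, rule = int(m.group(1)), rule[m.end():]
    tokens = rule.split()
    if len(tokens) < 2:
        raise AvPairError("rule needs at least an action and a protocol")
    action = tokens.pop(0).lower()
    if action not in ("permit", "deny"):
        raise AvPairError(f"action must be permit or deny, got {action!r}")
    proto = tokens.pop(0).lower()
    if proto in PROTOCOL_KEYWORDS:
        protocol = PROTOCOL_KEYWORDS[proto]
    elif proto.isdigit() and int(proto) <= 255:
        protocol = int(proto)
    else:
        raise AvPairError(f"protocol must be 0-255 or a keyword, got {proto!r}")
    src, src_wild = _take_endpoint(tokens, "source")
    dst, dst_wild = _take_endpoint(tokens, "destination")
    r = {"seq": seq, "action": action, "protocol": protocol, "src": src, "src_wild": src_wild,
         "dst": dst, "dst_wild": dst_wild, "operator": None, "ports": (), "log": False}
    while tokens:  # trailing fields; the page's example puts the operator before 'log'
        tok = tokens.pop(0).lower()
        if tok == "log":
            r["log"] = True
        elif tok in OPERATORS:
            if protocol not in (6, 17):
                raise AvPairError("port operators apply only to tcp or udp rules")
            n = OPERATORS[tok]
            vals, tokens = tokens[:n], tokens[n:]
            if len(vals) != n or not all(v.isdigit() and int(v) <= 65535 for v in vals):
                raise AvPairError(f"{tok} needs {n} port value(s) in the range 0-65535")
            r["operator"], r["ports"] = tok, tuple(int(v) for v in vals)
        else:
            raise AvPairError(f"unexpected token {tok!r}")
    return r
```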

Example VPN Concentrator Authorization Schema

This section provides a sample of an LDAP schema. This schema supports the VPN Concentrator class and attributes. It is specific to the Microsoft Active Directory LDAP server. Use it as a model, in conjunction with Table A-2, to define your own schema for your own LDAP server.


Note   For more information on LDIF, refer to RFC 2849.

Schema 3k_schema.ldif
dn: CN=cVPN3000-Access-Hours,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
changetype: add
adminDisplayName: cVPN3000-Access-Hours
attributeID: 1.2.840.113556.1.8000.795.2.1
attributeSyntax: 2.5.5.3
cn: cVPN3000-Access-Hours
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: cVPN3000-Access-Hours
distinguishedName: 
 CN=cVPN3000-Access-Hours,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
objectCategory: 
 CN=Attribute-Schema,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
objectClass: attributeSchema
oMSyntax: 27
name: cVPN3000-Access-Hours
showInAdvancedViewOnly: TRUE

.....
.... (define subsequent VPN Concentrator authorization attributes here)
....


dn: CN=cVPN3000-Primary-DNS,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
changetype: add
adminDisplayName: cVPN3000-Primary-DNS
attributeID: 1.2.840.113556.1.8000.795.2.3
attributeSyntax: 2.5.5.3
cn: cVPN3000-Primary-DNS
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: cVPN3000-Primary-DNS
distinguishedName: 
 CN=cVPN3000-Primary-DNS,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
objectCategory: 
 CN=Attribute-Schema,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
objectClass: attributeSchema
oMSyntax: 27
name: cVPN3000-Primary-DNS
showInAdvancedViewOnly: TRUE

.....
.... (define subsequent VPN Concentrator authorization attributes here)
....

dn: CN=cVPN3000-Confidence-Interval,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
changetype: add
adminDisplayName: cVPN3000-Confidence-Interval
attributeID: 1.2.840.113556.1.8000.795.2.52
attributeSyntax: 2.5.5.9
cn: cVPN3000-Confidence-Interval
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: cVPN3000-Confidence-Interval
distinguishedName: 
 CN=cVPN3000-Confidence-Interval,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
objectCategory: 

DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
changetype: add
adminDisplayName: cVPN3000-User-Authorization
adminDescription: Cisco Class Schema
cn: cVPN3000-User-Authorization
defaultObjectCategory: 
 CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
defaultSecurityDescriptor: 
 D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
 (A;;RPLCLORC;;;AU)
governsID: 1.2.840.113556.1.8000.795.1.1
instanceType: 4
lDAPDisplayName: cVPN3000-User-Authorization

mustContain: cn
mayContain: cVPN3000-Access-Hours
mayContain: cVPN3000-Simultaneous-Logins
mayContain: cVPN3000-Primary-DNS
...
mayContain: cVPN3000-Confidence-Interval
mayContain: cVPN3000-Cisco-LEAP-Bypass

distinguishedName: 
 CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com 
objectCategory: 
 CN=Class-Schema,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectClass: classSchema
objectClassCategory: 1
possSuperiors: organizationalUnit
name: cVPN3000-User-Authorization
rDNAttID: cn
showInAdvancedViewOnly: TRUE
subClassOf: top
systemOnly: FALSE

DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

Loading the Schema in the LDAP Server


Note   The directions in this section are specific to the Microsoft Active Directory LDAP server. If you have a different type of server, refer to your server documentation for information on loading a schema.

To load the schema on the LDAP server, enter the following command from the directory where the schema file resides: ldifde -i -f <schema file name>. For example: ldifde -i -f 3k_schema.ldif

Defining User Permissions


Note   The directions in this section are specific to the Microsoft Active Directory LDAP server. If you have a different type of server, refer to your server documentation for information on defining and loading user attributes.

For each user authorizing to your LDAP server, define a user file. A user file defines all the VPN Concentrator attributes and values associated with a particular user. Each user is an object of the class cVPN3000-User-Authorization. To define the user file, use any text editor. The file must have the extension .ldif. (For an example user file, see "ann_smith.ldif.")

To load the user file on the LDAP server, enter the following command from the directory where your user .ldif file resides: ldifde -i -f <user file name>. For example: ldifde -i -f ann_smith.ldif

Once you have created and loaded both the schema and the user file, your LDAP server is ready to process VPN Concentrator authorization requests.

Example User File

This section provides a sample of a user file for the user Ann Smith.

ann_smith.ldif
dn: cn=ann_smith,OU=People,DC=XYZCorporation,DC=com
changetype: add
cn: ann_smith
CVPN3000-Access-Hours: Corporate_time
cVPN3000-Simultaneous-Logins: 2
cVPN3000-IPSec-Over-UDP: TRUE
CVPN3000-IPSec-Over-UDP-Port: 12125
cVPN3000-IPSec-Banner1: Welcome to the XYZ Corporation!!!
cVPN3000-IPSec-Banner2: Unauthorized access is prohibited!!!!!
cVPN3000-Primary-DNS: 10.10.4.5
CVPN3000-Secondary-DNS: 10.11.12.7
CVPN3000-Primary-WINS: 10.20.1.44
CVPN3000-SEP-Card-Assignment: 1
CVPN3000-IPSec-Tunnel-Type: 2
CVPN3000-Tunneling-Protocols: 7
cVPN3000-Confidence-Interval: 300
cVPN3000-IPSec-Allow-Passwd-Store: TRUE
objectClass: cVPN3000-User-Authorization
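The generator below is an added Python example, not Cisco's code, that builds a user file like ann_smith.ldif from a dict of attribute values while checking each value against the type and allowed values that Table A-2 gives for it (only a constructed subset of the table is encoded in SCHEMA). It also base64-encodes a value that is not an RFC 2849 SAFE-STRING (for example one that starts with a colon), which is an LDIF rule the page's hand-written example does not have to deal with; BASE_DN is the container from the page's examples.

```python
import base64
import ipaddress

# Subset of Table A-2, constructed for this example:
# attribute name -> (type, set of allowed integer values or None for any value).
SCHEMA = {
    "cVPN3000-Access-Hours": ("String", None),
    "cVPN3000-Simultaneous-Logins": ("Integer", None),
    "cVPN3000-Primary-DNS": ("IP", None),
    "cVPN3000-Secondary-DNS": ("IP", None),
    "cVPN3000-Primary-WINS": ("IP", None),
    "cVPN3000-SEP-Card-Assignment": ("Integer", {1, 2, 3, 4, 15}),
    "cVPN3000-Tunneling-Protocols": ("Integer", set(range(1, 12))),
    "cVPN3000-IPSec-Allow-Passwd-Store": ("Boolean", None),
    "cVPN3000-IPSec-Tunnel-Type": ("Integer", {1, 2}),
    "cVPN3000-IPSec-Over-UDP": ("Boolean", None),
    "cVPN3000-IPSec-Over-UDP-Port": ("Integer", None),
    "cVPN3000-IPSec-Banner1": ("String", None),
    "cVPN3000-IPSec-Banner2": ("String", None),
    "cVPN3000-IPSec-Split-Tunneling-Policy": ("Integer", {0, 1, 2, 4}),
    "cVPN3000-Confidence-Interval": ("Integer", None),
}
OBJECT_CLASS = "cVPN3000-User-Authorization"
BASE_DN = "OU=People,DC=XYZCorporation,DC=com"  # container used in the page's examples


def check_attribute(name, value):
    """Return the value as it should appear in LDIF, or raise ValueError if Table A-2 disallows it."""
    if name not in SCHEMA:
        raise ValueError(f"{name} is not a VPN Concentrator authorization attribute")
    kind, allowed = SCHEMA[name]
    if kind == "Boolean":
        if not isinstance(value, bool):
            raise ValueError(f"{name} must be TRUE or FALSE")
        return "TRUE" if value else "FALSE"
    if kind == "Integer":
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name} must be an integer")
        if allowed is not None and value not in allowed:
            raise ValueError(f"{name}={value} is not one of {sorted(allowed)}")
        return str(value)
    if kind == "IP":
        return str(ipaddress.IPv4Address(value))  # raises ValueError on a malformed address
    if not isinstance(value, str) or not value or any(c in value for c in "\r\n\0"):
        raise ValueError(f"{name} must be a non-empty single-line string")
    return value


def format_attribute(name, value):
    """One LDIF line. RFC 2849 requires base64 ('name:: ') for values that are not SAFE-STRINGs."""
    text = check_attribute(name, value)
    safe = text.isascii() and text[0] not in " :<" and not text.endswith(" ")
    if safe:
        return f"{name}: {text}"
    return f"{name}:: {base64.b64encode(text.encode('utf-8')).decode('ascii')}"


def user_ldif(cn, attrs):
    """Build the LDIF 'add' record for one cVPN3000-User-Authorization object."""
    if not cn or any(c in cn for c in ',=+"\\<>;#\n'):  # conservative RDN check
        raise ValueError("cn contains characters that are not safe in an RDN")
    unknown = set(attrs) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unknown attributes: {sorted(unknown)}")
    lines = [f"dn: cn={cn},{BASE_DN}", "changetype: add", f"cn: {cn}"]
    for name in SCHEMA:  # emit in schema order so user files stay diff-friendly
        if name in attrs:
            lines.append(format_attribute(name, attrs[name]))
    lines.append(f"objectClass: {OBJECT_CLASS}")
    return "\n".join(lines) + "\n"
```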

Configuring an External RADIUS Server

Follow the steps below to set up the RADIUS server to interoperate with the VPN Concentrator.


Step 1   Load the VPN Concentrator attributes into the RADIUS server. The method you use to load the attributes depends on which type of RADIUS server you are using:

Step 2   Set up the users or groups with the permissions and attributes to send during IPSec tunnel establishment. The permissions or attributes might include access hours, primary DNS, banner, and so on.



VPN Concentrator RADIUS Authorization Attributes

Table A-4 lists all the possible VPN Concentrator supported attributes that can be used for user authorization.

Table A-4   VPN Concentrator Supported RADIUS Attributes and Values

Attribute Name | Attribute Type | Attribute Number | Attribute Values
cVPN3000-Access-Hours | String | 1 | An octet string
cVPN3000-Simultaneous-Logins | Integer | 2 | An integer
cVPN3000-Primary-DNS | String | 5 | An IP address
cVPN3000-Secondary-DNS | String | 6 | An IP address
cVPN3000-Primary-WINS | String | 7 | An IP address
cVPN3000-Secondary-WINS | String | 8 | An IP address
cVPN3000-SEP-Card-Assignment | Integer | 9 | 1 = SEP1; 2 = SEP2; 3 = SEP3; 4 = SEP4; 15 = Any SEP
cVPN3000-Tunneling-Protocols | Integer | 11 | 1 = PPTP; 2 = L2TP; 3 = PPTP and L2TP; 4 = IPSec; 5 = PPTP and IPSec; 6 = L2TP and IPSec; 7 = PPTP-L2TP-IPSec; 8 = L2TP/IPSec; 9 = PPTP and L2TP/IPSec; 10 = L2TP and L2TP/IPSec; 11 = PPTP-L2TP-L2TP/IPSec
cVPN3000-IPSec-Sec-Association | String | 12 | An octet string
cVPN3000-IPSec-Authentication | Integer | 13 | 0 = None; 1 = RADIUS; 3 = NT Domain; 4 = SDI; 5 = Internal; 6 = RADIUS with Expiry; 7 = Kerberos/Active Directory
cVPN3000-IPSec-Banner1 | String | 15 | An octet string
cVPN3000-IPSec-Allow-Passwd-Store | Boolean | 16 | TRUE = Allow; FALSE = Disallow
cVPN3000-Use-Client-Address | Boolean | 17 | TRUE = Allow; FALSE = Disallow
cVPN3000-PPTP-Encryption | Integer | 20 | 2 = 40 bits; 3 = 40-Encryption-Req; 4 = 128 bits; 5 = 128-Encryption-Req; 6 = 40 or 128; 7 = 40 or 128 Encryption-Req; 10 = 40 Stateless-Req; 11 = Enc/Stateless-Req; 12 = 128 Stateless-Req; 13 = 128 Enc/Stateless-req; 14 = 40/128-Stateless-Req; 15 = 40/128-Enc/Stateless-Req
cVPN3000-L2TP-Encryption | Integer | 21 | 2 = 40 bit; 3 = 40-Encryption-Req; 4 = 128 bits; 5 = 128-Encr-Req; 6 = 40 or 128; 7 = 40 or 128-Encr-Req; 10 = 40-Stateless-Req; 11 = Encr/Stateless-Req; 12 = 128-Stateless-Req; 13 = 128-EncrStateless-Req; 14 = 40/128-Stateless-Req; 15 = 40/128-Encr/Stateless-Req
cVPN3000-IPSec-Split-Tunnel-List | String | 27 | An octet string
cVPN3000-IPSec-Default-Domain | String | 28 | An octet string
cVPN3000-IPSec-Split-DNS-Names | String | 29 | An octet string
cVPN3000-IPSec-Tunnel-Type | Integer | 30 | 1 = LAN-to-LAN; 2 = Remote access
cVPN3000-IPSec-Mode-Config | Boolean | 31 | TRUE = On; FALSE = Off
cVPN3000-IPSec-User-Group-Lock | Boolean | 33 | TRUE = On; FALSE = Off
cVPN3000-IPSec-Over-UDP | Boolean | 34 | TRUE = On; FALSE = Off
cVPN3000-IPSec-Over-UDP-Port | Integer | 35 | An integer
cVPN3000-IPSec-Banner2 | String | 36 | An octet string
cVPN3000-PPTP-MPPC-Compression | Integer | 37 | 1 = ON; 2 = OFF
cVPN3000-L2TP-MPPC-Compression | Integer | 38 | 0 = ON; 1 = OFF
cVPN3000-IPSec-IP-Compression | Integer | 39 | 0 = None; 1 = LZS
cVPN3000-IPSec-IKE-Peer-ID-Check | Integer | 40 | 1 = Required; 2 = If supported by certificate; 3 = Do not check
cVPN3000-IKE-Keep-Alives | Boolean | 41 | TRUE = On; FALSE = Off
cVPN3000-IPSec-Auth-On-Rekey | Boolean | 42 | TRUE = On; FALSE = Off
cVPN3000-Required-Client-Firewall-Vendor-Code | Integer | 45 | An integer
cVPN3000-Required-Client-Firewall-Product-Code | Integer | 46 | An integer
cVPN3000-Required-Client-Firewall-Description | String | 47 | An octet string
cVPN3000-Require-HW-Client-Auth | Boolean | 48 | TRUE = On; FALSE = Off
cVPN3000-Required-Individual-User-Auth | Integer | 49 | An integer
cVPN3000-Authenticated-User-Idle-Timeout | Integer | 50 | An integer
cVPN3000-Cisco-IP-Phone-Bypass | Integer | 51 | 2 = Enabled; 3 = Disabled
cVPN3000-IPSec-Split-Tunneling-Policy | Integer | 55 | 0 = Tunnel everything; 1 = Only tunnel networks in list; 2 = Policy Pushed CPP; 4 = Policy from server
cVPN3000-IPSec-Required-Client-Firewall-Capability | Integer | 56 | 0 = None; 1 = Policy defined by remote FW AYT; 2 = Policy pushed CPP; 4 = Policy from server
cVPN3000-IPSec-Client-Firewall-Filter-Name | String | 57 | An octet string
cVPN3000-IPSec-Client-Firewall-Filter-Optional | Integer | 58 | 0 = Required; 1 = Optional
cVPN3000-IPSec-Backup-Servers | String | 59 | 1 = Use Client-Configured list; 2 = Disabled and clear client list; 3 = Use Backup Server list
cVPN3000-IPSec-Backup-Server-List | String | 60 | An octet string
cVPN3000-Intercept-DHCP-Configure-Msg | Boolean | 62 | TRUE = Yes; FALSE = No
cVPN3000-MS-Client-Subnet-Mask | Boolean | 63 | An IP address
cVPN3000-Allow-Network-Extension-Mode | Boolean | 64 | TRUE = Yes; FALSE = No
cVPN3000-Strip-Realm | Boolean | 135 | TRUE = On; FALSE = Off
cVPN3000-Confidence-Interval | Integer | 68 | An integer
cVPN3000-Cisco-LEAP-Bypass | Integer | 75 | An integer


Posted: Tue Jul 29 13:49:01 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.