Configuring radius dynamic filters – Panasonic NN46110-600 User Manual


Chapter 2 Configuring servers    51

3 Select one of the group authentication options.

4 Click OK.

Configuring RADIUS dynamic filters

The Nortel VPN Router offers several methods to control network access for authenticated users. One such mechanism is the tunnel filter. Tunnel filters are applied at the group level and control access to network resources as well as management access to the VPN Router. When a user is authenticated, they are assigned to a group. Part of the group profile specifies that you apply a filter.

Dynamic filters provide a means of distributing filters for IPsec user tunnels via a RADIUS return attribute. Depending on the configuration of the RADIUS server, these filters can vary by individual user, or apply to an entire class of users.

Note: These filters apply only to IPsec user tunnels. They do not apply
to branch office tunnels or non-IPsec tunnels.

You must enable tunnel filters for the RADIUS dynamic filters to be effective. You can set up and manage policy filters in the RADIUS server that the VPN Router retrieves. RADIUS returns the Access Control List (ACL) to the VPN Router. IPsec user tunnels are dynamically filtered based on attributes returned from the authenticating RADIUS server. The returned dynamic filters are then prepended to the filter of the group to which the user is bound, so the returned rules are evaluated before the group's own rules.

Dynamic filtering has minimal performance impact. Some performance degradation can occur during user tunnel creation, depending on the number of rules processed. Passing of traffic can degrade in a way similar to that which occurs when you configure a large number of tunnel filters in a user group.

You configure all dynamic filters on the remote RADIUS server. Before you configure dynamic RADIUS filters, you must first configure the RADIUS server. There are many available RADIUS servers, each with different specifics for configuring return attributes. Regardless of how you configure return attributes, they always use the following AV-Pair to define and transmit attribute/value pairs:

Vendor Specific Attribute (VSA)—26

Vendor Code—9 (Cisco)
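To make the return-attribute layout concrete, the following Python is an added example (not code from the manual or from Nortel) that parses the attribute area of a RADIUS Access-Accept, picks out Vendor-Specific attributes (type 26) carrying Vendor-Id 9, and shows the returned rules being prepended to a group filter as the text describes. The wire layout follows RFC 2865 (Type, Length, Value, with a 4-byte Vendor-Id and Vendor-Type/Vendor-Length sub-attributes inside a VSA). The sample packet bytes, the vendor-type value 1 and the rule strings are constructed placeholders; the manual does not specify the filter string syntax, and a real VPN Router would also verify the Response Authenticator before trusting any of these attributes.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type: Vendor-Specific
CISCO_VENDOR_ID = 9           # IANA enterprise number 9 (Cisco), as on the page


def parse_attributes(payload: bytes):
    """Walk the RADIUS attribute area as (Type, Length, Value) triples.
    Returns a list of (type, value_bytes). A bad length raises ValueError so a
    truncated or malformed reply is rejected instead of silently mis-read."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsa(value: bytes):
    """Decode a Vendor-Specific value: 4-byte Vendor-Id followed by one or more
    (Vendor-Type, Vendor-Length, data) sub-attributes."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs = []
    i = 4
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        subs.append((vtype, value[i + 2:i + vlen]))
        i += vlen
    return vendor_id, subs


def dynamic_filters(payload: bytes, vendor_id: int = CISCO_VENDOR_ID):
    """Collect the strings carried in VSA 26 sub-attributes for the given
    Vendor-Id, in the order the server sent them. Other vendors are ignored."""
    out = []
    for atype, value in parse_attributes(payload):
        if atype != RADIUS_VENDOR_SPECIFIC:
            continue
        vid, subs = parse_vsa(value)
        if vid != vendor_id:
            continue
        for _vtype, data in subs:
            out.append(data.decode("ascii"))
    return out


def is_well_formed(payload: bytes) -> bool:
    """True when every attribute and VSA sub-attribute has a consistent length."""
    try:
        dynamic_filters(payload)
        return True
    except ValueError:
        return False


def effective_filter(returned, group_filter):
    """Returned dynamic filters are prepended to the group's filter, so they are
    evaluated first; the group's rules follow unchanged."""
    return list(returned) + list(group_filter)


def build_vsa(vendor_id: int, vendor_type: int, text: str) -> bytes:
    """Construct one Vendor-Specific attribute (used only to build the sample)."""
    data = text.encode("ascii")
    sub = bytes([vendor_type, len(data) + 2]) + data
    value = struct.pack("!I", vendor_id) + sub
    return bytes([RADIUS_VENDOR_SPECIFIC, len(value) + 2]) + value


# Constructed sample attribute area of an Access-Accept (not a real capture):
# a Class attribute (type 25), two Vendor-Id 9 VSAs with placeholder rule
# strings in vendor-type 1 (an assumption), and a VSA from another vendor.
SAMPLE_ACCEPT_ATTRIBUTES = (
    bytes([25, 2 + 4]) + b"grp1"
    + build_vsa(CISCO_VENDOR_ID, 1, "placeholder-dynamic-rule-1")
    + build_vsa(CISCO_VENDOR_ID, 1, "placeholder-dynamic-rule-2")
    + build_vsa(311, 1, "ignored-other-vendor")
)

if __name__ == "__main__":
    rules = dynamic_filters(SAMPLE_ACCEPT_ATTRIBUTES)
    print(effective_filter(rules, ["group-rule-A", "group-rule-B"]))
```

Two points the example makes visible: the parser refuses any attribute whose declared length runs past the buffer, which is the check that matters when the attribute source is a network peer, and `effective_filter` keeps the server-returned rules ahead of the group's rules, so a reviewer of the RADIUS configuration knows which rule wins when the two overlap.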

Nortel VPN Router Security — Servers, Authentication, and Certificates
