VPN 3000 Dynamic Filters
The VPN 3000 Concentrator lets you define remote access user filters on an external RADIUS or LDAP server, rather than on the VPN Concentrator. Using an external server allows centralized filter management and greater scalability. Configuring filters in this way also lets you assign filters to a particular tunnel group or a particular user.
Note: You can also set up dynamic filters on an LDAP authorization server by using the Cisco AV-Pair attribute.
These filters are called dynamic filters because they remain in place only for the duration of the session to which they apply. When the user authenticates via RADIUS or LDAP, the VPN Concentrator downloads the filter associated with the user and applies it for the duration of the connection. When the connection finishes, the filter is dropped.
You can configure this feature on the RADIUS or LDAP server, not on the VPN Concentrator (the filters you configure on the VPN Concentrator are static).
You can configure a dynamic filter on either a user or a group. If both a user dynamic filter and a group dynamic filter apply to a single connection, the user filter takes precedence. If both a dynamic filter and a static filter apply to the same connection, the dynamic filter takes precedence. The order of precedence is:
- A dynamic user filter
- A dynamic group filter
- A static user filter
- A static group filter
Part of - VPN 3000 Series Concentrator Reference Volume II : Administration and Monitoring