crypto aaa attribute list
To define an authentication, authorization, and accounting (AAA) attribute list of per-user attributes on a local Easy VPN server, use the crypto aaa attribute list command in crypto isakmp group configuration mode. To remove the AAA attribute list, use the no form of this command.
crypto aaa attribute list list-name
no crypto aaa attribute list list-name
Syntax Description
list-name | Name of the local attribute list. |
Command Default
A local attribute list is not defined.
Command Modes
Crypto isakmp group configuration
Command History
Release | Modification |
---|---|
12.4(9)T | This command was introduced. |
Usage Guidelines
Note: Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
There is no limit to the number of lists that can be defined (except for NVRAM storage limits).
Examples
The following example shows that per-user attributes have been defined on a local Easy VPN AAA server:
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login noAAA none
aaa authorization network default local
!
aaa attribute list per-group
 attribute type inacl "per-group-acl" service ike protocol ip mandatory
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
username example password 0 example
!
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 14
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group PerUserAAA
 key cisco
 pool dpool
 crypto aaa attribute list per-group
!
crypto isakmp profile vi
 match identity group PerUserAAA
 isakmp authorization list default
 client configuration address respond
 client configuration group PerUserAAA
 virtual-template 1
!
!
crypto ipsec transform-set set esp-aes esp-sha-hmac
!
crypto ipsec profile vi
 set transform-set set
 set isakmp-profile vi
!
!
interface GigabitEthernet0/0
 description 'EzVPN Peer'
 ip address 192.168.1.1 255.255.255.128
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip local pool dpool 10.5.0.1 10.5.0.10
ip classless
!
no ip http server
no ip http secure-server
!
!
ip access-list extended per-group-acl
 permit tcp any any
 deny icmp any any
logging alarm informational
logging trap debugging
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
line aux 0
 stopbits 1
line vty 0 4
!
!
end
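The example configuration chains three names: the group's crypto aaa attribute list per-group reference, the aaa attribute list per-group definition, and the per-group-acl access list named by its inacl attribute. The following Python check is an added example, not Cisco code; it reports groups where that chain is broken. It assumes the one-space sub-mode indentation that show running-config prints, and the sample input, including the group Broken and the list NoSuchList, is constructed.

```python
import re

# Constructed input: the relevant lines of the example, plus a made-up broken group.
SAMPLE = """\
aaa attribute list per-group
 attribute type inacl "per-group-acl" service ike protocol ip mandatory
!
crypto isakmp client configuration group PerUserAAA
 pool dpool
 crypto aaa attribute list per-group
crypto isakmp client configuration group Broken
 crypto aaa attribute list NoSuchList
ip access-list extended per-group-acl
 permit tcp any any
"""

def sections(config):
    """Map each top-level command to its indented sub-mode lines."""
    out, head = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and head is not None:
            out[head].append(line.strip())
        else:
            head = line.strip()
            out.setdefault(head, [])
    return out

def audit(config):
    """Return (group, problem) pairs for broken group -> list -> ACL chains."""
    sec = sections(config)
    lists = {h.split()[-1]: b for h, b in sec.items() if h.startswith("aaa attribute list ")}
    acls = {h.split()[-1] for h in sec if h.startswith("ip access-list ")}
    findings = []
    for head, body in sec.items():
        if not head.startswith("crypto isakmp client configuration group "):
            continue
        group = head.split()[-1]
        for name in (l.split()[-1] for l in body if l.startswith("crypto aaa attribute list ")):
            if name not in lists:
                findings.append((group, f"attribute list {name!r} is not defined"))
            for acl in re.findall(r'attribute type inacl "([^"]+)"', "\n".join(lists.get(name, []))):
                if acl not in acls:
                    findings.append((group, f"inacl {acl!r} has no ip access-list"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```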