Chapter 2 Configuring servers 51
Nortel VPN Router Security — Servers, Authentication, and Certificates

3 Select one of the group authentication options.
4 Click OK.

Configuring RADIUS dynamic filters

The Nortel VPN Router offers several methods to control network access for authenticated users. One such mechanism is the tunnel filter. Tunnel filters are applied at the group level and control access to network resources as well as management access to the VPN Router. When a user is authenticated, they are assigned to a group. Part of the group profile specifies that you apply a filter.

Dynamic filters provide a means of distributing filters for IPsec user tunnels via a RADIUS return attribute. Depending on the configuration of the RADIUS server, these filters can vary by individual user, or apply to an entire class of users.

You must enable tunnel filters for the RADIUS dynamic filters to be effective.

You can set up and manage policy filters in the RADIUS server that the VPN Router retrieves. RADIUS returns the Access Control List (ACL) to the VPN Router. IPsec user tunnels are dynamically filtered based on attributes returned from the authenticating RADIUS server. The returned dynamic filters are then prepended to the group's filter to which the user is bound.

Dynamic filtering has minimal performance impact. Some performance degradation can occur during user tunnel creation, depending on the number of rules processed. Passing of traffic can degrade in a way similar to that which occurs when you configure a large number of tunnel filters in a user group.

You configure all dynamic filters on the remote RADIUS server. Before you configure dynamic RADIUS filters, you must first configure the RADIUS server. There are many available RADIUS servers, each with different specifics for configuring return attributes. Regardless of how you configure return attributes, they always use the following AV-Pair to define and transmit attribute/value pairs:

• Vendor Specific Attribute (VSA)—26
• Vendor Code—9 (Cisco)

Note: These filters apply only to IPsec user tunnels. They do not apply to branch office tunnels or non-IPsec tunnels.
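
To confirm what a RADIUS server actually returns, the following added example (not part of the Nortel documentation) parses an Access-Accept and lists the AV-pair strings carried in VSA 26 with vendor code 9, ignoring other attributes and other vendors. The Cisco-AVPair sub-type 1, the function names, and the placeholder rule strings are assumptions; the page does not give the filter rule syntax.

```python
import struct

VSA_TYPE = 26         # Vendor-Specific attribute type, as named on this page
VENDOR_CODE = 9       # vendor code (Cisco), as named on this page
AVPAIR_SUBTYPE = 1    # Cisco-AVPair vendor sub-type (assumption: not stated on the page)
ACCESS_ACCEPT = 2     # RADIUS code for Access-Accept (RFC 2865)

def vsa(vendor, subtype, text):
    """Encode one Vendor-Specific attribute holding a single sub-attribute."""
    data = text.encode("ascii")
    body = struct.pack("!IBB", vendor, subtype, len(data) + 2) + data
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body

def access_accept(attrs, ident=1):
    """Constructed reply: code, id, length, zeroed 16-byte authenticator, attributes."""
    payload = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(payload)) + bytes(16) + payload

def returned_avpairs(packet):
    """List AV-pair strings from VSA 26 / vendor 9; the authenticator is not verified."""
    code, _ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pairs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        atype, value, pos = packet[pos], packet[pos + 2:pos + alen], pos + alen
        if atype != VSA_TYPE or len(value) < 6 or struct.unpack("!I", value[:4])[0] != VENDOR_CODE:
            continue                      # not a vendor 9 VSA, so not a dynamic filter
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == AVPAIR_SUBTYPE:
                pairs.append(sub[2:vlen].decode("ascii", "replace"))
            sub = sub[vlen:]
    return pairs

# Constructed sample: rule text is a placeholder, the page does not give the rule syntax.
SAMPLE = access_accept([
    struct.pack("!BB", 25, 7) + b"staff",            # Class attribute, ignored
    vsa(VENDOR_CODE, AVPAIR_SUBTYPE, "<filter-rule-1>"),
    vsa(99999, 1, "<other-vendor-value>"),           # different vendor code, ignored
    vsa(VENDOR_CODE, AVPAIR_SUBTYPE, "<filter-rule-2>"),
])
```

The order of the returned list matches the order of the attributes in the reply, which matters when reviewing how rules are prepended to the group filter.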