RE: sending cisco avpairs via radius to nas, restricting access to users

From: Dave (dave@hawk-systems.com)
Date: Mon Apr 29 2002 - 09:02:51 EDT


any takers on this?

>the dilemma being this particular case we do not have direct access to the
>AS5300. we are purchasing ports on a remote access server, and have to rely on
>the sending of Cisco-Avpairs to accomplish the same restrictions we have in the
>general templates on our privately owned boxes.
>
>Perhaps I should approach this in a more lame fashion...
>
>Using RADIUS to send Cisco AV pairs back to the NAS, what is the correct
>format to accomplish the following?
>
>- Assuming the NAS is 10.0.1.1 and modems are distributed IPs from
>the 10.0.2.0 block
>- assuming all the target resources (as specified below) are located
>on a remote network in the internet cloud (192.168 used as example)
>
>1) Have dialup user utilize 192.168.1.6 and 192.168.1.7 as their DNS servers
> currently using:
> print "Cisco-AVPair = \"ip:dns-servers=192.168.1.6 192.168.1.7\"\n";
>
>2) Restrict a dialup user to accessing resources on a particular server
> in this case the server 192.168.1.10
> currently using:
> print "Cisco-AVPair = \"ip:inacl#1=permit tcp any host 192.168.1.10\"\n";
> print "Cisco-AVPair = \"ip:inacl#2=deny tcp any any\"\n";
> print "Cisco-AVPair = \"ip:inacl#3=permit ip any host 192.168.1.10\"\n";
> print "Cisco-AVPair = \"ip:inacl#4=deny ip any any\"\n";
>
>3) Restrict a dialup user to accessing resources on servers in a class C
> in this case the servers in block 192.168.1.0
> currently using:
> # a network match takes an IOS wildcard mask (0.0.0.255); 'host' only takes a single address
> print "Cisco-AVPair = \"ip:inacl#1=permit tcp any 192.168.1.0 0.0.0.255\"\n";
> print "Cisco-AVPair = \"ip:inacl#2=deny tcp any any\"\n";
> print "Cisco-AVPair = \"ip:inacl#3=permit ip any 192.168.1.0 0.0.0.255\"\n";
> print "Cisco-AVPair = \"ip:inacl#4=deny ip any any\"\n";
>
>4) Allow dialup user to ping anywhere on the internet
> currently using:
> # inacl entries are applied in numeric order, so this must sort before the
> # "deny ip any any" entry of the template or it is never reached
> print "Cisco-AVPair = \"ip:inacl#5=permit icmp any any\"\n";
>
>5) Allow dialup user to access only 2 SMTP servers on specified networks
> In this case SMTP servers on 192.168.1.10 and .12
> currently using:
> print "Cisco-AVPair = \"ip:inacl#3=permit tcp any host 192.168.1.10 eq smtp\"\n";
> print "Cisco-AVPair = \"ip:inacl#4=permit tcp any host 192.168.1.12 eq smtp\"\n";
> # note: this entry permits SMTP to every destination, not only the two hosts above
> print "Cisco-AVPair = \"ip:inacl#5=permit tcp any any eq smtp\"\n";

Finally, are outacl lines required for these restrictions? Is there literature
which depicts various ACL configurations and their results, such as I am listing
here? After reviewing numerous Cisco documents on this, including extensive
lists of commands and such, there is little or no real guidance on how to use
them. Lots of commands and definitions, but no real examples for various
configurations in this regard.

Thanks to any responses...

Dave
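
[Editor's note: the following is an added example, not part of Dave's post or
of any Cisco documentation. It is a small Python model of how a NAS applies the
ip:inacl#N entries from an Access-Accept: entries are sorted by N, the first
matching entry decides, and anything unmatched hits the implicit deny at the
end. The attribute lists are constructed from the AV pairs discussed in the
thread; the parser only handles IPv4, the 'any' / 'host' / wildcard-mask
address forms and the 'eq' port operator, and the port-name table is an
assumption. It is meant to answer the "what would this ACL actually do"
question for a given set of reply attributes, offline.]

```python
import ipaddress
import re

# Constructed sample Access-Accept reply attributes, modelled on the Cisco-AVPair
# strings in the post above (assumed values, not a real capture).
SINGLE_HOST_ACL = [
    "ip:inacl#1=permit tcp any host 192.168.1.10",
    "ip:inacl#2=deny tcp any any",
    "ip:inacl#3=permit ip any host 192.168.1.10",
    "ip:inacl#4=deny ip any any",
    "ip:inacl#5=permit icmp any any",  # sorts after the deny-all: never reached
]
CLASS_C_ACL = [
    "ip:inacl#1=permit tcp any 192.168.1.0 0.0.0.255",  # IOS wildcard mask, not 255.255.255.0
    "ip:inacl#2=permit icmp any any",
    "ip:inacl#3=deny ip any any",
]

# Assumed port-name table; only the names used in the examples are needed.
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (address_int, wildcard_int); wildcard bits set to 1 are don't-care."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(tok))
    if not tokens:
        raise ValueError("%s needs a wildcard mask or the 'host' keyword" % tok)
    return addr, int(ipaddress.IPv4Address(tokens.pop(0)))


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier (only 'eq' is modelled)."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_ace(text):
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p]'.
    Leftover tokens are an error, which is what makes
    'host 192.168.1.0 255.255.255.0' invalid."""
    tokens = text.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("bad action %r" % action)
    ace = {"action": action, "proto": proto}
    ace["src"] = _parse_addr(tokens)
    ace["sport"] = _parse_port(tokens)
    ace["dst"] = _parse_addr(tokens)
    ace["dport"] = _parse_port(tokens)
    if tokens:
        raise ValueError("unexpected tokens %r in %r" % (" ".join(tokens), text))
    return ace


def is_valid_ace(text):
    """True if the entry parses; False for the malformed variants seen in the thread."""
    try:
        parse_ace(text)
        return True
    except (ValueError, IndexError):
        return False


def parse_inacl(avpairs):
    """Turn 'ip:inacl#N=<ace>' attributes into [(N, ace)] sorted by N,
    the order in which the NAS applies them."""
    entries = []
    for av in avpairs:
        m = re.fullmatch(r"ip:inacl#(\d+)=(.+)", av.strip())
        if not m:
            raise ValueError("not an ip:inacl attribute: %r" % av)
        entries.append((int(m.group(1)), parse_ace(m.group(2))))
    return sorted(entries, key=lambda e: e[0])


def _addr_match(spec, addr):
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First-match evaluation with the implicit deny at the end.
    Returns (action, sequence_number); sequence_number is None for the implicit deny."""
    for seq, ace in entries:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_inacl(SINGLE_HOST_ACL)
    for proto, src, dst, dport in [("tcp", "10.0.2.5", "192.168.1.10", 80),
                                   ("icmp", "10.0.2.5", "10.1.1.1", None)]:
        print(proto, src, dst, dport, "->", evaluate(acl, proto, src, dst, dport=dport))
    print("host + mask accepted?", is_valid_ace("permit tcp any host 192.168.1.0 255.255.255.0"))
```

Running it against the single-host template shows the ICMP entry at #5 is
shadowed by the "deny ip any any" at #4, and that both "host 192.168.1.0
255.255.255.0" and "192.168.1.10 eq smtp" (no 'host' keyword and no wildcard
mask) fail to parse, while "192.168.1.0 0.0.0.255" matches every host in the
class C.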



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:55 EDT