[nsp] radius assigned individuals access lists sanity check...

From: Dave (dave@hawk-systems.com)
Date: Thu Jun 13 2002 - 16:24:31 EDT


still trying to wrap my head around correct syntax for sending attribute pairs
back to Cisco AS5300s from our radius server.

Let's assume the NAS is ip 10.0.0.1 and delivers addresses from 10.0.1/23 block
dynamically for dialup users. These pairs will be sent back to the NAS to be
applied to the dialup user to filter the dialup connection to the internet.

1) The following should restrict the dialup user to servers and resources in the
192.168.1/23 block;
        Cisco-AVPair = "ip:dns-servers=192.168.1.1"
        Cisco-AVPair = "ip:inacl#0=permit tcp any 192.168.1.0 0.0.0.255"
        Cisco-AVPair = "ip:inacl#1=deny tcp any any"
        Cisco-AVPair = "ip:inacl#2=permit ip any 192.168.1.0 0.0.0.255"
        Cisco-AVPair = "ip:inacl#3=permit icmp any any"
        Cisco-AVPair = "ip:inacl#4=deny ip any any"

2) The following should restrict the dialup user to access any resources on the
internet, but only access SMTP services in the 192.168.1/23 block or at IP
address 192.168.2.5;
        Cisco-AVPair = "ip:dns-servers=192.168.1.1"
        Cisco-AVPair = "ip:inacl#0=permit tcp any 192.168.1.0 0.0.0.255 eq 25"
        Cisco-AVPair = "ip:inacl#1=permit tcp any 192.168.2.5 0.0.0.0 eq 25"
        Cisco-AVPair = "ip:inacl#2=deny tcp any any eq 25"
# is this permit implied?
        Cisco-AVPair = "ip:inacl#3=permit tcp any any"
        Cisco-AVPair = "ip:inacl#4=permit ip any 192.168.1.0 0.0.0.255"
        Cisco-AVPair = "ip:inacl#5=permit icmp any any"
        Cisco-AVPair = "ip:inacl#6=deny ip any any"

Can anyone give this a sanity check and/or tell me if I am making improper
assumptions somewhere?

Thanks

Dave
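Added example, not part of Dave's post: a small evaluator with Cisco first-match semantics, run over constructed copies of the AVPair strings above, so each intended policy can be checked packet by packet (falling off the end is the implicit deny every Cisco ACL has, so no permit is implied). It assumes only the syntax the post uses (any source, destination plus wildcard or `any`, optional `eq port`, contiguous or not); `parse_acl` and `evaluate` are names chosen here.

```python
import ipaddress
import re

# Constructed copies of the post's two inbound ACLs as RADIUS Cisco-AVPair strings.
ACL1 = ["ip:dns-servers=192.168.1.1",  # not an ACL entry; the parser skips it
        "ip:inacl#0=permit tcp any 192.168.1.0 0.0.0.255",
        "ip:inacl#1=deny tcp any any",
        "ip:inacl#2=permit ip any 192.168.1.0 0.0.0.255",
        "ip:inacl#3=permit icmp any any",
        "ip:inacl#4=deny ip any any"]
ACL2 = ["ip:inacl#0=permit tcp any 192.168.1.0 0.0.0.255 eq 25",
        "ip:inacl#1=permit tcp any 192.168.2.5 0.0.0.0 eq 25",
        "ip:inacl#2=deny tcp any any eq 25",
        "ip:inacl#3=permit tcp any any",
        "ip:inacl#4=permit ip any 192.168.1.0 0.0.0.255",
        "ip:inacl#5=permit icmp any any",
        "ip:inacl#6=deny ip any any"]

# Only the syntax the post uses: <action> <proto> any <dst wildcard | any> [eq port]
ENTRY = re.compile(r"^ip:inacl#(\d+)=(permit|deny) (ip|tcp|udp|icmp) any "
                   r"(?:any|(\S+) (\S+))(?: eq (\d+))?$")

def parse_acl(avpairs):
    """Return rules ordered by inacl# index: (action, proto, dst, wildcard, port)."""
    rules = []
    for pair in avpairs:
        m = ENTRY.match(pair)
        if m is None:
            continue
        idx, action, proto, dst, wc, port = m.groups()
        dst_int = int(ipaddress.ip_address(dst)) if dst else 0
        wc_int = int(ipaddress.ip_address(wc)) if wc else 0xFFFFFFFF  # "any"
        rules.append((int(idx), action, proto, dst_int, wc_int,
                      int(port) if port else None))
    return [r[1:] for r in sorted(rules)]

def evaluate(rules, proto, dst, port=None):
    """First matching entry decides; falling off the end is the implicit deny."""
    dst_int = int(ipaddress.ip_address(dst))
    for action, r_proto, r_dst, wc, r_port in rules:
        care = 0xFFFFFFFF ^ wc          # wildcard 1-bits are "don't care" bits
        if r_proto != "ip" and r_proto != proto:
            continue
        if (dst_int & care) != (r_dst & care):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"
```

Running it over the entries shows, for instance, that wildcard 0.0.0.255 on 192.168.1.0 matches 192.168.1.0/24 only, so a destination such as 192.168.0.10 falls through to the deny entry, and that in the second ACL UDP to the internet (e.g. DNS to a non-local server) is denied by entry #6 while TCP to any port other than 25 is permitted by #3.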



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:59 EDT