Re: sending cisco avpairs via radius to nas, restricting access to users

From: Josh Duffek (jduffek@cisco.com)
Date: Thu Apr 25 2002 - 19:17:39 EDT


did you turn on "aaa author network default radius"? turn on "debug aaa
author"/"debug radius"/"debug ppp nego".

josh

----- Original Message -----
From: "Dave" <dave@hawk-systems.com>
To: <cisco-nas@external.cisco.com>
Sent: Thursday, April 25, 2002 3:09 PM
Subject: sending cisco avpairs via radius to nas, restricting access to users

> users authenticating against xtradius/postgres database just beautifully.
>
> working on adding some further customization to dialup users, in trying to limit
> a few users to a specific server or network of servers, we are trying to send
> inacl configurations. For the life of me I cannot get it to function where a
> user with these acl's set is appropriately limited.
>
> #From the external auth.pl script after authing user against database
> print "Cisco-AVPair = \"ip:dns-servers=any host 192.168.1.2\"\n";
> print "Cisco-AVPair = \"ip:inacl#1=permit tcp any host 192.168.1.0\"\n";
> print "Cisco-AVPair = \"ip:inacl#2=deny tcp any any\"\n";
> print "Cisco-AVPair = \"ip:inacl#3=permit ip any host 192.168.1.0\"\n";
> print "Cisco-AVPair = \"ip:inacl#4=deny ip any any\"\n";
> print "Cisco-AVPair = \"ip:inacl#5=permit icmp any any\"\n";
>
> the desired end result being a user who can only access web, mail etc...
> services on servers in the 192.168.1.0 class C network.
>
> comments or corrections appreciated.
>
> Dave
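As an added illustration (not part of the thread and not from Dave's auth.pl script), the Python below evaluates the five `ip:inacl#n` entries quoted above the way a Cisco NAS applies a per-user inbound ACL: top to bottom, first match wins, implicit deny at the end. The address syntax it parses is standard Cisco extended-ACL syntax: `any` matches everything, `host A.B.C.D` matches exactly one address, and `A.B.C.D W.X.Y.Z` is a network with an inverted wildcard mask. The sample packets and the alternative list using a `0.0.0.255` wildcard are constructed here to show what each form matches, so a per-user ACL can be checked offline before it is pushed through RADIUS.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the inacl entries from the thread, in "#n" order
# (the NAS evaluates them in that order, first match wins).
THREAD_ACL = [
    "permit tcp any host 192.168.1.0",
    "deny tcp any any",
    "permit ip any host 192.168.1.0",
    "deny ip any any",
    "permit icmp any any",
]

# Constructed alternative: same intent (services on the 192.168.1.0/24 network
# only), written with a wildcard mask and with icmp permitted before the deny.
SUBNET_ACL = [
    "permit tcp any 192.168.1.0 0.0.0.255",
    "permit icmp any any",
    "deny ip any any",
]


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard mask is an inverted netmask: 0 bits must match.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network((t, str(netmask)), strict=False), i + 2


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst>' into an Ace."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return Ace(action, proto, src, dst)


def evaluate(acl_lines, proto, src, dst):
    """Return (verdict, 1-based index of the matching entry or None).

    Mirrors NAS behaviour: entries are tried in order, 'ip' matches any
    protocol, and a packet matching nothing hits the implicit deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, line in enumerate(acl_lines, start=1):
        ace = parse_ace(line)
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, idx
    return "deny", None


def unreachable_entries(acl_lines):
    """1-based indices of entries that can never match because an earlier
    entry already covers their whole protocol/source/destination space."""
    aces = [parse_ace(l) for l in acl_lines]
    shadowed = []
    for idx, ace in enumerate(aces):
        for earlier in aces[:idx]:
            proto_ok = earlier.proto in ("ip", ace.proto)
            if (proto_ok and ace.src.subnet_of(earlier.src)
                    and ace.dst.subnet_of(earlier.dst)):
                shadowed.append(idx + 1)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample flows: a dial-up client reaching a mail host on .2,
    # the .0 address itself, and an ICMP echo to an outside host.
    for acl in (THREAD_ACL, SUBNET_ACL):
        print(evaluate(acl, "tcp", "10.0.0.5", "192.168.1.2"))
        print(evaluate(acl, "tcp", "10.0.0.5", "192.168.1.0"))
        print(evaluate(acl, "icmp", "10.0.0.5", "192.0.2.1"))
        print("unreachable:", unreachable_entries(acl))
```

Run as a script it prints the verdict and matching entry for each constructed flow under both lists; `unreachable_entries` is the check worth running on any per-user ACL before it goes into the RADIUS reply, because an entry shadowed by an earlier `deny ip any any` silently does nothing on the NAS.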



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:42 EDT