[c-nsp] VPN RADIUS SERVER
Gerald Krause
gk at ax.tc
Wed Aug 24 04:52:21 EDT 2005
On Monday, 22 August 2005 15:46, Gangasagar Amula wrote:
> Hi All,
>
> I have created VPNs but failing to restrict the traffic via VPN....
>
> The below access-list specifies the services that I have to deny...
> For that I have to specify the acl_ID in the authentication server (We
> are using Windows 2003 as a RADIUS SERVER)
>
> access-list 120 deny tcp any any eq ftp
> access-list 120 permit ip any any
>
>
> Can anyone help me out in finding/matching these acl_id in the RADIUS
> Server...(Windows 2003)
I have no clue about RADIUS on Win but in general you have two options:
a) configure the ACL on the NAS and let the RADIUS return only the proper
ACL list number
b) configure the ACL completely within the RADIUS, e.g.:
cisco-avpair += "ip:inacl#1=deny tcp any any eq ftp"
cisco-avpair += "ip:inacl#2=permit ip any any"
Both methods require, AFAIK, that your NAS uses AAA for profile/interface
configuration.
-Gerald
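The two options above, as an added example that is not part of the original thread: a small Python encoder for what the RADIUS server has to put into the Access-Accept. Option a) is expressed as a Filter-Id (attribute 11) carrying the NAS-side ACL number in the "<acl>.in" form Cisco IOS documents for Filter-Id; option b) is expressed as Vendor-Specific (attribute 26) attributes with Vendor-Id 9 (Cisco) and vendor type 1 (cisco-avpair), one per "ip:inacl#N=..." entry. The encoder refuses an ACE that does not start with permit or deny, which is exactly the slip in the first avpair as originally posted. The function and constant names are this example's own, and the sample ACL is constructed from the poster's access-list 120.

```python
import struct

# RFC 2865 attribute types and the Cisco vendor space (names are this example's own)
RADIUS_FILTER_ID = 11
RADIUS_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1  # vendor type 1 == cisco-avpair


def is_valid_ace(ace: str) -> bool:
    """An inacl entry must be a complete ACE, i.e. start with permit or deny.
    'tcp any any eq ftp' on its own is not one, which is the easy mistake to make."""
    return ace.startswith("permit ") or ace.startswith("deny ")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Type | Length (including the 2-byte header) | Value, as in RFC 2865."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(avpair: str) -> bytes:
    """Wrap one cisco-avpair string in Vendor-Specific / Vendor-Id 9 / Vendor-Type 1."""
    text = avpair.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text
    return radius_attr(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def acl_by_reference(acl_number: int, direction: str = "in") -> bytes:
    """Option a): the ACL is configured on the NAS; RADIUS only names it (Filter-Id '120.in')."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    return radius_attr(RADIUS_FILTER_ID, f"{acl_number}.{direction}".encode("ascii"))


def acl_by_avpairs(entries) -> bytes:
    """Option b): the whole ACL travels in the Access-Accept as ip:inacl#1=..., ip:inacl#2=..."""
    out = b""
    for index, ace in enumerate(entries, start=1):
        if not is_valid_ace(ace):
            raise ValueError(f"not a complete ACE (missing permit/deny): {ace!r}")
        out += cisco_avpair(f"ip:inacl#{index}={ace}")
    return out


def decode_cisco_avpairs(buf: bytes) -> list:
    """Walk a RADIUS attribute list and return the cisco-avpair strings found in it."""
    found = []
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("malformed attribute length")
        value = buf[pos + 2:pos + length]
        if attr_type == RADIUS_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vendor_type, vendor_len = value[4], value[5]
            if vendor_type == CISCO_AVPAIR:
                found.append(value[6:4 + vendor_len].decode("ascii"))
        pos += length
    return found


# Constructed sample: the poster's access-list 120, as it should reach the NAS.
SAMPLE_ACL = ["deny tcp any any eq ftp", "permit ip any any"]

if __name__ == "__main__":
    print(acl_by_reference(120).hex())
    for avpair in decode_cisco_avpairs(acl_by_avpairs(SAMPLE_ACL)):
        print(avpair)
```

Whichever option you pick, verify on the NAS with "show ip access-lists" (or the per-session output of "show users"/"show interfaces virtual-access") that the downloaded entries are actually applied to the VPN user's virtual interface; an ACL that never arrives fails open to whatever the interface's static configuration permits.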