RE: sending cisco avpairs via radius to nas, restricting access to users

From: Dave (dave@hawk-systems.com)
Date: Fri Apr 26 2002 - 09:21:13 EDT


The dilemma being, in this particular case, that we do not have direct access to the
AS5300. We are purchasing ports on a remote access server, and have to rely on
sending Cisco-AVPairs to accomplish the same restrictions we have in the
general templates on our privately owned boxes.

Perhaps I should approach this in a more lame fashion...

Using RADIUS to send Cisco AVPairs back to the NAS... what is the correct
format to accomplish the following?

- Assuming the NAS is 10.0.1.1 and modems are distributed IPs from the 10.0.2.0
block
- Assuming all the target resources (as specified below) are located on a remote
network in the internet cloud

1) Have dialup user utilize 192.168.1.6 and 192.168.1.7 as their DNS servers
        currently using;
        print "Cisco-AVPair = \"ip:dns-servers=192.168.1.6 192.168.1.7\"\n";

2) Restrict a dialup user to accessing resources on a particular server
        currently using;
        print "Cisco-AVPair = \"ip:inacl#1=permit tcp any host 192.168.1.10\"\n";
        print "Cisco-AVPair = \"ip:inacl#2=deny tcp any any\"\n";
        print "Cisco-AVPair = \"ip:inacl#3=permit ip any host 192.168.1.10\"\n";
        print "Cisco-AVPair = \"ip:inacl#4=deny ip any any\"\n";

3) Restrict a dialup user to accessing resources on servers in a class C
        currently using;
        # IOS extended ACLs take a network address followed by a wildcard
        # (inverse) mask, not the "host" keyword with a subnet mask
        print "Cisco-AVPair = \"ip:inacl#1=permit tcp any 192.168.1.0 0.0.0.255\"\n";
        print "Cisco-AVPair = \"ip:inacl#2=deny tcp any any\"\n";
        print "Cisco-AVPair = \"ip:inacl#3=permit ip any 192.168.1.0 0.0.0.255\"\n";
        print "Cisco-AVPair = \"ip:inacl#4=deny ip any any\"\n";

4) Allow dialup user to ping anywhere on the internet
        currently using;
        print "Cisco-AVPair = \"ip:inacl#5=permit icmp any any\"\n";

here is a stab in the dark...
5) Allow dialup user to access only 2 SMTP servers on specified networks
        currently using;
        # a single destination address needs the "host" keyword
        print "Cisco-AVPair = \"ip:inacl#3=permit tcp any host 192.168.1.10 eq smtp\"\n";
        print "Cisco-AVPair = \"ip:inacl#4=permit tcp any host 192.168.1.12 eq smtp\"\n";
        print "Cisco-AVPair = \"ip:inacl#5=permit tcp any any eq smtp\"\n";

>From: Josh Duffek [mailto:jduffek@cisco.com]
>
>did you turn on "aaa author network default radius"? turn on "debug aaa
>author"/"debug radius"/"debug ppp nego".
>
<clipped>
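As an added example (not from the original post or its author), the following Python script builds the per-user Cisco-AVPair reply attributes discussed above from a small policy description: DNS servers, destinations reachable on any IP protocol, destinations reachable on SMTP only, and optional ICMP. It assumes the `ip:dns-servers` and `ip:inacl#n` attribute formats shown in the post, converts prefixes to the wildcard-mask form IOS ACLs expect, and closes every ACL with an explicit `deny ip any any`.

```python
import ipaddress


def acl_dst(target):
    """Render an ACL destination: a /32 as 'host A.B.C.D', a prefix as 'addr wildcard'.

    IOS extended ACLs use an inverse (wildcard) mask, so 192.168.1.0/24
    becomes '192.168.1.0 0.0.0.255', never '192.168.1.0 255.255.255.0'.
    """
    net = ipaddress.ip_network(target, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_avpairs(dns=(), allow_ip=(), allow_smtp=(), allow_ping=False):
    """Return the Cisco-AVPair lines for one dialup user.

    dns        : DNS servers handed to the PPP peer
    allow_ip   : hosts/prefixes reachable on any IP protocol ('permit ip' covers tcp)
    allow_smtp : hosts/prefixes reachable on TCP/25 only
    allow_ping : permit ICMP to anywhere
    The inacl is applied inbound on the user's interface, so the source is
    always 'any' (the dialup host).  Entries are evaluated in #n order and the
    list is closed with an explicit deny when any restriction is requested.
    """
    pairs = []
    if dns:
        pairs.append(f'ip:dns-servers={" ".join(dns)}')
    acl = [f"permit ip any {acl_dst(dst)}" for dst in allow_ip]
    acl += [f"permit tcp any {acl_dst(dst)} eq smtp" for dst in allow_smtp]
    if allow_ping:
        acl.append("permit icmp any any")
    if acl:
        acl.append("deny ip any any")
    for n, entry in enumerate(acl, start=1):
        pairs.append(f"ip:inacl#{n}={entry}")
    return [f'Cisco-AVPair = "{p}"' for p in pairs]


if __name__ == "__main__":
    # the class-C case from the post, plus ping (constructed sample policy)
    for line in build_avpairs(dns=("192.168.1.6", "192.168.1.7"),
                              allow_ip=["192.168.1.0/24"], allow_ping=True):
        print(line)
```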



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:55 EDT