[nsp] Radius and Cisco AVPairs - restricting access/syntax

From: Dave VanAuken (dave@hawk-systems.com)
Date: Thu Dec 13 2001 - 10:21:30 EST


Trying to pass restrictions/attributes to dialup users... am running into a
problem with a specific restriction, think I am not understanding something.

The following works... allows the user to use any resources, but only a single
SMTP server. DNS defaults to what is set on the NAS

---
Cisco-AVPair = "ip:inacl#1=permit tcp any 206.47.131.0 0.0.0.255 eq smtp"
Cisco-AVPair = "ip:inacl#2=deny tcp any any eq smtp"
Cisco-AVPair = "ip:inacl#3=permit ip any any"
Cisco-AVPair = "ip:inacl#4=permit icmp any any"
---
Since that was working without incident, the NAS, RADIUS, and client were all
sending and receiving the pairs correctly, now to implement a more restrictive
set.

We now want to use for this user two specific DNS servers which differ from the default NAS servers. We also want to restrict this user's access to just the .12 server and the resources contained on it (assuming that if .12 is working and others are not, we can enter any IPs the user will actually need). This however fails with no access to .12 or anywhere else... am I missing something or have I misconstrued the syntax for the AVpairs?

---
Cisco-AVPair = "ip:dns-servers=206.47.131.6 206.47.131.7"
Cisco-AVPair = "ip:inacl#1=permit tcp any 206.47.131.12"
Cisco-AVPair = "ip:inacl#2=deny tcp any any"
Cisco-AVPair = "ip:inacl#3=permit ip any 206.47.131.12"
Cisco-AVPair = "ip:inacl#4=deny ip any any"
Cisco-AVPair = "ip:inacl#5=permit icmp any any"
---

Insight would be appreciated as we would like to have all this sort of thing passed back to the NAS from the RADIUS database to eliminate excessive editing/maintenance of multiple NAS configs.

Dave
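The two AVPair sets above are ordinary first-match access lists, so the quickest way to see what each one does to a given flow is to walk the entries in sequence order. The following is an added example (not code from the original post or from Cisco); it is a small Python evaluator that parses the `ip:inacl#N=...` pairs exactly as quoted in the message, ignores the non-ACL `ip:dns-servers` pair, and evaluates both lists against a few constructed packets from an assumed dial-up pool address `10.1.1.1`. It assumes top-down evaluation with an implicit deny at the end, and it treats a bare destination address with no wildcard (as in entries #1 and #3 of the second set) as a single-host match; it does not model how the NAS itself parses that form. Running it shows two things the post's own lists imply: in the restrictive set, UDP/53 to the listed DNS servers 206.47.131.6/.7 falls through to `deny ip any any` (#4), and entry #5 (`permit icmp any any`) can never be reached because #4 already matches every IP packet, just as #4 in the working set is shadowed by #3.

```python
"""Toy first-match evaluator for Cisco-AVPair "ip:inacl#N=..." entries.

Added example, not from the original post.  Assumptions: entries are
evaluated top-down by sequence number with an implicit deny at the end,
and a bare destination address with no wildcard mask is treated as one
host (the evaluator does not model IOS command parsing itself).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords that appear in the post plus the usual DNS/HTTP names.
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _is_quad(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(tokens):
    """Consume one address spec; return ((base, care_mask), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0xFFFFFFFF), tokens[2:]
    base = _ip(tokens[0])
    if len(tokens) > 1 and _is_quad(tokens[1]):
        # "network wildcard": bits set in the wildcard are don't-care bits.
        wildcard = _ip(tokens[1])
        return (base, 0xFFFFFFFF ^ wildcard), tokens[2:]
    # Bare address, no wildcard: treated as a host (assumption, see docstring).
    return (base, 0xFFFFFFFF), tokens[1:]


def parse_inacl(avpair: str):
    """Parse one 'ip:inacl#N=<ace>' string; return None for other AVPairs."""
    key, sep, value = avpair.partition("=")
    if not sep or not key.startswith("ip:inacl#"):
        return None
    seq = int(key[len("ip:inacl#"):])
    tok = value.split()
    action, proto = tok[0], tok[1]
    src, tok = _parse_addr(tok[2:])
    dst, tok = _parse_addr(tok)
    dport = None
    if tok[:1] == ["eq"]:
        dport = PORT_NAMES.get(tok[1]) or int(tok[1])
    return seq, action, proto, src, dst, dport


def load_acl(avpairs):
    """Keep only inacl entries, ordered by sequence number."""
    rules = [r for r in map(parse_inacl, avpairs) if r is not None]
    return sorted(rules, key=lambda r: r[0])


def _addr_match(spec, ip: str) -> bool:
    base, care = spec
    return (_ip(ip) & care) == (base & care)


def evaluate(acl, pkt: Packet):
    """Return (action, matching sequence number); implicit deny -> ('deny', None)."""
    for seq, action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, seq
    return "deny", None


# The two AVPair sets quoted in the post, verbatim.
WORKING = [
    "ip:inacl#1=permit tcp any 206.47.131.0 0.0.0.255 eq smtp",
    "ip:inacl#2=deny tcp any any eq smtp",
    "ip:inacl#3=permit ip any any",
    "ip:inacl#4=permit icmp any any",
]
RESTRICTED = [
    "ip:dns-servers=206.47.131.6 206.47.131.7",   # not an ACL entry; skipped
    "ip:inacl#1=permit tcp any 206.47.131.12",
    "ip:inacl#2=deny tcp any any",
    "ip:inacl#3=permit ip any 206.47.131.12",
    "ip:inacl#4=deny ip any any",
    "ip:inacl#5=permit icmp any any",
]

# Constructed sample flows from an assumed dial-up pool address.
SAMPLES = {
    "smtp to 206.47.131.5": Packet("tcp", "10.1.1.1", "206.47.131.5", 25),
    "smtp to outside":      Packet("tcp", "10.1.1.1", "198.51.100.9", 25),
    "http to 206.47.131.12": Packet("tcp", "10.1.1.1", "206.47.131.12", 80),
    "dns to 206.47.131.6":  Packet("udp", "10.1.1.1", "206.47.131.6", 53),
    "icmp to outside":      Packet("icmp", "10.1.1.1", "198.51.100.9"),
}


def compare(samples=SAMPLES):
    """Map each sample flow to (result under WORKING, result under RESTRICTED)."""
    a, b = load_acl(WORKING), load_acl(RESTRICTED)
    return {name: (evaluate(a, p), evaluate(b, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (w, r) in compare().items():
        print(f"{name:24s} working={w}  restricted={r}")
```

The `dns to 206.47.131.6` row is the one to look at first: the restrictive set names .6 and .7 as the user's resolvers, yet no entry permits traffic to them, so every lookup dies at #4 and nothing resolves even when .12 itself is reachable.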



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:25 EDT