[cisco-bba] LNS: per user ACL with AAA
gk at pop-interactive.de
Mon Dec 27 08:57:41 EST 2004
Oliver Boehmer (oboehmer) wrote:
>>I'll play around with certain RADIUS based user restrictions and
>>wonder why some Cisco-AVPair's (like "lcp:interface-config=xxx")
>>works but others don't. Especially the ACL-Attr "ip:inacl=xxx" seems
>>not to be recognized from our LNS.
>>At the moment I'am not sure if this is a LNS (12.3(2)T7) or a RADIUS
>>(freeRADIUS) problem. Someone out there who get "ip:[in/out]acl"
>>working or who have some hints?
> Can you post your AAA profile and/or "debug aaa radius authen" & "debug
> aaa per-user"? I didn't try with 12.3(2)T7, but 12.3M happily accepts
> and applies per-user ACLs constructed via "ip:inacl" on an LNS.
Just when reconsidering I found the (my) problem: multiple Cisco-AVPairs
for one user have to be declared via "+=" and not "=". Otherwise only the
first Cisco-AVPair will be sent to the NAS.
Sorry for wasting time but thx for the quick response.
More information about the cisco-bba