[cisco-nas] per-user ACL
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Tue Aug 19 15:56:53 EDT 2003
Hi,
> I'm just trying to find the appropriate acl for a vpn customer.
>
> I want to avoid changing the acl through our aaa system (radius/ldap)
> until I come to a final acl config. So it would be nice if I could
> change the acl while the customer is connected.
Hmm, trial and error :-)
Well, in that case I would create a named ACL on the box and reference
it on the customer's vaccess using Cisco-avpair =
"lcp:interface-config=ip access-group testacl in". Then you can work on
this ACL, and when you're done, code this ACL as per-user ACL in the
customer's profile.
oli
>
> Oliver Boehmer (oboehmer) wrote:
>
> > > Is there a way I can change the per-user acl after it has been
> > > applied on an interface?
> >
> >
> > You might actually be able to change the ACL itself using the CLI,
> > but this is undocumented, and behaviour might vary in different IOS
> > releases.. You can't change the vaccess config while the user is
> > connected..
> >
> >
> > > I tried to remove the "Virtual-Access6#49414551" from Vi6, but
> > > that wasn't possible.
> >
> >
> > How? "no ip access-list extended Virtual-Access6#49414551"? This
> > might actually work..
> >
> > What are you trying to achieve?
> >
> > oli
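
An added example, not part of the original thread: once the named test ACL referenced through "lcp:interface-config" is final, a small script like this can turn its entries into per-user ACL attributes for the customer's profile. The sample config, the addresses in it, the function name and the users-file style output layout are assumptions made for illustration; the ACL name testacl is the one used in the message above.

```python
import re

# Constructed sample: the named test ACL as it might look in the NAS config.
SAMPLE_CONFIG = """\
ip access-list extended testacl
 remark constructed test policy
 permit tcp any host 192.0.2.10 eq 443
 permit udp any host 192.0.2.53 eq domain
 deny   ip any 10.0.0.0 0.255.255.255 log
 permit icmp any any echo
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
"""

HEADER = re.compile(r"^ip access-list extended\s+(\S+)\s*$")

def acl_to_avpairs(config, acl_name, direction="in", step=10):
    """Turn one named extended ACL into per-user ACL Cisco-avpair lines.

    Assumption: output uses a users-file style 'Cisco-avpair = "..."' layout;
    adapt it to whatever the RADIUS/LDAP backend stores.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    entries, inside = [], False
    for line in config.splitlines():
        m = HEADER.match(line)
        if m:
            inside = m.group(1) == acl_name
            continue
        if not inside:
            continue
        if not line.startswith(" "):      # left the ACL sub-mode
            inside = False
            continue
        ace = " ".join(line.split())      # collapse IOS column padding
        ace = re.sub(r"^\d+ ", "", ace)   # drop a sequence number if present
        if ace.startswith(("permit ", "deny ")):  # remarks are skipped
            entries.append(ace)
    if not entries:
        raise LookupError(f"no entries found for ACL {acl_name!r}")
    # The #N suffix fixes evaluation order, so keep the tested order.
    return [f'Cisco-avpair = "ip:{direction}acl#{n * step}={ace}"'
            for n, ace in enumerate(entries, 1)]

if __name__ == "__main__":
    print("\n".join(acl_to_avpairs(SAMPLE_CONFIG, "testacl")))
```

The generated lines replace the "lcp:interface-config=ip access-group testacl in" attribute in the profile, after which the named ACL on the box is no longer needed.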