[cisco-nas] per-user ACL
Anastassios Chatzithomaoglou
achatz at forthnet.gr
Tue Aug 19 17:04:15 EDT 2003
Oliver Boehmer (oboehmer) wrote:
> Hi,
>
>
>>I'm just trying to find the appropriate acl for a vpn customer.
>>
>>I want to avoid changing the acl through our aaa system (radius/ldap)
>>until I come to a final acl config. So it would be nice if I could
>>change the acl while the customer is connected.
>
>
> Hmm, trial and error :-)
>
> Well, in that case I would create a named ACL on the box and reference
> it on the customer's vaccess using Cisco-avpair =
> "lcp:interface-config=ip access-group testacl in". Then you can work on
> this ACL, and when you're done, code this ACL as per-user ACL in the
> customer's profile.
>
> oli
>
That worked fine...
Thx oli ;-)
>
>>Oliver Boehmer (oboehmer) wrote:
>>
>>
>>>>Is there a way I can change the per-user acl after it has been
>>>>applied on an interface?
>>>
>>>
>>>You might actually be able to change the ACL itself using the CLI,
>>>but this is undocumented, and behaviour might vary in different IOS
>>>releases.. You can't change the vaccess config while the user is
>>>connected..
>>>
>>>
>>>
>>>>I tried to remove the "Virtual-Access6#49414551" from Vi6, but
>>>>that wasn't possible.
>>>
>>>
>>>How? "no ip access-list extended Virtual-Access6#49414551"? This
>>>might actually work..
>>>
Although there was no error message displayed after trying the above, the acl wasn't
actually removed... It was still under the va interface.
>>>What are you trying to achieve?
>>>
>>> oli
>
>
--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz at forthnet.gr>
***********************************
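
The last step suggested in the thread (once the named test ACL is final, code it as a per-user ACL in the customer's profile) can be scripted. The following is an added example, not part of the original thread: it converts a named extended ACL from the router config into `ip:inacl#N` Cisco-avpair strings, Cisco's per-user ACL attribute form. The ACL entries, the function names and the FreeRADIUS-style output format are assumptions made for illustration.

```python
import re

# Constructed sample: the named test ACL as it might appear in the running config.
# The entries are illustrative and do not come from the thread.
SAMPLE_ACL = """\
ip access-list extended testacl
 remark vpn customer test filter
 permit tcp any host 192.0.2.10 eq 443
 permit udp any host 192.0.2.53 eq domain
 10 permit icmp any any echo
 deny   ip any any
!
"""

# An ACL entry, optionally preceded by a sequence number
ENTRY = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(.+)$")

def named_acl_to_avpairs(config, acl_name, direction="in"):
    """Return ip:inacl#N / ip:outacl#N avpair strings for one named extended ACL."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    header = f"ip access-list extended {acl_name}"
    pairs, inside = [], False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # Any non-indented line opens or closes an ACL block
            inside = raw.strip() == header
            continue
        if not inside:
            continue
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # remarks and other non permit/deny lines are dropped
        action, rest = m.group(1), " ".join(m.group(2).split())
        # Number entries in config order so the evaluation order is preserved
        pairs.append(f"ip:{direction}acl#{len(pairs) + 1}={action} {rest}")
    if not pairs:
        raise ValueError(f"no entries found for ACL {acl_name!r}")
    return pairs

def radius_lines(pairs):
    """Format avpairs as reply items in FreeRADIUS users-file style (assumed format)."""
    return [f'Cisco-AVPair += "{p}"' for p in pairs]

if __name__ == "__main__":
    print("\n".join(radius_lines(named_acl_to_avpairs(SAMPLE_ACL, "testacl"))))
```

When the per-user entries go into the profile, the temporary `lcp:interface-config=ip access-group testacl in` pair should be removed from it so that only one filter definition applies to the session.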