[cisco-nas] Problem with per user accesslist via radius

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Oct 1 05:31:45 EDT 2003


Eric,

there is no absolute maximum for the number of per-user ACL lines apart from the maximum Radius profile size of 4096 bytes (which hasn't been enforced by us. In IOS' radius client, the length of a radius profile is limited by the huge buffer size).

You might want to check "debug aaa per-user" and "debug aaa authorization" to see what's going on. 

	oli

----Original Message----
From: eric at tal.de [mailto:eric at tal.de]
Sent: Tuesday, 30 September 2003 16:03
To: cisco-nas at puck.nether.net
Subject: [cisco-nas] Problem with per user accesslist via radius

> Hello cisco-nas,
> 
>   I have the following problem: when I try to set more than 46
>   entries for a per-user filter, only 46 rules are set.
> 
>   We are using a 7206 to terminate an L2TP tunnel with DSL lines.
> 
> Cisco Internetwork Operating System Software
> IOS (tm) 7200 Software (C7200-JO3S-M), Version 12.2(16)B, EARLY
> DEPLOYMENT RELEASE SOFTWARE (fc1) TAC Support:
> http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems,
> Inc. Compiled Mon 12-May-03 20:22 by leccese
> Image text-base: 0x60008954, data-base: 0x61FBE000
> 
> ROM: System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105],
> DEVELOPMENT SOFTWARE BOOTLDR: 7200 Software (C7200-BOOT-M), Version
> 12.0(2)XE2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) 
> 
> cisco 7206VXR (NPE300) processor (revision B) with 229376K/65536K
> bytes of memory. Processor board ID 16069708
> R7000 CPU at 262Mhz, Implementation 39, Rev 1.0, 256KB L2, 2048KB L3
> Cache 6 slot VXR midplane, Version 2.0
> 
> We use a Cistron-radius version 1.6-stable
> 
> A sample config for a user is:
> 
> test#xyz.de Auth-Type = Local, Password = "test"
>     Service-Type = Framed-User,
>     Cisco-AVPair = "ip:dns-servers=81.92.1.1 81.92.1.2",
>     Cisco-AVPair = "ip:inacl#1=deny tcp 0.0.0.0 255.255.255.255
>     x.x.x.x 0.0.0.0 eq 23", .
>     .
>     .
>     Cisco-AVPair = "ip:inacl#51=deny tcp 0.0.0.0 255.255.255.255
>     x.x.x.x 0.0.0.0 eq 443", .
>     .
>     .
>     Cisco-AVPair = "ip:inacl#179=permit ip any any",
>     Framed-Protocol = PPP,
>     Acct-Interim-Interval = 300,
>     Framed-Route = "x.x.x.x/x x.x.x.x 1",
>     Framed-IP-Address = x.x.x.x,
>     Framed-IP-Netmask = x.x.x.x
> 
> Has anybody any idea what's going wrong here, or is there a maximum
> number of rules per user?
> 
> 
> 
> Thanks.
> 
> 
> 
>    Kind regards,
>    Eric Thiele
>    -----------------------------------------------
>    TAL.DE Klaus Internet Service GmbH eric at tal.de
>    Robertstrasse 6  *   D-42107 Wuppertal, Germany
>    Tel: 0202 / 495-0    *      Fax: 0202 / 495-399
>    -----------------------------------------------
> 
> _______________________________________________
> cisco-nas mailing list
> cisco-nas at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nas


