[cisco-nas] Radius Per-User Access Lists

Stephen Malenshek stephen at valuelinx.net
Sat Feb 12 12:51:57 EST 2005


I need assistance in converting the following rad-reply in radius to a
per-user access-list that can be applied from the rad-reply.  The strange
thing is that some users that have DNS already specified on the client
machine do not accept the new DNS entries passed to it, but simply keep
operating with what they already have.  The thing is, when we do account
suspensions, we for all port 80 & 443 traffic to 208.189.209.7 and all DNS
entries to 208.189.209.15 which has DNS already configured to where no
matter what address they enter, it will always resolve back to
208.189.209.7.

My thoughts were to apply an access-list to the user on connect using
cisco-avpairs, but simply stated, I do not know enough about access-lists to
do the job.  If someone would assist me in this, or point me in the
direction with some examples of this it would be greatly appreciated.

Ascend-Client-Primary-DNS = 208.189.209.15, \
Ascend-Client-Secondary-DNS = 208.189.209.15, \
Ascend-Client-Assign-DNS = DNS-Assign-Yes, \
Ascend-Data-Filter = "ip in forward tcp est", \
Ascend-Data-Filter = "ip in drop tcp dstport = 25", \
Ascend-Data-Filter = "ip in drop tcp dstport = 110", \
Ascend-Data-Filter = "ip out forward tcp est", \
Ascend-Data-Filter = "ip out drop tcp dstport = 25", \
Ascend-Data-Filter = "ip in forward dstip 208.189.209.15/32 udp dstport = 53", \
Ascend-Data-Filter = "ip in forward dstip 208.189.209.7/32 tcp dstport = 80", \
Ascend-Data-Filter = "ip in forward dstip 208.189.209.7/32 tcp dstport = 443", \
Ascend-Data-Filter = "ip in drop", \
Ascend-Data-Filter = "ip out forward"
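The per-user access list the post asks for, written as an added example that is not part of the original message: the same walled-garden policy carried in Cisco-AVPair reply items, which Cisco IOS turns into a per-user inbound and outbound ACL on the user's interface. It assumes the RADIUS server's dictionary names the attribute Cisco-AVPair and that the NAS runs IOS with network authorization pointed at RADIUS; the entry numbers (#1 to #7) are the example's own.

```text
# Added example (not from the original post): Cisco IOS per-user ACL
# equivalent of the Ascend-Data-Filter reply above.
#   "ip in"  = packets arriving from the dial-in user  -> ip:inacl#N
#   "ip out" = packets sent toward the dial-in user    -> ip:outacl#N
# Entries are matched in order of N; the first match wins, as in the
# Ascend filter list.
Cisco-AVPair = "ip:inacl#1=permit tcp any any established", \
Cisco-AVPair = "ip:inacl#2=deny tcp any any eq 25", \
Cisco-AVPair = "ip:inacl#3=deny tcp any any eq 110", \
Cisco-AVPair = "ip:inacl#4=permit udp any host 208.189.209.15 eq 53", \
Cisco-AVPair = "ip:inacl#5=permit tcp any host 208.189.209.7 eq 80", \
Cisco-AVPair = "ip:inacl#6=permit tcp any host 208.189.209.7 eq 443", \
Cisco-AVPair = "ip:inacl#7=deny ip any any", \
Cisco-AVPair = "ip:outacl#1=permit tcp any any established", \
Cisco-AVPair = "ip:outacl#2=deny tcp any any eq 25", \
Cisco-AVPair = "ip:outacl#3=permit ip any any"
```

Because inacl#4 admits UDP 53 only toward 208.189.209.15, a client that ignores the pushed DNS servers and keeps its own cannot reach them, which is what keeps the redirect effective regardless of the client's local settings. On the NAS, `show ip access-lists` lists the dynamically built per-user ACLs so the applied policy can be checked after a suspended user connects.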