[cisco-nas] Radius Per-User Access Lists
gk at ax.tc
Sat Feb 12 20:03:03 EST 2005
On Saturday 12 February 2005 19:01, Stephen Malenshek wrote:
> I need assistance in converting the following rad-reply in radius
> to a per-user access-list that can be applied from the rad-reply.
> The strange thing is that some users that have DNS already
> specified on the client machine do not accept the new DNS entries
> passed to it, but simply keep operating with what they already
> have.
This is a normal behavior. Only when the client allows dynamic DNS
server configuration will the DNS-reply-values from the NAS be
used. If you configure static DNS on the client then the
DNS-reply-values will be ignored. The same with IP addresses...
> The thing is, when we do account suspensions, we for all
> port 80 & 443 traffic to 208.189.209.7 and all DNS entries to
> 208.189.209.15 which has DNS already configured to where no
> matter what address they enter, it will always resolve back to
> 208.189.209.7.
Sorry, but I don't get your point here. Looks like you're trying to
redirect all traffic to some fixed servers but it is not clear to
me.
> My thoughts were to apply an access-list to the user on connect
> using cisco-avpairs, but simply stated, I do not know enough
> about access-lists to do the job. If someone would assist me in
> this, or point me in the direction with some examples of this it
> would be greatly appreciated.
Generally you can create per-user ACLs on Cisco NASs with the
following user attributes (only as an example - not very useful):
Cisco-AVPair = "ip:inacl#1=permit icmp any any",
Cisco-AVPair += "ip:inacl#2=permit udp any any eq 53",
Cisco-AVPair += "ip:inacl#3=deny ip any any log"
Maybe that helps a little bit.
--
Gerald
()
/\ ASCII RIBBON AGAINST HTML MAILS
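The following is an added worked example, not part of the original thread and not code from either poster. It builds the kind of per-user inbound ACL Gerald describes, but shaped for the suspension case Stephen asked about: DNS allowed only to the suspension resolver, web traffic allowed only to the portal host, everything else dropped and logged. The portal and resolver addresses are taken from the thread as sample values; the username, the regex used as a syntax check, and the FreeRADIUS users-file layout are assumptions of this example (the `ip:inacl#N` / `Cisco-AVPair` attributes are the ones named in the thread).

```python
import re

# Sample values taken from the thread (captive portal host and the
# resolver used during suspension); the username below is constructed.
PORTAL_HOST = "208.189.209.7"
SUSPEND_DNS = "208.189.209.15"

# Rough syntax check for the extended-ACL entries that Cisco IOS accepts
# inside ip:inacl#N: action, protocol, source, destination, optional
# "eq <port>" and optional "log". This is an assumed, deliberately narrow
# pattern, not IOS's full ACL grammar.
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp|icmp)\s+"
    rf"(any|host\s+{_IPV4})\s+"
    rf"(any|host\s+{_IPV4})"
    r"(?:\s+eq\s+\w+)?(?:\s+log)?$"
)


def validate_ace(ace: str) -> bool:
    """Return True if the ACE matches the accepted subset of IOS ACL syntax."""
    return bool(_ACE_RE.match(ace.strip()))


def suspended_user_acl() -> list:
    """Inbound ACL (packets arriving from the subscriber) for a suspended
    account: DNS only to the suspension resolver, HTTP/HTTPS only to the
    portal host, and an explicit logged deny for everything else."""
    return [
        f"permit udp any host {SUSPEND_DNS} eq 53",
        f"permit tcp any host {PORTAL_HOST} eq 80",
        f"permit tcp any host {PORTAL_HOST} eq 443",
        "deny ip any any log",
    ]


def to_avpairs(aces) -> list:
    """Number the entries in order and wrap each as an ip:inacl#N value.
    A malformed entry raises instead of silently producing an ACL that
    IOS would reject (and then apply no filtering at all)."""
    out = []
    for n, ace in enumerate(aces, start=1):
        if not validate_ace(ace):
            raise ValueError(f"bad ACE: {ace!r}")
        out.append(f"ip:inacl#{n}={ace}")
    return out


def users_file_entry(username: str, aces) -> str:
    """Render a FreeRADIUS users-file entry. The first reply attribute
    uses '=', the rest '+=' so each Cisco-AVPair is added to the reply
    rather than replacing the previous one; all but the last line end
    with a comma, as the users-file format requires."""
    pairs = to_avpairs(aces)
    lines = [username]
    for i, pair in enumerate(pairs):
        op = "=" if i == 0 else "+="
        sep = "," if i < len(pairs) - 1 else ""
        lines.append(f'\tCisco-AVPair {op} "{pair}"{sep}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(users_file_entry("suspended01", suspended_user_acl()))
```

`ip:inacl` is applied to traffic coming in from the subscriber on the virtual-access interface, which is the direction that matters for the suspension case; the resolver and portal host still need their own reachability on the NAS for the redirect to work.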