[nsp] Filter-Id for AS5300

'Dennis Peng' dpeng at cisco.com
Thu Jul 31 00:07:45 EDT 2003 

Mark Tinka [mtinka at africaonline.co.ug] wrote:
> Dennis Peng wrote:
> > When you use the Filter-Id attribute, you can reference a numbered or
> > named ACL that is preconfigured on the AS5300. So if you had
> > something trivial like:  
> > 
> > access-list 101 deny icmp any any
> > access-list 101 permit ip any any
> > 
> > Then in the RADIUS profile, you would do something like:
> > 
> > 	Filter-Id = "101"
> > 
> > By default, we will apply the ACL on the outbound side. To explicitly
> > state which direction you want it applied, you can use the .in or
> > .out suffix, ie:  
> > 
> > 	Filter-Id = "101.in"
> > 
> > If you don't want to pre-configure the ACL on the AS5300 and want it
> > specified in the RADIUS profile, you can't use the Filter-Id
> > attribute. Instead, you'll need to use Cisco-AVPair and the inacl
> > attribute, like this;   
> > 
> > 	Cisco-AVPair = "ip:inacl#1=deny icmp any any"
> > 	Cisco-AVPair = "ip:inacl#2=permit ip any any"
> > 
> > We do also support the Ascend-Data-Filter attribute for download
> > ACL's from the RADIUS server. You'll need to specify the
> > "non-standard" keyword in the radius-server host configuration line.  
> > 
> > Dennis
> 
> Many thanks for your response Dennis.
> 
> Actually, I was fiddling around yesterday afternoon and managed to setup a
> named extended IP access list called emailonly. Of course, we already have
> the value 'emailonly' in the Framed-Filter-Id attribute on our RADIUS box.
> It seemed to work as soon as I configured the access list.
> 
> What I didn't understand, are two things; please kindly indulge me:
> 
> 1. How come the named access list doesn't show up in the AS5300's running
> configuration, but will show up under the 'show access-lists' command?

If you configured an named IP ACL called "emailonly", that should be
shown in the running config. There would be something wrong if it
doesn't show. Can you send the log which depicts what you are
describing?

> 2. I would have thought that Cisco access lists always require association
> with 'something' e.g. 'match ip address' when using route maps, or
> 'access-class' when securing an access terminal, or even 'ip access-group'
> when associating an access list to an interface. But, this named access list
> isn't 'associated' to anything, per se. How come RADIUS references it?

The router will translate Filter-Id="emailonly" into "ip access-group
emailonly out" and apply that configuration to the interface the user
is connected to. That's how the per-user ACL is applied.

Does that answer you question?

Dennis

> All help appreciated.
> 
> Regards,
> 
> Mark Tinka - CCNA
> Network Engineer, Africa Online Uganda
> 
>

More information about the cisco-nsp mailing list