(RADIATOR) Re: Remote access ACL control with Radius

Hugh Irvine hugh at open.com.au
Thu Nov 1 06:33:01 CST 2001


Hello Manoj -

What does a trace 4 debug from Radiator show? Is the reply attribute 
actually being sent in the reply correctly? If it is in the reply, 
you will then have to check on the Cisco to see what the Cisco is 
doing with the reply. You can use the debug command on the Cisco to 
see what is really happening.

It may be the case that you will have to use a cisco-avpair to return the 
filter that you want to apply.

In any case, if this is an issue with the Cisco, you will have to 
check with the vendor to see how to implement it.

regards

Hugh


>Hello hugh,
>
>  We are using AS5300 for remote access.
>  In the AS5300 the access lists are like this:
>  access-list 100 permit tcp any host 202.79.68.100 eq pop3
>  access-list 100 permit tcp any host 202.79.68.100 eq smtp
>  access-list 100 deny tcp any any
>  The host 202.79.68.100 is our mail server.
>
>  on the radius server the configuration is like this:
>  ##Default for ETRNMAIL (Email only) users for LOGIN using 15100 (sun AS5300)
>
>  DEFAULT NAS-IP-Address = 202.79.68.192, Auth-Type = Check_SYSTEM, Group = etrnmail, Simultaneous-Use = 1
>       Framed-Protocol = PPP,
>       Framed-MTU = 768,
>       Idle-Timeout = 60,
>       Session-Timeout = 7200,
>       Framed-Compression = Van-Jacobson-TCP-IP,
>       Filter-Id = 100.in,
>       Fall-Through = No
>
>
>  ##Default for PPP users for LOGIN (AS5300)
>
>  DEFAULT NAS-IP-Address = 202.79.68.192, Auth-Type = Check_SYSTEM, Group = ppp, Simultaneous-Use = 1
>       Framed-Protocol = PPP,
>       Framed-MTU = 768,
>       Idle-Timeout = 600,
>       Framed-Compression = Van-Jacobson-TCP-IP,
>       Fall-Through = No
>  As you can see above there are two entries on radius, one is with Filter-id
>  attribute that allows dialup users to check their mails only not internet
>  access and another is without Filter-id attributes that allows dialup users
>  to access internet as well as mails.
>
>  In our case, the Filter-id is not working, I mean users in group that have
>  Filter-id attributes can access internet as well. We need them to allow
>  only access their mails.
>
>  On the other hand, the setting without Filter-id group are working fine.
>
>
>  Hoping a productive reply from you.
>
>  Thanks,
>  manoj

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
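
The first check suggested in the reply above, whether the filter attribute is actually present in the Access-Accept, can be scripted over a saved Trace 4 log. This is an added example, not part of the original message and not Radiator's own code; the sample trace is constructed, its layout is an assumption modelled on Radiator packet dumps, and the function names are hypothetical.

```python
import re

# Constructed sample; layout assumed to follow Radiator's Trace 4 packet dumps.
SAMPLE_TRACE = """\
Thu Nov  1 06:30:11 2001: DEBUG: Packet dump:
*** Received from 202.79.68.192 port 1645 ....
Code:       Access-Request
Identifier: 41
Attributes:
\tUser-Name = "mailonly1"

Thu Nov  1 06:30:11 2001: DEBUG: Packet dump:
*** Sending to 202.79.68.192 port 1645 ....
Code:       Access-Accept
Identifier: 41
Attributes:
\tFramed-Protocol = PPP
\tFilter-Id = "100.in"

Thu Nov  1 06:31:02 2001: DEBUG: Packet dump:
*** Sending to 202.79.68.192 port 1645 ....
Code:       Access-Accept
Identifier: 42
Attributes:
\tFramed-Protocol = PPP
\tIdle-Timeout = 600
"""

# Reply attributes that can carry a filter to the NAS (names from the thread).
FILTER_ATTRS = {"filter-id", "cisco-avpair"}

def accepts_with_filters(trace):
    """Return [(identifier, {attr: [values]})] for each Access-Accept sent."""
    results = []
    for block in re.split(r"\n\s*\n", trace):
        is_accept = re.search(r"^Code:\s+Access-Accept\s*$", block, re.M)
        if "*** Sending to" not in block or not is_accept:
            continue  # skip requests, rejects and non-packet log lines
        ident = re.search(r"^Identifier:\s+(\d+)", block, re.M)
        found = {}
        for name, value in re.findall(r"^[ \t]+([\w-]+) = (.*)$", block, re.M):
            if name.lower() in FILTER_ATTRS:
                found.setdefault(name, []).append(value.strip().strip('"'))
        results.append((int(ident.group(1)) if ident else None, found))
    return results

def unfiltered(trace):
    """Identifiers of Access-Accepts that carry no filter attribute at all."""
    return [i for i, f in accepts_with_filters(trace) if not f]
```

An identifier returned by `unfiltered` means the server never sent the filter; an accept that does carry `Filter-Id` moves the investigation to the NAS side.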

