(RADIATOR) Re: Remote access ACL control with Radius

rik.nagtegaal at stork.com rik.nagtegaal at stork.com
Thu Nov 1 14:06:35 CST 2001


Yep,

You'll have to use the cisco-avpair (you should be able to find the exact
syntax to use in Radiator - I'm sure Hugh can help you with that). The
syntax for the cisco is as follows (we're using the AS5350, and this works
like a champ):
ip:dns-servers=20.1.20.21 20.1.20.23
ip:inacl#1=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.21
ip:inacl#2=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.23
ip:inacl#3=permit icmp any any
ip:inacl#4=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.30
ip:inacl#5=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.201
ip:inacl#6=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.203
ip:inacl#7=permit tcp 5.5.0.0 0.0.255.255 host 1.1.8.5 eq 1352

The first line takes care of DNS assignment for the client, the following
lines give the permit statements on the ACL.
Your lines should look something like:
ip:inacl#1=permit tcp any host 202.79.68.100 eq pop3
ip:inacl#2=permit tcp any host 202.79.68.100 eq smtp

The deny is implicit, as usual with Cisco.

Success!

Rik
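Added example, not code from this thread, from Radiator or from Cisco: the script below renders a per-user ACL as the cisco-avpair strings Rik describes, packs each one as a RADIUS Vendor-Specific attribute (type 26, vendor 9 for Cisco, vendor type 1 for cisco-avpair, as in RFC 2865 and the Cisco dictionary), decodes them back, and runs a small defender check that every inacl line is scoped to the mail host so that the implicit deny is all that remains. The rule-tuple format, the `check_mail_only` helper and the users-file attribute name `cisco-avpair` are assumptions of this example; the host 202.79.68.100 and port names come from the thread.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1     # vendor type of cisco-avpair in the Cisco dictionary


def acl_avpairs(rules, dns_servers=None):
    """Render per-user ACL rules as cisco-avpair strings.

    rules: list of (proto, src, dst_host, port) tuples (assumed format);
    port may be None.  Entries are numbered ip:inacl#1..#n; anything not
    permitted is dropped by the Cisco's implicit deny.
    """
    pairs = []
    if dns_servers:
        pairs.append("ip:dns-servers=" + " ".join(dns_servers))
    for n, (proto, src, dst, port) in enumerate(rules, start=1):
        line = f"ip:inacl#{n}=permit {proto} {src} host {dst}"
        if port is not None:
            line += f" eq {port}"
        pairs.append(line)
    return pairs


def encode_vsa(value):
    """Pack one cisco-avpair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    # vendor sub-attribute: vendor-type, vendor-length (includes these 2 bytes), value
    vendor_part = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for a single RADIUS AVP")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsas(blob):
    """Walk a run of RADIUS attributes and return the cisco-avpair strings found."""
    out = []
    i = 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        if atype == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", blob[i + 2:i + 6])[0]
            j = i + 6
            while j < i + alen:
                vtype, vlen = blob[j], blob[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed vendor sub-attribute")
                if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_TYPE:
                    out.append(blob[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return out


def users_file_reply(pairs):
    """Format the pairs as reply items for a Radiator users file
    (attribute name 'cisco-avpair' assumed from the Radiator dictionary)."""
    return ",\n".join(f'    cisco-avpair = "{p}"' for p in pairs)


def check_mail_only(pairs, mail_host):
    """Return the inacl lines that are NOT restricted to the mail host.

    A mail-only profile should permit traffic to the mail server only; any
    broader permit would reopen the Internet access the profile is meant to block.
    """
    bad = []
    for p in pairs:
        if not p.startswith("ip:inacl#"):
            continue
        rule = p.split("=", 1)[1]
        if f"host {mail_host}" not in rule:
            bad.append(p)
    return bad


if __name__ == "__main__":
    # Constructed sample: the mail-only profile from the thread.
    rules = [("tcp", "any", "202.79.68.100", "pop3"),
             ("tcp", "any", "202.79.68.100", "smtp")]
    pairs = acl_avpairs(rules)
    print(users_file_reply(pairs))
    wire = b"".join(encode_vsa(p) for p in pairs)
    print(decode_vsas(wire))
    print("offending lines:", check_mail_only(pairs, "202.79.68.100"))
```

Each avpair goes in its own Vendor-Specific attribute, which is what a Cisco NAS expects; the length check matters because a long ACL line cannot be split across AVPs. Running it with trace 4 on Radiator, as Hugh suggests, should show the same strings in the Access-Accept.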


Hugh Irvine <hugh at open.com.au>
Sent by: owner-radiator at open.com.au
11/01/2001 01:33 PM
To: Manoj Agrawal <mail at manoj.wlink.com.np>
cc: radiator at open.com.au
Subject: (RADIATOR) Re: Remote access ACL control with Radius





Hello Manoj -

What does a trace 4 debug from Radiator show? Is the reply attribute
actually being sent in the reply correctly? If it is in the reply,
you will then have to check on the Cisco to see what the Cisco is
doing with the reply. You can use the debug command on the Cisco to
see what is really happening.

It may be the case that you will have to use a cisco-avpair to return the
filter that you want to apply.

In any case, if this is an issue with the Cisco, you will have to
check with the vendor to see how to implement it.

regards

Hugh


>Hello hugh,
>
>  We are using AS5300 for remote access.
>  In the AS5300 the access list are like this:
>  access-list 100 permit tcp any host 202.79.68.100 eq pop3
>  access-list 100 permit tcp any host 202.79.68.100 eq smtp
>  access-list 100 deny tcp any any
>  The host 202.79.68.100 is our mail server.
>
>  on the radius server the configuration is like this:
>  ##Default for ETRNMAIL (Email only) users for LOGIN using 15100 (sun AS5300)
>
>  DEFAULT NAS-IP-Address = 202.79.68.192, Auth-Type = Check_SYSTEM, Group = etrnmail, Simultaneous-Use = 1
>       Framed-Protocol = PPP,
>       Framed-MTU = 768,
>       Idle-Timeout = 60,
>       Session-Timeout = 7200,
>       Framed-Compression = Van-Jacobson-TCP-IP,
>       Filter-Id = 100.in,
>       Fall-Through = No
>
>
>  ##Default for PPP users for LOGIN (AS5300)
>
>  DEFAULT NAS-IP-Address = 202.79.68.192, Auth-Type = Check_SYSTEM, Group = ppp, Simultaneous-Use = 1
>       Framed-Protocol = PPP,
>       Framed-MTU = 768,
>       Idle-Timeout = 600,
>       Framed-Compression = Van-Jacobson-TCP-IP,
>       Fall-Through = No
>  As you can see above there are two entries on radius: one is with the Filter-Id
>  attribute that allows dialup users to check their mails only, not internet
>  access, and another is without the Filter-Id attribute that allows dialup users
>  to access the internet as well as mails.
>
>  In our case, the Filter-Id is not working, I mean users in the group that has
>  the Filter-Id attribute can access the internet as well. We need to allow them
>  access only to their mails.
>
>  On the other hand, the settings for the group without Filter-Id are working fine.
>
>
>  Hoping for a productive reply from you.
>
>  Thanks,
>  manoj

--

NB: I am travelling this week, so there may be delays in our
correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.




DISCLAIMER:
The information contained in this communication is confidential and may be
legally privileged. It is intended solely for the use of the individual or
entity to whom it is addressed and others authorized to receive it. If you
are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or taking any action in reliance of the
contents of this information is strictly prohibited and may be unlawful.
Stork is liable for neither the proper and complete transmission of the
information contained in this communication nor for any delay in its
receipt.
