(RADIATOR) some Ascend-Data-Filter packets not returing

Andreas Stollar andreas at speakeasy.net
Tue Jan 8 14:20:02 CST 2002 

Hello,

Our dial-up vendor just required that we add several Ascend-Data-Filter 
attributes back to them in order to block port 25 connection to the world 
but allow them to our mail servers. The radius.cfg part looks like this:

                AddToReply Service-Type = 2,\
                Framed-Protocol = PPP,\
                Framed-IP-Address = 255.255.255.254,\
                Framed-IP-Netmask = 255.255.255.255,\
                Acct-Status-Type = Accounting-On,\
                Ascend-Data-Filter = "ip in forward tcp est",\
                Ascend-Data-Filter = "ip in forward dstip 
216.254.0.0/24",\
                Ascend-Data-Filter = "ip in drop tcp dstport = 25",\
                Ascend-Data-Filter = "ip in forward",\
                Idle-Timeout = 900



A radwptest -trace shows that the radius server is reponding with:

Attributes:
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-IP-Address = 255.255.255.254
	Framed-IP-Netmask = 255.255.255.255
	Acct-Status-Type = Accounting-On
	Ascend-Data-Filter = ip in forward tcp est
	Ascend-Data-Filter = ip in forward dstip 216.254.0.0/24
	Ascend-Data-Filter = ip in drop tcp dstport = 25
	Ascend-Data-Filter = ip in forward
	Idle-Timeout = 900


However, the second line (the one that is supposed to let people use our 
mail servers - which are in the 216.254.0.0/24 block) seems to not be 
getting back to the NAS device. The NAS device sees all the other packets. 
This is what they sent me:
Packet: code = Access-Accept, id = 7, length = 134, attributes =
        Service-Type = Framed
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Idle-Timeout = 900
        Acct-Status-Type = Accounting-On
        data-filter =
01:01:01:00:00:00:00:00:00:00:00:00:00:00:06:01:00:00:00:00:00:00:00:00
        data-filter =
01:00:01:00:00:00:00:00:00:00:00:00:00:00:06:00:00:00:00:19:00:02:00:00
        data-filter =
01:01:01:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00


They assure me that the second line is not getting back to them. Any ideas 
why this might be happening??



Andreas Stollar
SPEAKEASY.net Sr. System Administrator


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list