Mailing List Archive: Cisco: BBA

LNS: per user ACL with AAA



gk at pop-interactive

Dec 27, 2004, 5:02 AM

Post #1 of 3 (1335 views)
LNS: per user ACL with AAA

Hello,

I'll play around with certain RADIUS based user restrictions and
wonder why some Cisco-AVPairs (like "lcp:interface-config=xxx")
work but others don't. Especially the ACL-Attr "ip:inacl=xxx" seems
not to be recognized by our LNS.

At the moment I'm not sure if this is an LNS (12.3(2)T7) or a RADIUS
(freeRADIUS) problem. Is there someone out there who got "ip:[in/out]acl" working
or who has some hints?

Thx
--
Gerald


oboehmer at cisco

Dec 27, 2004, 5:23 AM

Post #2 of 3 (1305 views)
RE: LNS: per user ACL with AAA [In reply to]

> I'll play around with certain RADIUS based user restrictions and
> wonder why some Cisco-AVPairs (like "lcp:interface-config=xxx")
> work but others don't. Especially the ACL-Attr "ip:inacl=xxx" seems
> not to be recognized by our LNS.
>
> At the moment I'm not sure if this is an LNS (12.3(2)T7) or a RADIUS
> (freeRADIUS) problem. Is there someone out there who got "ip:[in/out]acl"
> working or who has some hints?

Can you post your AAA profile and/or "debug aaa radius authen" & "debug
aaa per-user"? I didn't try with 12.3(2)T7, but 12.3M happily accepts
and applies per-user ACLs constructed via "ip:inacl" on an LNS.

oli


gk at pop-interactive

Dec 27, 2004, 6:57 AM

Post #3 of 3 (1310 views)
Re: LNS: per user ACL with AAA [In reply to]

Oliver Boehmer (oboehmer) wrote:
>>I'll play around with certain RADIUS based user restrictions and
>>wonder why some Cisco-AVPairs (like "lcp:interface-config=xxx")
>>work but others don't. Especially the ACL-Attr "ip:inacl=xxx" seems
>>not to be recognized by our LNS.
>>
>>At the moment I'm not sure if this is an LNS (12.3(2)T7) or a RADIUS
>>(freeRADIUS) problem. Is there someone out there who got "ip:[in/out]acl"
>>working or who has some hints?
>
>
> Can you post your AAA profile and/or "debug aaa radius authen" & "debug
> aaa per-user"? I didn't try with 12.3(2)T7, but 12.3M happily accepts
> and applies per-user ACLs constructed via "ip:inacl" on an LNS.

Just when reconsidering I found the (my) problem: multiple Cisco-AVPairs
for one user have to be declared via "+=" and not "=". Otherwise only the
first Cisco-AVPair will be sent to the NAS.

Sorry for wasting time but thx for the quick response.

--
Gerald
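The fix described in the last post, written out as an added freeRADIUS `users` file entry (this is not from the original thread); the username, password, ACL lines and MTU value are placeholders, and the `User-Password ==` check-item form is assumed for the freeRADIUS release of that era:

```conf
# Broken entry: with "=" on a reply item, freeRADIUS only adds the
# attribute if it is not already in the reply list, so the second and
# third Cisco-AVPair lines are silently dropped and the LNS never
# receives the ip:inacl ACL. Only "lcp:interface-config" is applied.
#
# ppp-user  User-Password == "placeholder-secret"
#           Service-Type = Framed-User,
#           Framed-Protocol = PPP,
#           Cisco-AVPair = "lcp:interface-config=ip mtu 1492",
#           Cisco-AVPair = "ip:inacl#1=permit tcp any any eq 80",
#           Cisco-AVPair = "ip:inacl#2=deny ip any any"

# Corrected entry: "+=" appends every Cisco-AVPair to the Access-Accept,
# so the LNS gets the interface config and both per-user ACL entries.
# ip:inacl#<n>= numbers the ACL entries; the LNS builds one inbound ACL
# from them and attaches it to the user's virtual-access interface.
ppp-user  User-Password == "placeholder-secret"
          Service-Type = Framed-User,
          Framed-Protocol = PPP,
          Cisco-AVPair += "lcp:interface-config=ip mtu 1492",
          Cisco-AVPair += "ip:inacl#1=permit tcp any any eq 80",
          Cisco-AVPair += "ip:inacl#2=deny ip any any"
```

Because a dropped attribute fails silently on the RADIUS side, confirm on the LNS with the "debug aaa per-user" output mentioned above that all three AV pairs arrive and that the ACL is actually installed on the user's session.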
