Hi,
This is kinda what I have been looking at over the past few weeks, but have been distracted with other things and not really got my head around it.
We have a lot of DSL customers with static IPs & routed blocks... now how could I apply it?
Static IPs I could change their IP to a private 10.100.x.x IP then once paid change it back... scripting that is easy.... but for customers with routed blocks... how could I do that..
Could you not do it with an access list & avpair?
Regards,
Alex
________________________________
From: cisco-bba-bounces@puck.nether.net on behalf of Ian Henderson
Sent: Sun 10/07/2005 06:29
To: Mark Tohill
Cc: cisco-bba@puck.nether.net
Subject: [SPAM] - Re: [cisco-bba] Redirection to WWW determined by AVP - Email found in subject
On Fri, 8 Jul 2005, Mark Tohill wrote:
> Thought that this would be moving towards Policy-Based-Routing, routing
> on source rather than destination. Is this a possibility, or is their a
> smarter way to implement this via RADIUS?
Assign the users you wish to redirect a block of RFC1918 address space
when they login. This address space is policy-routed to your 'playpen'
machine. This is how we do it for customers who are suspended or have to
change their dial number or similar.
access-list 98 remark *** Playpen
access-list 98 permit 10.100.0.0 0.0.255.255
!
route-map PLAYPEN permit 5
match ip address 98
set ip next-hop 10.13.102.1
!
route-map PLAYPEN permit 20
The next hop can either be your web server, or a tunnel towards a router
on the same subnet.
The only drawback to this approach is the customer has to disconnect to
get 'real' Internet access once they're done paying their bill/agreeing to
the T&C's/etc.
Other suggestions include:
- Use a VRF with a different default route. You'd still need the directly
connected web server, or a tunnel to it, or MPLS to get traffic to go
the right direction.
- Investigate Cisco's SSG stuff. I only know Marketing-speak about it, but
apparently it does exactly what you're after. Multiple services are
defined ('Internet', 'Playpen', 'Free Gaming only', etc). RADIUS
authenticates the user when they want to access each service (defined by
IP address or interface) giving access based on business rules. So if I
understand the whole thing correctly, you could put all users by default
in the 'Playpen' service, then only let the signed up customers access
anything else.
- If you already transparently cache users, intercept them here using an
LDAP lookup or similar.
Rgds,
- I.
--
Ian Henderson, CCIE #14721
Senior Network Engineer
iiNet Limited
Chime Communications Pty Ltd
_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
This is kinda what I have been looking at over the past few weeks, but have been distracted with other things and not really got my head around it.
We have a lot of DSL customers with static IPs & routed blocks... now how could I apply it?
Static IPs I could change their IP to a private 10.100.x.x IP then once paid change it back... scripting that is easy.... but for customers with routed blocks... how could I do that..
Could you not do it with an access list & avpair?
Regards,
Alex
________________________________
From: cisco-bba-bounces@puck.nether.net on behalf of Ian Henderson
Sent: Sun 10/07/2005 06:29
To: Mark Tohill
Cc: cisco-bba@puck.nether.net
Subject: [SPAM] - Re: [cisco-bba] Redirection to WWW determined by AVP - Email found in subject
On Fri, 8 Jul 2005, Mark Tohill wrote:
> Thought that this would be moving towards Policy-Based-Routing, routing
> on source rather than destination. Is this a possibility, or is their a
> smarter way to implement this via RADIUS?
Assign the users you wish to redirect a block of RFC1918 address space
when they login. This address space is policy-routed to your 'playpen'
machine. This is how we do it for customers who are suspended or have to
change their dial number or similar.
access-list 98 remark *** Playpen
access-list 98 permit 10.100.0.0 0.0.255.255
!
route-map PLAYPEN permit 5
match ip address 98
set ip next-hop 10.13.102.1
!
route-map PLAYPEN permit 20
The next hop can either be your web server, or a tunnel towards a router
on the same subnet.
The only drawback to this approach is the customer has to disconnect to
get 'real' Internet access once they're done paying their bill/agreeing to
the T&C's/etc.
Other suggestions include:
- Use a VRF with a different default route. You'd still need the directly
connected web server, or a tunnel to it, or MPLS to get traffic to go
the right direction.
- Investigate Cisco's SSG stuff. I only know Marketing-speak about it, but
apparently it does exactly what you're after. Multiple services are
defined ('Internet', 'Playpen', 'Free Gaming only', etc). RADIUS
authenticates the user when they want to access each service (defined by
IP address or interface) giving access based on business rules. So if I
understand the whole thing correctly, you could put all users by default
in the 'Playpen' service, then only let the signed up customers access
anything else.
- If you already transparently cache users, intercept them here using an
LDAP lookup or similar.
Rgds,
- I.
--
Ian Henderson, CCIE #14721
Senior Network Engineer
iiNet Limited
Chime Communications Pty Ltd
_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba