Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Cisco>
  3. NAS
AAA: Filtering assigned IP adresses
Benoit.GRANGE at fr
Mar 23, 2004, 8:57 AM
Post #1 of 2 (416 views)
Permalink
Hello,

we have some NAS (and some LNS) where users receive static IP adresses via RADIUS, like

Framed-IP-Address = 62.210.1.1
Framed-IP-Netmask = 255.255.255.240

but sometimes the RADIUS provisioning fails and we have

Framed-IP-Address = 62.210.1.1
Framed-IP-Netmask = 0.0.0.0 (!!!)

which leads to a virtual-access interface which acts as a default route and receives all trafic.

Is there a way to configure the NAS to refuse adresses assignments of this kind ? I would like to find some fool proof config in the NAS to prevent that kind of problems.

Being able to refuse assignments of adresses outside a range (like having a prefix list filtering BGP announcements) would be very nice.

Thanks in advance,

BenoƮt
RE: AAA: Filtering assigned IP adresses [ In reply to ]
oboehmer at cisco
Mar 24, 2004, 10:46 AM
Post #2 of 2 (415 views)
Permalink
> we have some NAS (and some LNS) where users receive static IP
> adresses via RADIUS, like
>
> Framed-IP-Address = 62.210.1.1
> Framed-IP-Netmask = 255.255.255.240
>
> but sometimes the RADIUS provisioning fails and we have
>
> Framed-IP-Address = 62.210.1.1
> Framed-IP-Netmask = 0.0.0.0 (!!!)
>
> which leads to a virtual-access interface which acts as a default
> route and receives all trafic.
>
> Is there a way to configure the NAS to refuse adresses assignments of
> this kind ? I would like to find some fool proof config in the NAS to
> prevent that kind of problems.

I don't know of any way to filter the *contents* of an attribute in IOS. So far we can only filter complete attributes.

There might even be customers using framed-netmask 0.0.0.0 on purpose, so just filtering out this assignment would possibly break existing configs. not sure...

oli

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal