Mailing List Archive

Radius Per-User Access Lists
I need assistance in converting the following rad-reply in radius to a
per-user access-list that can be applied from the rad-reply. The strange
thing is that some users that have DNS already specified on the client
machine do not accept the new DNS entries passed to it, but simply keep
operating with what they already have. The thing is, when we do account
suspensions, we for all port 80 & 443 traffic to 208.189.209.7 and all DNS
entries to 208.189.209.15 which has DNS already configured to where no
matter what address they enter, it will always resolve back to
208.189.209.7.

My thoughts were to apply an access-list to the user on connect using
cisco-avpairs, but simply stated, I do not know enough about access-lists to
do the job. If someone would assist me in this, or point me in the
direction with some examples of this it would be greatly appreciated.

Ascend-Client-Primary-DNS = 208.189.209.15, \
Ascend-Client-Secondary-DNS = 208.189.209.15, \
Ascend-Client-Assign-DNS = DNS-Assign-Yes, \
Ascend-Data-Filter = "ip in forward tcp est", \
Ascend-Data-Filter = "ip in drop tcp dstport = 25", \
Ascend-Data-Filter = "ip in drop tcp dstport = 110", \
Ascend-Data-Filter = "ip out forward tcp est", \
Ascend-Data-Filter = "ip out drop tcp dstport = 25", \
Ascend-Data-Filter = "ip in forward dstip 208.189.209.15/32 udp dstport = 53", \
Ascend-Data-Filter = "ip in forward dstip 208.189.209.7/32 tcp dstport = 80", \
Ascend-Data-Filter = "ip in forward dstip 208.189.209.7/32 tcp dstport = 443", \
Ascend-Data-Filter = "ip in drop", \
Ascend-Data-Filter = "ip out forward"
Radius Per-User Access Lists [ In reply to ]
Sorry for the repost, I sent the initial in HTML, which I know is a nono..

Re: Radius Per-User Access Lists [ In reply to ]
On Saturday 12 February 2005 19:01, Stephen Malenshek wrote:
> I need assistance in converting the following rad-reply in radius
> to a per-user access-list that can be applied from the rad-reply.
> The strange thing is that some users that have DNS already
> specified on the client machine do not accept the new DNS entries
> passed to it, but simply keep operating with what they already
> have.

This is a normal behavior. Only when the client allows dynamic DNS
server configuration the DNS-reply-values from the NAS will be
used. If you configure static DNS on the client then the
DNS-reply-values will be ignored. The same with IP addresses...

> The thing is, when we do account suspensions, we for all
> port 80 & 443 traffic to 208.189.209.7 and all DNS entries to
> 208.189.209.15 which has DNS already configured to where no
> matter what address they enter, it will always resolve back to
> 208.189.209.7.

Sorry, but I don't get your point here. Looks like you're trying to
redirect all traffic to some fixed servers but it is not clear to
me.

> My thoughts were to apply an access-list to the user on connect
> using cisco-avpairs, but simply stated, I do not know enough
> about access-lists to do the job. If someone would assist me in
> this, or point me in the direction with some examples of this it
> would be greatly appreciated.

Generally you can create per-user ACLs on Cisco NASes with the
following user attributes (only as an example - not very useful):

Cisco-AVPair = "ip:inacl#1=permit icmp any any",
Cisco-AVPair += "ip:inacl#2=permit udp any any eq 53",
Cisco-AVPair += "ip:inacl#3=deny ip any any log"

Maybe that helps a little bit.


--
Gerald

()
/\ ASCII RIBBON AGAINST HTML MAILS
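As an added example (not code from either poster), the following Python translator turns the Ascend-Data-Filter strings from Stephen's suspension rad-reply into the numbered Cisco-AVPair ip:inacl#N / ip:outacl#N lines of the form Gerald shows. It assumes Ascend "in" corresponds to the Cisco per-user inbound ACL (traffic arriving from the dial-up user) and "out" to the outbound one, and it emits FreeRADIUS users-file "+=" syntax.

```python
import ipaddress
OPS = {"=": "eq", "!=": "neq", "<": "lt", ">": "gt"}   # Ascend port operators -> Cisco keywords
def cidr_to_acl(spec):
    """a.b.c.d/n -> 'any', 'host a.b.c.d' or 'a.b.c.d wildcard-mask' (Cisco ACL address syntax)."""
    net = ipaddress.ip_network(spec, strict=False)
    if net.prefixlen in (0, 32):
        return "any" if net.prefixlen == 0 else f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"
def ascend_filter_to_ace(rule):
    """Translate one Ascend-Data-Filter string into (direction, Cisco access-list entry)."""
    t = rule.split()
    if len(t) < 3 or t[0] != "ip" or t[1] not in ("in", "out") or t[2] not in ("forward", "drop"):
        raise ValueError(f"unsupported filter: {rule!r}")
    f = {"srcip": "any", "dstip": "any", "srcport": "", "dstport": "", "est": ""}
    proto, i = "ip", 3
    while i < len(t):
        if t[i] in ("srcip", "dstip"):
            f[t[i]], i = cidr_to_acl(t[i + 1]), i + 2
        elif t[i] in ("srcport", "dstport"):      # "dstport = 53" -> " eq 53"
            f[t[i]], i = f" {OPS[t[i + 1]]} {t[i + 2]}", i + 3
        elif t[i] == "est":                       # Ascend 'est' == Cisco 'established' (TCP only)
            f["est"], i = " established", i + 1
        elif t[i] in ("tcp", "udp", "icmp"):
            proto, i = t[i], i + 1
        else:
            raise ValueError(f"unknown token {t[i]!r} in {rule!r}")
    action = "permit" if t[2] == "forward" else "deny"
    return t[1], f"{action} {proto} {f['srcip']}{f['srcport']} {f['dstip']}{f['dstport']}{f['est']}"
def filters_to_avpairs(rules):
    """Emit numbered Cisco-AVPair ip:inacl#N / ip:outacl#N lines in FreeRADIUS 'users' syntax."""
    counters, lines = {"in": 0, "out": 0}, []
    for rule in rules:
        direction, ace = ascend_filter_to_ace(rule)   # assumed: in = from the user, out = to the user
        counters[direction] += 1
        lines.append(f'Cisco-AVPair += "ip:{direction}acl#{counters[direction]}={ace}"')
    return lines
SUSPENDED_FILTERS = [   # the suspension filter set quoted in Stephen's post, in the order given there
    "ip in forward tcp est",
    "ip in drop tcp dstport = 25",
    "ip in drop tcp dstport = 110",
    "ip out forward tcp est",
    "ip out drop tcp dstport = 25",
    "ip in forward dstip 208.189.209.15/32 udp dstport = 53",
    "ip in forward dstip 208.189.209.7/32 tcp dstport = 80",
    "ip in forward dstip 208.189.209.7/32 tcp dstport = 443",
    "ip in drop",
    "ip out forward",
]
```

Order matters on both sides: the Ascend list and the resulting Cisco ACL are evaluated top to bottom with first match winning, so the trailing "ip in drop" becomes the final deny, which a Cisco ACL would apply implicitly anyway.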