Mailing List Archive

per-user ACL
Is there a way I can change the per-user acl after it has been applied on an interface?

I tried to remove the "Virtual-Access6#49414551" from Vi6, but that wasn't possible.

Virtual-Access6 is up, line protocol is up
Outgoing access list is not set
Inbound access list is Virtual-Access6#49414551, default is 120

--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz@forthnet.gr>
***********************************
RE: per-user ACL [ In reply to ]
> Is there a way I can change the per-user acl after it has been
> applied on an interface?

You might actually be able to change the ACL itself using the CLI, but
this is undocumented, and behaviour might vary in different IOS
releases..
You can't change the vaccess config while the user is connected..

> I tried to remove the "Virtual-Access6#49414551" from Vi6, but that
> wasn't possible.

How? "no ip access-list extended Virtual-Access6#49414551"? This might
actually work..

What are you trying to achieve?

oli
Re: per-user ACL [ In reply to ]
I'm just trying to find the appropriate acl for a vpn customer.

I want to avoid changing the acl through our aaa system (radius/ldap) until I come to a
final acl config. So it would be nice if I could change the acl while the customer is
connected.


Oliver Boehmer (oboehmer) wrote:

>>Is there a way I can change the per-user acl after it has been
>>applied on an interface?
>
>
> You might actually be able to change the ACL itself using the CLI, but
> this is undocumented, and behaviour might vary in different IOS
> releases..
> You can't change the vaccess config while the user is connected..
>
>
>>I tried to remove the "Virtual-Access6#49414551" from Vi6, but that
>>wasn't possible.
>
>
> How? "no ip access-list extended Virtual-Access6#49414551"? This might
> actually work..
>
> What are you trying to achieve?
>
> oli
>

--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz@forthnet.gr>
***********************************
RE: per-user ACL [ In reply to ]
Hi,

> I'm just trying to find the appropriate acl for a vpn customer.
>
> I want to avoid changing the acl through our aaa system (radius/ldap)
> until I come to a final acl config. So it would be nice if I could
> change the acl while the customer is connected.

Hmm, trial and error :-)

Well, in that case I would create a named ACL on the box and reference
it on the customer's vaccess using Cisco-avpair =
"lcp:interface-config=ip access-group testacl in". Then you can work on
this ACL, and when you're done, code this ACL as per-user ACL in the
customer's profile.

oli

>
> Oliver Boehmer (oboehmer) wrote:
>
> > > Is there a way I can change the per-user acl after it has been
> > > applied on an interface?
> >
> >
> > You might actually be able to change the ACL itself using the CLI,
> > but this is undocumented, and behaviour might vary in different IOS
> > releases.. You can't change the vaccess config while the user is
> > connected..
> >
> >
> > > I tried to remove the "Virtual-Access6#49414551" from Vi6, but
> > > that wasn't possible.
> >
> >
> > How? "no ip access-list extended Virtual-Access6#49414551"? This
> > might actually work..
> >
> > What are you trying to achieve?
> >
> > oli
Re: per-user ACL [ In reply to ]
Oliver Boehmer (oboehmer) wrote:

> Hi,
>
>
>>I'm just trying to find the appropriate acl for a vpn customer.
>>
>>I want to avoid changing the acl through our aaa system (radius/ldap)
>>until I come to a final acl config. So it would be nice if I could
>>change the acl while the customer is connected.
>
>
> Hmm, trial and error :-)
>
> Well, in that case I would create a named ACL on the box and reference
> it on the customer's vaccess using Cisco-avpair =
> "lcp:interface-config=ip access-group testacl in". Then you can work on
> this ACL, and when you're done, code this ACL as per-user ACL in the
> customer's profile.
>
> oli
>

That worked fine...

Thx oli ;-)


>
>>Oliver Boehmer (oboehmer) wrote:
>>
>>
>>>>Is there a way I can change the per-user acl after it has been
>>>>applied on an interface?
>>>
>>>
>>>You might actually be able to change the ACL itself using the CLI,
>>>but this is undocumented, and behaviour might vary in different IOS
>>>releases.. You can't change the vaccess config while the user is
>>>connected..
>>>
>>>
>>>
>>>>I tried to remove the "Virtual-Access6#49414551" from Vi6, but
>>>>that wasn't possible.
>>>
>>>
>>>How? "no ip access-list extended Virtual-Access6#49414551"? This
>>>might actually work..
>>>

Although there was no error message displayed after trying the above, the acl wasn't
actually removed... It was still under the va interface.

>>>What are you trying to achieve?
>>>
>>> oli
>
>

--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz@forthnet.gr>
***********************************
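
The workflow suggested in this thread ends with re-coding the tested named ACL as a per-user ACL in the customer's RADIUS profile. As an added example (not from any poster in this thread), this Python helper converts a finished `testacl` block from the running config into `ip:inacl#N` Cisco-AVPair values; the ACL entries, addresses and the function name `acl_to_avpairs` are constructed for illustration.

```python
# Added example: constructed data, hypothetical helper name.

# Phase 1 (testing), from the thread: the RADIUS profile only points the
# virtual-access interface at an ACL that lives on the router.
TEST_PHASE_AVPAIR = "lcp:interface-config=ip access-group testacl in"

# Constructed sample of the finished test ACL as it would appear in the
# running config (addresses are documentation ranges).
TESTACL_CONFIG = """\
ip access-list extended testacl
 remark constructed sample for a VPN customer
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq domain
 deny   ip any any log
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
"""


def acl_to_avpairs(config, name, direction="in"):
    """Phase 2: return per-user ACL AV-pair values for one named extended ACL."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    header = f"ip access-list extended {name}"
    values, inside = [], False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # A top-level line opens or closes an ACL block.
            inside = raw.strip() == header
            continue
        tokens = raw.split()
        if inside and tokens[0] in ("permit", "deny"):
            # Remarks are skipped; entries are numbered in ACL order.
            entry = " ".join(tokens)
            values.append(f"ip:{direction}acl#{len(values) + 1}={entry}")
    if not values:
        raise ValueError(f"no entries found for ACL {name!r}")
    return values


if __name__ == "__main__":
    for value in acl_to_avpairs(TESTACL_CONFIG, "testacl"):
        print(f'Cisco-AVPair = "{value}"')
```

Once the profile carries these values, the `lcp:interface-config` pair from the test phase is removed so the session no longer depends on an ACL that exists only on one box.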