Mailing List Archive

Problem with per user accesslist via radius
Hello cisco-nas,

I have the following problem: when I try to set more than 46
entries for a per-user filter, only 46 rules are set.

We are using a 7206 to terminate an L2TP tunnel with DSL lines.

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-JO3S-M), Version 12.2(16)B, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Mon 12-May-03 20:22 by leccese
Image text-base: 0x60008954, data-base: 0x61FBE000

ROM: System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(2)XE2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

cisco 7206VXR (NPE300) processor (revision B) with 229376K/65536K bytes of memory.
Processor board ID 16069708
R7000 CPU at 262Mhz, Implementation 39, Rev 1.0, 256KB L2, 2048KB L3 Cache
6 slot VXR midplane, Version 2.0

We use Cistron-radius version 1.6-stable.

A sample config for a user is:

test#xyz.de	Auth-Type = Local, Password = "test"
	Service-Type = Framed-User,
	Cisco-AVPair = "ip:dns-servers=81.92.1.1 81.92.1.2",
	Cisco-AVPair = "ip:inacl#1=deny tcp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.0 eq 23",
	.
	.
	.
	Cisco-AVPair = "ip:inacl#51=deny tcp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.0 eq 443",
	.
	.
	.
	Cisco-AVPair = "ip:inacl#179=permit ip any any",
	Framed-Protocol = PPP,
	Acct-Interim-Interval = 300,
	Framed-Route = "x.x.x.x/x x.x.x.x 1",
	Framed-IP-Address = x.x.x.x,
	Framed-IP-Netmask = x.x.x.x

Has anybody any idea what's going wrong here, or is there a maximum number of rules per user?



Thanks.



Kind regards,
Eric Thiele
-----------------------------------------------
TAL.DE Klaus Internet Service GmbH eric@tal.de
Robertstrasse 6 * D-42107 Wuppertal, Germany
Tel: 0202 / 495-0 * Fax: 0202 / 495-399
-----------------------------------------------
RE: Problem with per user accesslist via radius
Eric,

There is no absolute maximum for the number of per-user ACL lines apart from the maximum RADIUS profile size of 4096 bytes (which hasn't been enforced by us; in IOS's RADIUS client, the length of a RADIUS profile is limited by the huge buffer size).

You might want to check "debug aaa per-user" and "debug aaa authorization" to see what's going on.

oli

----Original Message----
From: eric@tal.de [mailto:eric@tal.de]
Sent: Tuesday, 30 September 2003 16:03
To: cisco-nas@puck.nether.net
Subject: [cisco-nas] Problem with per user accesslist via radius

> _______________________________________________
> cisco-nas mailing list
> cisco-nas@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nas
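As an added example (not code from the thread, from Cistron or from IOS), the Python below encodes a profile shaped like Eric's as RADIUS attributes, following the attribute layout in RFC 2865 and Cisco's Vendor-Specific format for Cisco-AVPair, and counts how many ip:inacl# lines fit under the 4096-byte packet limit Oli mentions. The addresses, the Framed-Route and the rule list are constructed for the example; the real server's encoding is what decides the actual cutoff, so treat the number it prints as an estimate to compare against `debug aaa per-user` output.

```python
"""Estimate how many Cisco-AVPair ip:inacl# rules fit in one RADIUS Access-Accept.

Added example, not code from the mailing-list thread. RFC 2865 section 3 caps a
RADIUS packet at 4096 bytes and every attribute carries a one-byte Length, so a
long per-user ACL sent as Vendor-Specific attributes can run out of room. All
addresses, ports and rules below are constructed, not taken from the post.
"""
import struct

# RFC 2865 / Cisco VSA constants
RADIUS_MAX_LEN = 4096        # maximum packet Length, RFC 2865 s3
RADIUS_HEADER_LEN = 20       # Code + Identifier + Length + Authenticator
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 s5.26
VENDOR_CISCO = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # Cisco VSA sub-type carrying "key=value"

# Standard attribute types used by the profile (RFC 2865 s5, RFC 2869 s5.16)
SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 8, 9
FRAMED_ROUTE = 22
ACCT_INTERIM_INTERVAL = 85


def attr(attr_type: int, payload: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length counts itself)."""
    length = 2 + len(payload)
    if length > 255:  # one-byte Length: a longer value cannot be sent at all
        raise ValueError(f"attribute {attr_type} value too long ({len(payload)} bytes)")
    return struct.pack("!BB", attr_type, length) + payload


def integer_attr(attr_type: int, value: int) -> bytes:
    """Encode a 32-bit integer attribute such as Service-Type."""
    return attr(attr_type, struct.pack("!I", value))


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as a Vendor-Specific attribute.

    Layout: Type(26) Length Vendor-Id(4) | Vendor-Type(1) Vendor-Length String.
    """
    data = value.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + vsa)


def access_accept_length(attributes: list[bytes]) -> int:
    """Length field an Access-Accept carrying these attributes would have."""
    return RADIUS_HEADER_LEN + sum(len(a) for a in attributes)


def rules_that_fit(fixed: list[bytes], inacl_rules: list[str]) -> int:
    """Count leading ip:inacl# rules that fit beside the fixed attributes.

    Rules are added in users-file order; counting stops at the first rule
    that would push the packet past RADIUS_MAX_LEN. Everything after that
    point, including a closing 'permit ip any any', would not be delivered.
    """
    length = access_accept_length(fixed)
    fitted = 0
    for rule in inacl_rules:
        encoded = cisco_avpair(rule)
        if length + len(encoded) > RADIUS_MAX_LEN:
            break
        length += len(encoded)
        fitted += 1
    return fitted


def sample_profile() -> tuple[list[bytes], list[str]]:
    """Constructed profile shaped like the one in the post (addresses invented)."""
    fixed = [
        integer_attr(SERVICE_TYPE, 2),                        # Framed-User
        cisco_avpair("ip:dns-servers=81.92.1.1 81.92.1.2"),
        integer_attr(FRAMED_PROTOCOL, 1),                     # PPP
        integer_attr(ACCT_INTERIM_INTERVAL, 300),
        attr(FRAMED_ROUTE, b"203.0.113.0/24 203.0.113.1 1"),  # constructed
        attr(FRAMED_IP_ADDRESS, bytes([203, 0, 113, 5])),     # constructed
        attr(FRAMED_IP_NETMASK, bytes([255, 255, 255, 255])),
    ]
    # 178 deny rules alternating ports 23 and 443, then the closing permit,
    # numbered inacl#1..#179 like the post's profile
    rules = [
        f"ip:inacl#{n}=deny tcp 0.0.0.0 255.255.255.255 203.0.113.5 0.0.0.0 eq {port}"
        for n, port in zip(range(1, 179), (23, 443) * 89)
    ]
    rules.append("ip:inacl#179=permit ip any any")
    return fixed, rules


if __name__ == "__main__":
    fixed, rules = sample_profile()
    total = access_accept_length(fixed + [cisco_avpair(r) for r in rules])
    n = rules_that_fit(fixed, rules)
    print(f"full profile would need {total} bytes (limit {RADIUS_MAX_LEN})")
    print(f"only the first {n} of {len(rules)} inacl rules fit; rule #{n + 1} onward "
          f"is dropped, including the closing 'permit ip any any'")
```

The point of the check is the failure mode, not the exact count: whatever falls past the cutoff is silently absent from the filter the box installs, so a long per-user ACL should be validated against what `debug aaa per-user` actually shows before anyone relies on it, or kept short enough to fit with margin (for instance by pointing at an ACL configured on the router instead of shipping every line in the profile).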