Mailing List Archive

LNS: per user ACL with AAA
Hello,

I'm playing around with certain RADIUS-based user restrictions and
wonder why some Cisco-AVPairs (like "lcp:interface-config=xxx")
work but others don't. Especially the ACL attribute "ip:inacl=xxx" seems
not to be recognized by our LNS.

At the moment I'm not sure whether this is an LNS (12.3(2)T7) or a RADIUS
(freeRADIUS) problem. Is there someone out there who got "ip:[in/out]acl" working
or who has some hints?

Thx
--
Gerald
RE: LNS: per user ACL with AAA
> I'm playing around with certain RADIUS-based user restrictions and
> wonder why some Cisco-AVPairs (like "lcp:interface-config=xxx")
> work but others don't. Especially the ACL attribute "ip:inacl=xxx" seems
> not to be recognized by our LNS.
>
> At the moment I'm not sure whether this is an LNS (12.3(2)T7) or a RADIUS
> (freeRADIUS) problem. Is there someone out there who got "ip:[in/out]acl"
> working or who has some hints?

Can you post your AAA profile and/or "debug aaa radius authen" & "debug
aaa per-user"? I didn't try with 12.3(2)T7, but 12.3M happily accepts
and applies per-user ACLs constructed via "ip:inacl" on an LNS.

oli
Re: LNS: per user ACL with AAA
Oliver Boehmer (oboehmer) wrote:
>>I'm playing around with certain RADIUS-based user restrictions and
>>wonder why some Cisco-AVPairs (like "lcp:interface-config=xxx")
>>work but others don't. Especially the ACL attribute "ip:inacl=xxx" seems
>>not to be recognized by our LNS.
>>
>>At the moment I'm not sure whether this is an LNS (12.3(2)T7) or a RADIUS
>>(freeRADIUS) problem. Is there someone out there who got "ip:[in/out]acl"
>>working or who has some hints?
>
>
> Can you post your AAA profile and/or "debug aaa radius authen" & "debug
> aaa per-user"? I didn't try with 12.3(2)T7, but 12.3M happily accepts
> and applies per-user ACLs constructed via "ip:inacl" on an LNS.

Just when reconsidering, I found the (my) problem: multiple Cisco-AVPairs
for one user have to be declared via "+=" and not "=". Otherwise only the
first Cisco-AVPair will be sent to the NAS.

Sorry for wasting time but thx for the quick response.

--
Gerald
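Editor's note, as an added illustration that is not part of the thread: the "=" vs. "+=" difference Gerald ran into is the reply-item operator semantics of the FreeRADIUS users file (rlm_files). For reply items, "=" adds an attribute only if no attribute of that name is already in the reply list, so a second Cisco-AVPair written with "=" is silently dropped; "+=" always appends another instance. The entries below are constructed for this note (the user name, password and ACL contents are placeholders, and the check-item form `Cleartext-Password :=` assumes FreeRADIUS 2.x or later), and the Cisco-AVPair strings use the `ip:inacl#<n>=<ace>` form Cisco documents for per-user ACLs.

```text
# Broken: only the first Cisco-AVPair reaches the LNS, because the second
# "=" sees that a Cisco-AVPair is already in the reply list and is skipped.
gerald  Cleartext-Password := "placeholder"
        Cisco-AVPair = "lcp:interface-config=ip unnumbered Loopback0",
        Cisco-AVPair = "ip:inacl#1=permit tcp any any eq 80"

# Fixed: "+=" appends every instance, so the LNS receives the interface
# config and every ACL entry, and applies the numbered ACEs in order.
gerald  Cleartext-Password := "placeholder"
        Cisco-AVPair += "lcp:interface-config=ip unnumbered Loopback0",
        Cisco-AVPair += "ip:inacl#1=permit tcp any any eq 80",
        Cisco-AVPair += "ip:inacl#2=deny ip any any"
```

A quick way to confirm which attributes the server actually emits, before involving the LNS at all, is to authenticate with radtest against the server and read the Access-Accept it prints: with the first form only one Cisco-AVPair appears, with the second all of them do. On the LNS side, the "debug aaa per-user" suggested above shows whether the received ACEs are being turned into a per-user access list.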