On Fri, 26 May 2000, Matthew Nichols wrote:
> cisco avpairs can be issued multiple times from radiator..we are doing it
> here. The only restriction we found is that you can only issue one avpair
> of one type...eg.
>
> AddToReply
> cisco-avpair="ip:addr-pool=setup_pool\ndns-servers=212.117.64.86
> 212.117.67.2\nidletime=89" ,

I've been using per-user dynamic ACLs at a client site for a year or so
just by numbering the ACLs:

AddToReply Service-Type=Framed-User,\
Framed-Protocol=PPP,\
Framed-IP-Netmask=255.255.255.255,\
Framed-Routing=None,Framed-MTU=1500,\
Framed-Compression=Van-Jacobsen-TCP-IP,\
cisco-avpair="ip:inacl#3=permit tcp any x.x.x.x 0.0.0.0 eq 80",\
cisco-avpair="ip:inacl#4=permit tcp any x.x.x.x 0.0.0.0 eq 443",\
cisco-avpair="ip:inacl#5=permit tcp any x.x.x.x 0.0.0.0 eq 10000",\
cisco-avpair="ip:inacl#6=permit udp any x.x.x.x 0.0.0.0 eq domain",\
cisco-avpair="ip:inacl#7=deny icmp any any administratively-prohibited",\
cisco-avpair="ip:inacl#8=deny ip any any",\
Reply-Message=THIS IS A RESTRICTED ACCESS SYSTEM. UNAUTHORISED ACCESS
PROHIBITED.

This might work for you as well. At the time I could only find sketchy
docs on how this worked for TACACS+, and had to make an educated guess for
RADIUS.

--
+--------------------------------------------+
/ James Pickering, Managing Director /
/ Australian Integration Consultants Pty Ltd /
/ Email: [EMAIL PROTECTED] /
+--------------------------------------------+
===
Archive at http://www.starport.net/~radiator/
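
An added example, not part of the original message or of Radiator: a small Python check for a reply list that uses the numbered ip:inacl#N pairs described above. The function names and the sample addresses are constructed; it assumes entries apply in ascending # order and also accepts ip:outacl#N, which goes beyond the inbound case shown in the post.

```python
import re

# Matches Cisco per-user ACL AV pairs as written in the reply list above.
AVPAIR_RE = re.compile(r'cisco-avpair="ip:(inacl|outacl)#(\d+)=([^"]*)"')

# Constructed samples; 192.0.2.10 stands in for the masked x.x.x.x address.
GOOD = r'''AddToReply Service-Type=Framed-User,\
cisco-avpair="ip:inacl#3=permit tcp any 192.0.2.10 0.0.0.0 eq 80",\
cisco-avpair="ip:inacl#4=permit tcp any 192.0.2.10 0.0.0.0 eq 443",\
cisco-avpair="ip:inacl#5=deny ip any any"'''
BAD = r'''AddToReply Service-Type=Framed-User,\
cisco-avpair="ip:inacl#3=permit tcp any 192.0.2.10 0.0.0.0 eq 80",\
cisco-avpair="ip:inacl#3=permit tcp any 192.0.2.10 0.0.0.0 eq 443",\
cisco-avpair="ip:inacl#4=permit ip any any"'''


def parse_acl_avpairs(reply_text):
    """Return [(direction, seq, rule), ...] in the order the pairs appear."""
    return [(d, int(n), " ".join(rule.split()))
            for d, n, rule in AVPAIR_RE.findall(reply_text)]


def audit(reply_text):
    """Return findings for the per-user ACL carried in one reply list."""
    findings, by_dir = [], {}
    for direction, seq, rule in parse_acl_avpairs(reply_text):
        entries = by_dir.setdefault(direction, {})
        if seq in entries:
            # Two pairs with the same number are no longer distinct entries.
            findings.append(f"{direction}#{seq}: duplicate sequence number")
        entries[seq] = rule
    for direction, entries in by_dir.items():
        ordered = sorted(entries)
        # The list in the post closes with an explicit catch-all deny.
        if entries[ordered[-1]] != "deny ip any any":
            findings.append(f"{direction}: last entry is not 'deny ip any any'")
        for seq in ordered:
            if entries[seq].startswith("permit ip any any"):
                findings.append(f"{direction}#{seq}: permits all traffic")
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(text) or "no findings")
```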