Ascend Archive
(ASCEND) Filters via RADIUS entries



Howdy folks,

I'm having a heck of a time putting together the correct RADIUS attribute/value pairs to successfully filter a particular user.

Here's my setup:
Max 400x running 5.0ap5 (runs great)
Ascend RADIUS (with some heavy mods which are completely unrelated)
Ascend/Livingston RADIUS dictionaries have been merged- no trouble there.

The maxes are loaded with either 12-mod cards or 8-mod cards on T1 lines. The Maxen have a very simple setup: they only bring in the dialup traffic to our LAN, so the routing is really simple on the inside of the MAX.

Here's what I'm trying to do:
Specify in RADIUS a filter for a user to allow them only to connect to port 53 (dns) of one machine on our LAN, with either tcp or udp, and no icmp anywhere.

Here's a sample filter I created which will filter out all ICMP traffic coming from the dialup user "willp2". It's a regular PPP connection, and the netmask is all bits high, which is just right, and this filter works just fine. Whenever I've tried to put in a dstip aa.bb.cc.dd or dstip aa.bb.cc.dd/xx, the filter does not work as intended.

Here's the sample ICMP filter. (Useful if you have a user who sends pingfloods, I suppose.)

willp2	Password = "UNIX"
	User-Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Netmask = 255.255.255.255,
	Framed-Routing = None,
	Framed-MTU = 1500,
	Ascend-Data-Filter = "ip in forward tcp",
	Ascend-Data-Filter = "ip in forward udp",
	Ascend-Data-Filter = "ip out drop icmp",
	Ascend-Data-Filter = "ip out forward"


If anyone has any sample IP filters that work, I'd love to see what the proper syntax, ordering, parameters, or whatever it is I'm doing wrong is supposed to be. The max manual is pretty flaky on filters-via-RADIUS user profiles.

Thanks in advance!
-Will

--
Will Pierce
System Administrator
Dreamscape Online, LLC.
willp@dreamscape.com
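Editor's note, added to this archived post and not part of Will's message or of Ascend's software: the following Python evaluator walks an Ascend-Data-Filter list the way the MAX documentation describes it, top to bottom, first match wins, and (this is a stated assumption of the model, not something the post confirms) with an implicit drop for any packet in a direction that has rules but matches none of them. It accepts the general form "ip dir action [dstip a.b.c.d/nn] [srcip a.b.c.d/nn] [proto [dstport cmp n] [srcport cmp n] [est]]" and is run over the ICMP profile quoted above plus a constructed DNS-only profile for the goal Will describes. The host address 192.0.2.53 and the dialup address 10.0.0.5 are placeholders from documentation ranges, not addresses from the post. Tracing packets through such a list is the quickest way to see why a rule that looks right never fires: an earlier rule already forwarded the packet, or no rule matched and the implicit deny swallowed it.

```python
import ipaddress

# Protocol keywords and port comparators this toy parser understands.
PROTOS = {"tcp", "udp", "icmp"}
CMP = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def parse_filter(spec):
    """Parse one Ascend-Data-Filter string into a rule dict.

    Assumed grammar: ip dir action [dstip a.b.c.d/nn] [srcip a.b.c.d/nn]
                     [proto [dstport cmp n] [srcport cmp n] [est]]
    A bare address without /nn is treated as a single host (/32).
    """
    toks = spec.split()
    if len(toks) < 3 or toks[0] != "ip":
        raise ValueError("only 'ip' filters are handled: %r" % spec)
    rule = {"dir": toks[1], "action": toks[2], "proto": None, "dstip": None,
            "srcip": None, "dstport": None, "srcport": None, "est": False}
    if rule["dir"] not in ("in", "out") or rule["action"] not in ("forward", "drop"):
        raise ValueError("bad direction/action in %r" % spec)
    i = 3
    while i < len(toks):
        t = toks[i]
        if t in ("dstip", "srcip"):
            addr = toks[i + 1] if "/" in toks[i + 1] else toks[i + 1] + "/32"
            rule[t] = ipaddress.ip_network(addr, strict=False)
            i += 2
        elif t in ("dstport", "srcport"):
            rule[t] = (CMP[toks[i + 1]], int(toks[i + 2]))
            i += 3
        elif t in PROTOS:
            rule["proto"] = t
            i += 1
        elif t == "est":
            rule["est"] = True
            i += 1
        else:
            raise ValueError("unknown token %r in %r" % (t, spec))
    return rule


def matches(rule, pkt):
    """True when every qualifier present in the rule matches the packet."""
    if rule["proto"] is not None and pkt["proto"] != rule["proto"]:
        return False
    for key, field in (("dstip", "dst"), ("srcip", "src")):
        if rule[key] is not None and ipaddress.ip_address(pkt[field]) not in rule[key]:
            return False
    for key, field in (("dstport", "dport"), ("srcport", "sport")):
        if rule[key] is not None:
            cmp, value = rule[key]
            if pkt.get(field) is None or not cmp(pkt[field], value):
                return False
    if rule["est"] and not pkt.get("est", False):
        return False
    return True


def decide(filters, pkt):
    """Return 'forward' or 'drop' for one packet.

    First matching rule in the packet's direction wins.  Assumption: once any
    rule exists for a direction, an unmatched packet is dropped (implicit deny);
    with no rules at all for that direction the packet passes untouched.
    """
    rules = [r for r in map(parse_filter, filters) if r["dir"] == pkt["dir"]]
    if not rules:
        return "forward"
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "drop"


def pkt(direction, proto, src, dst, sport=None, dport=None):
    """Build a minimal packet summary; 'in' = from the dialup user into the MAX."""
    return {"dir": direction, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


# The poster's working ICMP profile, copied from the message above.
ICMP_BLOCK = [
    "ip in forward tcp",
    "ip in forward udp",
    "ip out drop icmp",
    "ip out forward",
]

# Constructed DNS-only profile for the stated goal (placeholder host 192.0.2.53).
DNS_ONLY = [
    "ip in forward tcp dstip 192.0.2.53/32 dstport = 53",
    "ip in forward udp dstip 192.0.2.53/32 dstport = 53",
    "ip out forward tcp srcip 192.0.2.53/32 srcport = 53",
    "ip out forward udp srcip 192.0.2.53/32 srcport = 53",
]

if __name__ == "__main__":
    samples = [
        pkt("in", "icmp", "10.0.0.5", "192.0.2.53"),
        pkt("in", "udp", "10.0.0.5", "192.0.2.53", 1025, 53),
        pkt("in", "tcp", "10.0.0.5", "192.0.2.53", 1025, 80),
        pkt("in", "udp", "10.0.0.5", "192.0.2.54", 1025, 53),
    ]
    for p in samples:
        print("%-4s %-4s -> %s:%s  ICMP_BLOCK=%s  DNS_ONLY=%s" % (
            p["dir"], p["proto"], p["dst"], p["dport"],
            decide(ICMP_BLOCK, p), decide(DNS_ONLY, p)))
```

Note that in the quoted profile inbound ICMP is never listed, yet it is blocked: the two "ip in forward" rules cover tcp and udp only, so an inbound ping falls through to the implicit deny. The same mechanism is what turns an otherwise correct dstip rule into a silent drop when it is placed after a broader "forward" rule or when its host or port qualifier does not match the packets actually seen.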


++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.shore.net/~dreaming/ascend-faq>
or		<ftp://ftp.shore.net/members/dreaming/ascend-faq.txt>