Orly,

This is only possible if your NAS supports it? BTW, do you know where I can
find more resources regarding this topic? Thanks.

-----Original Message-----
From: Orlando Andico [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, July 12, 2001 12:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [plug] [OT] Radius: Mail only, Game only, etc.


On Thu, 12 Jul 2001 [EMAIL PROTECTED] wrote:
..
> Hi,
>
> Is it possible to limit the capabilities of dial-in clients (or anyone
> authenticated via RADIUS) to just e-mail only, game only, etc. How is it
> done?

On Cisco, you can send a VSA avpair which implements a dynamic ACL
limiting them to certain ports and IP address ranges. The syntax is like
this:

cisco-avpair = "ip:inacl#5=permit ip any 202.47.132.0 0.0.0.255"
cisco-avpair = "ip:inacl#99=deny ip any any"

In the case above, only access to 202.47.132.0/24 is allowed (obviously).
You can also limit per-port, in line with usual Cisco ACL configuration.
For Ascend hardware:

Ascend-Data-Filter = "ip in forward dstip 202.47.132.0/24"

(does the same thing as for Cisco).

It's up to you how you will insert these special VSAs into your RADIUS
Authentication-Reply packet. BTW, the Cisco avpair dynamic ACL works well
only on 12.0.x IOS and above. Plus, every ACL you add will (obviously) eat
into router memory and CPU. At least it is dynamic: it goes away after the PPP
connection is gone.


-- 
Orlando Andico <[EMAIL PROTECTED]>
Mosaic Communications, Inc.


_
Philippine Linux Users Group. Web site and archives at
http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]

To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
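
The cisco-avpair lines quoted in the message above travel in the RADIUS reply as Vendor-Specific attributes. The following is an added example, not part of the original thread: it encodes the two ACL strings from the message and parses them back out, which is also how you would audit what a server actually hands to the NAS. It assumes Cisco's enterprise number 9 and vendor type 1 for cisco-avpair, builds the attribute list only (no packet header or authenticator), and the Service-Type attribute and all function names are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for vendor-specific data
CISCO_VENDOR_ID = 9       # assumption: Cisco's IANA enterprise number
CISCO_AVPAIR = 1          # assumption: vendor type used for cisco-avpair
MAX_VALUE_LEN = 255 - 8   # one-byte attribute length minus 8 header bytes

def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one avpair string in a Vendor-Specific attribute."""
    data = value.encode("ascii")
    if len(data) > MAX_VALUE_LEN:
        raise ValueError(f"avpair too long ({len(data)} > {MAX_VALUE_LEN} bytes)")
    vendor_len = 2 + len(data)   # vendor type + vendor length + data
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, 6 + vendor_len,
                       CISCO_VENDOR_ID, CISCO_AVPAIR, vendor_len) + data

def decode_cisco_avpairs(attrs: bytes) -> list[str]:
    """Walk an attribute list and return every cisco-avpair string in it."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(body) < 6:
            continue             # some other attribute, skip it
        vendor_id, v_type, v_len = struct.unpack("!IBB", body[:6])
        if vendor_id == CISCO_VENDOR_ID and v_type == CISCO_AVPAIR:
            if v_len != len(body) - 4:
                raise ValueError("vendor length does not match attribute length")
            found.append(body[6:].decode("ascii"))
    return found

# The two ACL entries from the message; order matters, the deny comes last.
PAGE_ACL = [
    "ip:inacl#5=permit ip any 202.47.132.0 0.0.0.255",
    "ip:inacl#99=deny ip any any",
]
SERVICE_TYPE_FRAMED = bytes([6, 6, 0, 0, 0, 2])  # constructed sample attribute

def reply_attributes() -> bytes:
    return SERVICE_TYPE_FRAMED + b"".join(encode_cisco_avpair(a) for a in PAGE_ACL)

if __name__ == "__main__":
    for avpair in decode_cisco_avpairs(reply_attributes()):
        print(avpair)
```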