On Mon, 26 Jul 1999, Ben-Nes Michael wrote:

> the standard Livingston radius have "Filter-Id" does cisco 2511 accept
> it ?

The Ciscos do accept Filter-Id to choose ACLs, but personally I prefer to
use per-user ACLs, as the AS5300s I maintain for a client have many
different uses/users. The per-user ACLs also allow you to modify ACLs on
the fly in the RADIUS server. One realm uses an application's LDAP-based
security configuration to allow very restricted PPP connections
to that application, which I do using the per-user ACLs.

Something like the following works well for me: 

AddToReply \
cisco-avpair="ip:inacl#3=permit tcp any x.x.x.x 0.0.0.0 eq abcd",\
cisco-avpair="ip:inacl#4=deny icmp any any administratively-prohibited",\
cisco-avpair="ip:inacl#5=deny ip any any"

Trap: AddToReply isn't cumulative; you can use it only once.

You may need to add the following IOS configuration:
radius-server vsa send

--
   +--------------------------------------------+
  / James Pickering                            /
 / Email: [EMAIL PROTECTED]               /
+--------------------------------------------+
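An added example, not from the original post or the Radiator project: a small Python lint for the AddToReply form shown above. It folds the backslash line continuations, extracts the ip:inacl#N entries, and flags the trap the post mentions (AddToReply used more than once) along with two ACL hygiene issues. Both config fragments are constructed, and the checker treats the whole fragment as one clause (an assumption).

```python
import re

# Constructed Radiator-style fragment (not from the original post); the
# per-user ACL values follow the ip:inacl#N=<ace> form shown in the post.
GOOD_CONFIG = r'''
AddToReply \
cisco-avpair="ip:inacl#3=permit tcp any 192.0.2.10 0.0.0.0 eq 443",\
cisco-avpair="ip:inacl#4=deny icmp any any administratively-prohibited",\
cisco-avpair="ip:inacl#5=deny ip any any"
'''

# Constructed bad fragment: AddToReply repeated (the post's trap), a reused
# sequence number, a wide-open permit, and no explicit final deny.
BAD_CONFIG = r'''
AddToReply cisco-avpair="ip:inacl#3=permit tcp any 192.0.2.10 0.0.0.0 eq 443"
AddToReply cisco-avpair="ip:inacl#3=permit ip any any"
'''

AVPAIR_RE = re.compile(r'cisco-avpair="ip:(inacl|outacl)#(\d+)=([^"]*)"')

def join_continuations(text: str) -> list[str]:
    """Fold backslash-continued lines into single logical lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return [l for l in lines if l]

def lint_acl_reply(config: str) -> list[str]:
    """Return the problems found in one clause's AddToReply ACL entries."""
    problems = []
    adds = [l for l in join_continuations(config) if l.startswith("AddToReply")]
    if len(adds) > 1:
        problems.append(f"AddToReply used {len(adds)} times; it is not cumulative")
    entries = [(d, int(n), ace.strip()) for l in adds for d, n, ace in AVPAIR_RE.findall(l)]
    for direction in sorted({d for d, _, _ in entries}):
        seqs = [n for d, n, _ in entries if d == direction]
        aces = [ace for d, _, ace in entries if d == direction]
        if seqs != sorted(set(seqs)):
            problems.append(f"{direction}: sequence numbers must be unique and ascending: {seqs}")
        if "permit ip any any" in aces:
            problems.append(f"{direction}: 'permit ip any any' grants the user unrestricted access")
        if aces[-1] != "deny ip any any":
            problems.append(f"{direction}: last entry is not an explicit 'deny ip any any'")
    return problems
```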


Archive at http://www.thesite.com.au/~radiator/