09-30-2003 12:38 PM - edited 03-10-2019 07:30 AM
Hi, I would like to know if you can configure Downloadable ACLs with Windows 2000 Server's RADIUS, and if so, whether anyone has a link to how to configure the Windows 2000 RADIUS.
Thank you
Frederick Laquerre
09-30-2003 04:56 PM
Haven't tried this, and I know very little about the MS Radius server, but the ACL is downloaded just as a Cisco AV pair as seen here:
http://www.cisco.com/warp/public/110/atp52.html#new_per_user
If you can get IAS to send back vendor-specific attribute (attribute 26) value 9/1 then just add the ACL in (as shown in the config):
ip:inacl#=deny tcp any host 10.1.1.1 eq smtp
ip:inacl#=permit ip any any
and it should work. As I said though no guarantees as I haven't tested it. If someone else has gotten this working please feel free to respond.
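The reply above describes the wire format only in words: the ACL rides in RADIUS attribute 26 (Vendor-Specific), vendor ID 9 (Cisco), vendor type 1 (cisco-avpair), one AV pair per ACL entry. The following is an added example, not code from the thread or from any RADIUS server; it encodes such attributes exactly as RFC 2865 lays them out and decodes them back, so you can check what your RADIUS server is actually emitting against what the firewall expects. The ACL entries are constructed sample input; the example numbers each entry (ip:inacl#1=, ip:inacl#2=) so ordering survives, which is an assumption about style rather than something the thread shows.

```python
"""
Added example (not from the thread): encode and decode a RADIUS
Vendor-Specific attribute (RFC 2865, attribute 26) carrying Cisco
AV pairs (vendor ID 9, vendor type 1, "cisco-avpair") of the form
ip:inacl#N=<ACE>, the format in which a per-user ACL is returned
in an Access-Accept.

Layout on the wire:
  Type(26) | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value
Length covers the whole attribute; Vendor-Length covers type+length+value.
"""
import struct

RADIUS_VSA_TYPE = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def encode_cisco_avpair(value: str) -> bytes:
    """Build one attribute-26 VSA holding a single cisco-avpair string."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)           # vendor type + vendor length + value
    if vendor_len > 255 - 6:             # outer length is one byte, header is 6
        raise ValueError("AV pair too long for one VSA")
    sub = struct.pack("!BB", CISCO_AVPAIR, vendor_len) + data
    total = 6 + len(sub)                 # type + length + vendor id + sub-attr
    return struct.pack("!BBI", RADIUS_VSA_TYPE, total, CISCO_VENDOR_ID) + sub


def encode_inacl(aces):
    """One VSA per ACE, numbered ip:inacl#1=, ip:inacl#2=, ... (assumed style)."""
    return b"".join(
        encode_cisco_avpair(f"ip:inacl#{i}={ace}") for i, ace in enumerate(aces, 1)
    )


def decode_attributes(blob: bytes):
    """Walk a RADIUS attribute list; return (vendor_id, vendor_type, value) per VSA."""
    out = []
    off = 0
    while off < len(blob):
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed attribute")
        body = blob[off + 2:off + alen]
        if atype == RADIUS_VSA_TYPE:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vbody = body[4:]
            voff = 0
            # a single VSA may carry several vendor sub-attributes
            while voff < len(vbody):
                vtype, vlen = vbody[voff], vbody[voff + 1]
                if vlen < 2 or voff + vlen > len(vbody):
                    raise ValueError("malformed vendor sub-attribute")
                out.append((vendor_id, vtype,
                            vbody[voff + 2:voff + vlen].decode("ascii")))
                voff += vlen
        off += alen
    return out


def extract_inacl(blob: bytes):
    """Return the ACEs in sequence order from cisco-avpair ip:inacl#N= values."""
    entries = []
    for vid, vtype, val in decode_attributes(blob):
        if vid == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and val.startswith("ip:inacl#"):
            key, _, ace = val.partition("=")
            num = key[len("ip:inacl#"):]
            # an unnumbered 'ip:inacl#=' (as in the thread) sorts first, in arrival order
            entries.append((int(num) if num.isdigit() else 0, ace))
    return [ace for _, ace in sorted(entries, key=lambda e: e[0])]


if __name__ == "__main__":
    # constructed sample ACL, mirroring the entries in the reply above
    sample = ["deny tcp any host 10.1.1.1 eq smtp", "permit ip any any"]
    blob = encode_inacl(sample)
    print(blob.hex())
    print(extract_inacl(blob))
```

Feed the hex output to a packet capture or compare it with what `radclient`/a sniffer shows leaving the server: if the outer length, the vendor ID 9, or the vendor type 1 are off, the firewall silently ignores the attribute, which is the kind of mismatch worth ruling out first when an ACL appears not to be applied.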
10-02-2003 06:18 AM
This is a little bit of a thread hijack, but it's close enough to the subject matter :)
I tried this out on Cistron RADIUS using both the Cisco attribute 'ip:inacl#' and 'acl=test'.
In both cases, the ACLs showed as being applied to the VPN user in a 'show uauth', but they didn't seem to take effect.
For example, I did a small ACL to block port 80 traffic and allow everything else:
ip:inacl#=deny tcp any any eq 80
ip:inacl#=permit ip any any
uauth showed it as assigned and the ACL matched up with what I configured in radius, but it didn't stop any traffic.
Next I created a local ACL with the same data as the one I created in RADIUS, and sent attribute values "acl=acltest". Once again uauth showed it as applied, but I was still able to surf around without it taking effect.
Any ideas? Am I missing something?
Thanks,
-Joshua