Downloadable ACL for a Cisco PIX

flaquerre
Level 1

Hi, I would like to know if you can configure Downloadable ACLs with Windows 2000 Server's RADIUS, and if so, if anyone has a link to how to configure the Windows 2000 RADIUS.

Thank you

Frederick Laquerre

2 Replies

gfullage
Cisco Employee

Haven't tried this, and I know very little about the MS RADIUS server, but the ACL is downloaded just as a Cisco AV pair, as seen here:

http://www.cisco.com/warp/public/110/atp52.html#new_per_user

If you can get IAS to send back a vendor-specific attribute (attribute 26) with value 9/1, then just add the ACL in (as shown in the config):

ip:inacl#=deny tcp any host 10.1.1.1 eq smtp

ip:inacl#=permit ip any any

and it should work. As I said though, no guarantees, as I haven't tested it. If someone else has gotten this working, please feel free to respond.
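To make the "attribute 26, value 9/1" wire format above concrete, here is an added example (not from the thread or from Cisco) that builds and parses the RADIUS Vendor-Specific attribute carrying ip:inacl# entries as cisco-avpair strings. The ACL lines and the numbering scheme are constructed for illustration; check the encoded output against what your RADIUS server actually sends before relying on it.

```python
# Added example: RADIUS Vendor-Specific attribute (type 26, RFC 2865) carrying
# Cisco (vendor 9) cisco-avpair (vendor-type 1) strings for a downloadable ACL.
# The ACL lines used here are constructed sample data, not from the thread.
import struct

RADIUS_VSA_TYPE = 26   # Vendor-Specific attribute
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor-type 1 = cisco-avpair (the "9/1" in the reply)


def encode_cisco_avpair(value: str) -> bytes:
    """Return one complete attribute-26 TLV wrapping a single cisco-avpair string."""
    data = value.encode("ascii")
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv
    if 2 + len(body) > 255:  # RADIUS attribute length is a single byte
        raise ValueError("ACL line too long for one attribute")
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def encode_downloadable_acl(entries):
    """One VSA per ACL line, numbered (ip:inacl#N=) so the order is preserved."""
    return b"".join(
        encode_cisco_avpair(f"ip:inacl#{i}={e}") for i, e in enumerate(entries, 1)
    )


def decode_cisco_acl(attrs: bytes):
    """Walk a run of RADIUS attributes and return the ip:inacl# lines in order."""
    lines, pos = [], 0
    while pos < len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute length")
        if a_type == RADIUS_VSA_TYPE and a_len >= 8:
            vendor = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            v_type, v_len = attrs[pos + 6], attrs[pos + 7]
            if vendor == CISCO_VENDOR_ID and v_type == CISCO_AVPAIR:
                text = attrs[pos + 8:pos + 6 + v_len].decode("ascii")
                if text.startswith("ip:inacl#"):
                    lines.append(text.split("=", 1)[1])
        pos += a_len  # skip attributes from other vendors or of other types
    return lines
```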

This is a little bit of a thread hijack, but it's close enough to the subject matter :)

I tried this out on Cistron radius using both the Cisco attribute 'ip:inacl#' and 'acl=test'.

In both cases, the ACLs showed as being applied to the VPN user in a 'show uauth', but they didn't seem to take effect.

For example, I did a small ACL to block port 80 traffic and allow everything else:

ip:inacl#=deny tcp any any eq 80

ip:inacl#=permit ip any any

uauth showed it as assigned and the ACL matched up with what I configured in RADIUS, but it didn't stop any traffic.

Next I created a local ACL with the same data as the one I created in RADIUS, and sent attribute values "acl=acltest". Once again uauth showed it as applied, but I was still able to surf around without it taking effect.

Any ideas? Am I missing something?

Thanks,

-Joshua