Hi Brandon,

On Wed, Nov 19, 2003 at 04:19:55PM -0500, Brandon Lehmann wrote:
Hi List,
I have read through a lot of the archives concerning IP filtering similar to Ascend-Data-Filter. I would like to refrain from setting up "filters" on the TC. I would rather send the filters down dynamically from the radius server.
I have added the following radius attributes to my sql server for passing the filters down to the user on login.
USR-IP-Input-Filter = "1 AND tcp-dst-port = 25",
USR-IP-Input-Filter = "2 REJECT dst-addr != X.X.X.X/24",
USR-IP-Input-Filter = "3 PERMIT"
Just some thoughts:

1. Ensure this attribute is something like:
   USR.attr USR-IP-Input-Filter 36864 string (*, 0)
   this is "Merit" syntax, but the decimal value of 36864 is of course important.
2. Each line should look like:
   USR-IP-Input-Filter = "1 AND tcp-dst-port = 25;",
   so, don't omit the ^ at the end of each string inside the "..."
3. Have a look at the HARC itself: Do some monitoring with the CLI-command:
   monitor radius
   and then "B" for monitor all authentication packets, if the rules apply from RADIUS. One should see all the rules decoded by the HARC.
4. Ensure correct modem-interface settings per CLI-command:
   set modem_group all filter_access on

Hope it helps,

Oliver.

--
Oliver.Francke@telefonica.de
fon. +49-5246-80-1389
mob. +49-171-5597734
I used to have a sig, but I've stopped smoking.
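An added example, not part of the original message: a Python pre-flight check that each filter string ends with the ";" shown in the reply's example line, then encodes it as a RADIUS Vendor-Specific attribute using the decimal value 36864 and decodes it again, which gives bytes to compare against a packet capture or the NAS-side monitor. The vendor ID 429 and the layout (4-byte attribute number, no vendor length byte) are assumptions not stated in the thread; the function names are hypothetical.

```python
import struct

VENDOR_SPECIFIC = 26         # RADIUS Vendor-Specific attribute (RFC 2865)
USR_VENDOR_ID = 429          # assumption: IANA enterprise number for U.S. Robotics
USR_IP_INPUT_FILTER = 36864  # decimal value from the reply (0x9000)
HEADER_LEN = 10              # type + length + vendor id + 4-byte attribute number

# Constructed sample: the three rules from the thread with the trailing ';' added.
RULES = ["1 AND tcp-dst-port = 25;",
         "2 REJECT dst-addr != X.X.X.X/24;",
         "3 PERMIT;"]


def check_rule(rule):
    """Return the problems found in one filter string (empty list means OK)."""
    problems = []
    if not rule.endswith(";"):
        problems.append("missing trailing ';'")
    if len(rule.encode("ascii")) > 255 - HEADER_LEN:
        problems.append("too long for a single RADIUS attribute")
    return problems


def encode_filter(rule):
    """Encode one rule as a Vendor-Specific attribute (assumed USR layout)."""
    problems = check_rule(rule)
    if problems:
        raise ValueError("%r: %s" % (rule, ", ".join(problems)))
    body = struct.pack("!II", USR_VENDOR_ID, USR_IP_INPUT_FILTER) + rule.encode("ascii")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_filters(data):
    """Walk an attribute buffer; return USR-IP-Input-Filter strings in order."""
    rules, pos = [], 0
    while pos + 2 <= len(data):
        attr_type, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        if attr_type == VENDOR_SPECIFIC and length >= HEADER_LEN:
            if struct.unpack_from("!II", data, pos + 2) == (USR_VENDOR_ID, USR_IP_INPUT_FILTER):
                rules.append(data[pos + HEADER_LEN:pos + length].decode("ascii"))
        pos += length
    return rules


if __name__ == "__main__":
    reply = b"".join(encode_filter(r) for r in RULES)
    print(reply.hex(), decode_filters(reply))
```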