Re: IAS - policy profile IP Packet Filter issue



For the benefit of everyone out there - since it has been
hard to find any sort of documentation (either from Cisco
or from Microsoft) - here are the things I did:

The Vendor attribute I added was Cisco-AV-Pair
(from the Advanced tab of the policy profile select Add and
then 'Cisco-AV-Pair').
All the fields are grayed except the field for the
Attribute values.
I wanted to set an ACL to limit all ip traffic from
192.168.0.7 to my user and vice-versa, so I set the
following values:

ip:inacl#1=permit ip host 192.168.0.7 any

and then

ip:inacl#2=permit ip any host 192.168.0.7

Another method is to set a Vendor-Specific (RADIUS
standard) attribute (attribute number 26), set for Cisco
(vendor code 9), specifying that this attribute conforms
to the RFC, and then, clicking on 'Configure attribute',
set the vendor-assigned attribute number to 1 (which
means AV-Pair) and finally set the value, exactly as before.

In both cases things seem to work :)



>-----Original Message-----
>Hello Giulio,
>
> This is happening because the profile element "IP filters" is a Microsoft
>vendor-specific RADIUS attribute (it is not an RFC standard) and only
>Microsoft products (like RRAS) can understand them.
> To have your Cisco NAS understand the filters, you need to configure IAS
>to send Cisco vendor-specific attributes. Go to profile->Advanced->add and
>select "Vendor-Specific" and configure the attributes according to Cisco's
>specs.
>
> Hope this helps.
> Thanks, Manju
>
>--
>+++++++++++++++++++++++++++++++++++++++++++++++
>This posting is provided "AS IS" with no warranties, and confers no rights
>
>
>"Giulio" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>news:202a01c53ea4$da029c50$a601280a@xxxxxxxxxx
>> Hi All,
>> I've a problem with the configuration of a policy profile
>> in IAS: it seems to me that the IP packet filter in the
>> profile of the policy is not applied.
>>
>> A user (say 'test') is configured in this way:
>> - Dial-in tab: Remote Access: "Control Access through
>> remote access policy"
>> - NAS: Cisco 3700
>> - IAS policy for this user:
>> . Grant Remote Access Permission
>> . profile - IP Deny all traffic except from 192.168.0.7 to
>> user-IP
>> . profile - IP Deny all traffic from user to 192.168.0.7
>>
>> The other profile configurations are set as default.
>>
>> The user is correctly authenticated and from the event log
>> I can see that the policy used is the correct one.
>>
>> I expected I could not ping anything but 192.168.0.7 but,
>> once authenticated, the test user can ping everything
>> around!
>>
>> The strange thing is that the same policy in a RRAS server
>> (without IAS) works in the correct way. It's exactly the
>> same policy since I imported it from the old server with
>> the netsh command.
>>
>> Please help me!!!
>>
>>
>
>
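The two IAS methods above end up on the wire as the same thing: an RFC 2865 Vendor-Specific attribute (type 26) carrying Cisco's vendor ID 9 and vendor-assigned attribute 1 (Cisco-AV-Pair) with the `ip:inacl#N=...` string as its value. The following is an added example, not code from this thread or from Cisco or Microsoft: it encodes and decodes that attribute layout in Python, and adds a small sanity check (my own, not a Cisco tool) that an `ip:inacl#` value follows the `permit|deny <protocol> <source> <destination>` shape the NAS expects, so a mistyped ACE is caught before it is pushed to the policy rather than silently leaving the session unfiltered. The sample AV-pairs are constructed from the addresses used in the thread.

```python
import ipaddress
import re
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type "Vendor-Specific"
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor-assigned attribute number: Cisco-AV-Pair


def encode_cisco_avpair(value):
    """Build one RADIUS Vendor-Specific attribute holding a Cisco-AV-Pair.

    Layout: Type(26) Length | Vendor-Id(4 bytes) | Vendor-Type(1) Vendor-Length | value
    """
    data = value.encode("ascii")
    # 255 max attribute length - 2 outer header - 4 vendor id - 2 vendor header
    if len(data) > 247:
        raise ValueError("AV-pair too long for a single RADIUS attribute")
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_cisco_avpairs(attrs):
    """Walk a RADIUS attribute list and return every Cisco-AV-Pair string.

    Length fields are validated so a truncated or malformed packet raises
    instead of reading past the end of the buffer.
    """
    pairs = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor == CISCO_VENDOR_ID:
                j, end = i + 6, i + alen
                while j + 2 <= end:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("bad vendor attribute length")
                    if vtype == CISCO_AVPAIR:
                        pairs.append(attrs[j + 2:j + vlen].decode("ascii"))
                    j += vlen
        i += alen
    return pairs


# --- sanity check for ip:inacl# values (assumed minimal IOS extended-ACL grammar) ---
INACL_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny)\s+(.+)$")
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _consume_endpoint(tokens):
    """Accept 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return the remaining tokens."""
    if not tokens:
        raise ValueError("missing address specification")
    if tokens[0] == "any":
        return tokens[1:]
    if tokens[0] == "host":
        if len(tokens) < 2 or not _is_ipv4(tokens[1]):
            raise ValueError("'host' must be followed by an IPv4 address")
        return tokens[2:]
    if len(tokens) >= 2 and _is_ipv4(tokens[0]) and _is_ipv4(tokens[1]):
        return tokens[2:]
    raise ValueError("bad address specification starting at %r" % tokens[0])


def check_inacl(avpair):
    """Return (ok, message) for one ip:inacl# AV-pair."""
    m = INACL_RE.match(avpair)
    if not m:
        return False, "not an ip:inacl#N=permit|deny ... AV-pair"
    tokens = m.group(3).split()
    if not tokens or tokens[0] not in PROTOCOLS:
        return False, "protocol keyword expected after %s, got %r" % (m.group(2), tokens[:1])
    try:
        rest = _consume_endpoint(tokens[1:])   # source
        _consume_endpoint(rest)                # destination
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values based on the addresses discussed in the thread.
    good = "ip:inacl#1=permit ip host 192.168.0.7 any"
    typo = "ip:inacl#2=permit any ip host 192.168.0.7"   # protocol and source swapped
    print(check_inacl(good), check_inacl(typo))
    print(decode_cisco_avpairs(encode_cisco_avpair(good)))
```

The decoder expects the attribute section of an Access-Accept (everything after the 20-byte RADIUS header); each `ip:inacl#` line the NAS receives is joined into a per-user inbound ACL in numeric order, so checking every line with `check_inacl` before saving the profile avoids an ACE that the router rejects while the user is already connected.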


