Radius Server - IAS - policy profile IP Packet Filter issue







Giulio

2005-04-11, 5:58 pm

Hi All,
I have a problem with the configuration of a policy profile
in IAS: it seems to me that the IP packet filter in the
profile of the policy is not applied.

A user (say 'test') is configured in this way:
- Dial-in tab: Remote Access: "Control Access through
remote access policy"
- NAS: cisco 3700
- IAS policy for this user:
. Grant Remote Access Permission
. profile - IP Deny all traffic except from 192.168.0.7 to
user-IP
. profile - IP Deny all traffic from user to 192.168.0.7

The other profile configurations are set as default.

The user is correctly authenticated and from the event log
I can see that the policy used is the correct one.

I expected I could not ping anything but 192.168.0.7 but,
once authenticated, the test user can ping everything around!

The strange thing is that the same policy in a RRAS server
(without IAS) works in the correct way. It's exactly the
same policy since I imported it from the old server with
the netsh command.

Please help me!!!


Manjunath Bharadwaj [MSFT]

2005-04-11, 5:58 pm

Hello Giulio,

This is happening because the profile element "IP filters" is a Microsoft
vendor-specific RADIUS attribute (it is not an RFC standard) and only
Microsoft products (like RRAS) can understand it.
To have your cisco NAS understand the filters, you need to configure IAS
to send cisco vendor specific attributes. Go to profile->Advanced->add and
select "Vendor-Specific" and configure the attributes according to Cisco's
specs.

Hope this helps.
Thanks, Manju

--
+++++++++++++++++++++++++++++++++++++++++++++++
This posting is provided "AS IS" with no warranties, and confers no rights





Giulio

2005-04-12, 2:51 am

Hello Manju,
Thank you for your reply.
Indeed I thought it could be some "Vendor-like" issue...
Well, so I'll try to specify a cisco VSA as you said.
Thanks for your help!

Giulio


Giulio

2005-04-12, 6:01 pm

For the benefit of everyone out there - since it has been
hard to find any sort of documentation (either from Cisco
or from Microsoft) - here are the things I did:

The Vendor attribute I added was Cisco-AV-Pair
(from the Advanced tab of the policy profile select Add and
then 'Cisco-AV-Pair').
All the fields are grayed except the field for the
Attribute values.
I wanted to set an ACL to limit all ip traffic from
192.168.0.7 to my user and vice-versa, so I set the
following values:

ip:inacl#1=permit ip host 192.168.0.7 any

and then

ip:inacl#2=permit ip any host 192.168.0.7

Another method is to set a Vendor-Specific (RADIUS
standard) attribute (attribute number 26), set for Cisco
(vendor code 9), specifying that this attribute conforms to
the RFC format, and then, clicking on 'Configure attribute',
set the vendor-assigned attribute number to 1 (which
means AV-Pair) and finally set the value, exactly as before.

In both cases things seem to work.




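Editor's note, added to this archived thread and not part of any post above, nor Microsoft or Cisco code: the two methods Giulio describes (the Cisco-AV-Pair entry in the IAS profile and the generic Vendor-Specific attribute 26 / vendor 9 / vendor-type 1) both end up as the same bytes on the wire. The script below builds those Vendor-Specific attributes in the RFC 2865 section 5.26 layout, wraps them in an Access-Accept with a correct Response Authenticator, and then shows, from the NAS side, why the filters Manju refers to are dropped: a Cisco NAS only decodes VSAs carrying its own Vendor-Id (9) and ignores Microsoft's (311), which is where IAS's "IP filters" profile element (MS-Filter, RFC 2548) lives. Assumptions, not from the thread: the sample ACEs split the two directions across ip:inacl (traffic arriving from the dial-in user) and ip:outacl (traffic sent to the user), which is an editorial choice and differs from Giulio's two inacl lines; the MS-Filter payload, the shared secret and the Request Authenticator are constructed dummies; validate_ace is a simplified shape check for IOS extended-ACL entries and is not an IOS parser.

```python
"""Build the RADIUS Vendor-Specific attributes that carry Cisco AV-pairs and
show why a Cisco NAS ignores Microsoft's MS-Filter VSA (editorial example)."""
from __future__ import annotations

import hashlib
import re
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type (RFC 2865 s5.26)
CISCO_VENDOR_ID = 9         # IANA enterprise number: Cisco
CISCO_AVPAIR = 1            # Cisco vendor-assigned attribute: cisco-avpair
MICROSOFT_VENDOR_ID = 311   # IANA enterprise number: Microsoft
MS_FILTER = 22              # MS-Filter (RFC 2548); what IAS "IP filters" emit

# Simplified IOS extended-ACE shape: action protocol source destination.
# Catches the common slip of writing the protocol after the source ("permit any ip ...").
_ACE = re.compile(r"^(permit|deny) (ip|icmp|tcp|udp) (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)$")


def validate_ace(ace: str) -> bool:
    """Return True if the ACE has the action/protocol/src/dst shape IOS expects."""
    return bool(_ACE.match(ace))


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """One Vendor-Specific attribute in the RFC 2865 recommended layout:
    Type(26) Length Vendor-Id(4) [Vendor-type(1) Vendor-length(1) Value]."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    if 6 + len(inner) > 255:  # Length is a single octet
        raise ValueError("VSA value too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 6 + len(inner)) + struct.pack("!I", vendor_id) + inner


def cisco_acl_avpairs(inbound: list[str], outbound: list[str]) -> list[bytes]:
    """One cisco-avpair VSA per ACE, numbered ip:inacl#N / ip:outacl#N as IOS expects."""
    for ace in inbound + outbound:
        if not validate_ace(ace):
            raise ValueError(f"malformed ACE: {ace!r}")
    pairs = [f"ip:inacl#{i}={ace}" for i, ace in enumerate(inbound, 1)]
    pairs += [f"ip:outacl#{i}={ace}" for i, ace in enumerate(outbound, 1)]
    return [encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, p.encode()) for p in pairs]


def parse_attributes(data: bytes):
    """Walk a RADIUS attribute list, yielding (type, value) pairs."""
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def vsas_understood_by(attrs: bytes, vendor_id: int) -> list[tuple[int, bytes]]:
    """NAS-side view: decode only VSAs whose Vendor-Id is ours; a NAS MUST
    ignore VSAs it does not recognise (RFC 2865 s5.26)."""
    seen = []
    for atype, value in parse_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        vtype, vlen = value[4], value[5]
        seen.append((vtype, value[6:4 + vlen]))
    return seen


def access_accept(identifier: int, request_authenticator: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept (Code 2) with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)."""
    header = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def demo() -> dict:
    """Constructed sample: restrict the dial-in user to 192.168.0.7 in both directions."""
    cisco = cisco_acl_avpairs(
        inbound=["permit ip any host 192.168.0.7"],       # user -> server
        outbound=["permit ip host 192.168.0.7 any"],      # server -> user
    )
    # Stand-in for the IAS "IP filters" element; the payload is a constructed dummy, not a real MS-Filter blob.
    ms_filter = encode_vsa(MICROSOFT_VENDOR_ID, MS_FILTER, b"\x00" * 8)
    attrs = b"".join(cisco) + ms_filter
    pkt = access_accept(0x2A, b"\x11" * 16, b"sharedsecret", attrs)  # dummy secret and Request Authenticator
    return {
        "cisco_sees": [v.decode() for t, v in vsas_understood_by(attrs, CISCO_VENDOR_ID) if t == CISCO_AVPAIR],
        "ms_sees": len(vsas_understood_by(attrs, MICROSOFT_VENDOR_ID)),
        "packet_len": len(pkt),
        "packet": pkt,
    }


if __name__ == "__main__":
    result = demo()
    print("Cisco NAS applies:", result["cisco_sees"])
    print("MS-Filter VSAs a Cisco NAS ignores:", result["ms_sees"])
```

The two Cisco-AV-Pair lines it emits are what IAS sends whether you pick the named "Cisco-AV-Pair" entry or configure attribute 26 by hand with vendor 9 and vendor-type 1, which is why Giulio's two methods behave identically. The MS-Filter VSA rides along in the same Access-Accept and is simply skipped by vsas_understood_by(attrs, 9), mirroring what the Cisco 3700 does with IAS's native filter element. Direction matters on the NAS: ip:inacl is applied to packets arriving from the user, ip:outacl to packets leaving towards the user, so an ACE whose source is the server belongs in outacl.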







Copyright 2003 - 2008 webservertalk.com