Ascend Archive
Re: (ASCEND) MAX4000 - restricted useraccess
We were able to accomplish this by putting a new pool in with private
addressing (i.e. 10.x.x.x/24) on each of our Maxen. Since these weren't
routable outside our local network and since we are using OSPF it was easy
to do this.
We set up a user name "guest" in RADIUS that would get IPs out of this
pool and then locked down some filters to only allow them to access DNS
and a certain web server. My example below:
===========
guest	Password = "guest"
	User-Service = Framed-User,
	Framed-Protocol = PPP,
	Framed-Netmask = 255.255.255.255,
	Framed-Compression = Van-Jacobson-TCP-IP,
	Framed-MTU = 1524,
	Ascend-Idle-Limit = 900,
	Ascend-Assign-IP-Pool = 2,
	Ascend-Data-Filter = "ip in forward dstip 204.252.102.2/32 udp dstport = 53",
	Ascend-Data-Filter = "ip in forward dstip 204.252.102.3/32 udp dstport = 53",
	Ascend-Data-Filter = "ip in forward dstip 206.113.113.13/32 udp dstport = 53",
	Ascend-Data-Filter = "ip in forward dstip 207.183.128.13/32 udp dstport = 53",
	Ascend-Data-Filter = "ip in forward dstip 206.113.113.141/32 tcp dstport = 80",
	Ascend-Data-Filter = "ip in forward dstip 206.113.113.141/32 tcp dstport = 443",
	Ascend-Data-Filter = "ip in forward tcp est",
	Ascend-Data-Filter = "ip in forward icmp",
	Ascend-Data-Filter = "ip in drop tcp",
	Ascend-Data-Filter = "ip in drop udp"
=============
This profile allows us to have a tightly locked guest account that can
only access Ports 80 and 443 of one of our webservers (we use this to sign
up new users, etc.) and to access DNS. IP Pool #2 as shown above is the
10.x.x.x network we set up in each MAX.
This example should help.
-Rob-
> From: Klaus Hessellund <klaus.hessellund@uni2.dk>
> Date: Thu, 10 Sep 1998 13:23:23 +0200
> Subject: (ASCEND) MAX4000 - restricted useraccess
>
> Hello,
>
> How do I create a user which is only able to access one IP address?
>
> Is it possible to set it up with a RADIUS profile? All other users on the
> MAX4000 are given a dynamic IP number and can access everything. But we
> want to make a guest account which can only access one server.
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
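The filter list in Rob's profile is evaluated top to bottom, first match wins, so the order of the "tcp est" and "drop" lines is what makes the account usable yet restricted. Below is an added example, not from the original post or from Ascend, that parses the Ascend-Data-Filter strings exactly as posted (only the keywords that appear on the page) and evaluates constructed packets against them, so the policy can be checked before it is pushed to the MAX. The `default` action for packets that match no filter is an assumption made explicit as a parameter, because the page does not state the MAX's no-match behaviour.

```python
import ipaddress

# Filter strings copied from the guest profile above: "ip <dir> <action> [dstip N/M] [proto] [dstport = P] [est]".
GUEST_FILTERS = [
    "ip in forward dstip 204.252.102.2/32 udp dstport = 53",
    "ip in forward dstip 204.252.102.3/32 udp dstport = 53",
    "ip in forward dstip 206.113.113.13/32 udp dstport = 53",
    "ip in forward dstip 207.183.128.13/32 udp dstport = 53",
    "ip in forward dstip 206.113.113.141/32 tcp dstport = 80",
    "ip in forward dstip 206.113.113.141/32 tcp dstport = 443",
    "ip in forward tcp est",
    "ip in forward icmp",
    "ip in drop tcp",
    "ip in drop udp",
]

def parse_filter(spec):
    """Parse one Ascend-Data-Filter string (only the keywords used on the page) into a rule dict."""
    tok = spec.replace("=", " ").split()
    if tok[:1] != ["ip"] or tok[1] not in ("in", "out") or tok[2] not in ("forward", "drop"):
        raise ValueError("unsupported filter: " + spec)
    rule = {"dir": tok[1], "action": tok[2], "dstip": None, "proto": None, "dstport": None, "est": False}
    i = 3
    while i < len(tok):
        if tok[i] == "dstip":
            rule["dstip"], i = ipaddress.ip_network(tok[i + 1]), i + 2
        elif tok[i] in ("tcp", "udp", "icmp"):
            rule["proto"], i = tok[i], i + 1
        elif tok[i] == "dstport":
            rule["dstport"], i = int(tok[i + 1]), i + 2
        elif tok[i] == "est":
            rule["est"], i = True, i + 1
        else:
            raise ValueError("unsupported token %r in: %s" % (tok[i], spec))
    return rule

def matches(rule, pkt):
    """Constructed packet dict keys: dir, dst, proto, dstport (optional), est (optional: TCP with ACK set)."""
    return (rule["dir"] == pkt["dir"]
            and (rule["dstip"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dstip"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dstport"] is None or rule["dstport"] == pkt.get("dstport"))
            and (not rule["est"] or pkt.get("est", False)))

def evaluate(filters, pkt, default="drop"):
    """First match decides; `default` (assumed) covers packets matching no filter, which the page does not specify."""
    for rule in map(parse_filter, filters):
        if matches(rule, pkt):
            return rule["action"]
    return default
```

Note that the posted list only drops TCP and UDP explicitly, so what happens to any other IP protocol from a guest depends entirely on the MAX's no-match behaviour; the evaluator makes that dependency visible.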