This worked fine with us. There are a few peculiarities though.
First, check your radius server can send multiple filter id attributes.
I don't know about Livingston's 2.0, but Merit's 2.4.23basic has a bug
which prevents it from sending multiple Filter-Ids. A one-line patch
is to change the Filter-Id description in the attribute table. In the radiusd.c
file, the Filter-Id entry in the table PRUN_RULE liv_attr[] should look like
{ 11, 1, -1 }, /* Filter-Id NB: non-standard */
"-1" means "any number of attributes of this type".
Next, remember Cisco's filters are all numeric, and separate filters
must be applied for incoming and outgoing directions. So you will need
to define 2 access lists on the Cisco, for example 198 for outgoing and
199 for incoming traffic.
Next, define a user to be filtered in the users file and put 2 Filter-Ids
for him:
Filter-Id = "199.in"
Filter-Id = "198"
There was (is?) a bug in IOS: the outgoing filters may be specified
either as 198.out or just 198, but the former notation doesn't work
(or at least it didn't work 3 months ago).
This configuration works for cisco/radius filtering.
The final trick is to make it work with PortMasters as well. We did
it by adding another filter id, say "restrict", into the users file and
defining this filter on the PortMasters. One important thing! This filter
id must be specified BEFORE the other two in the users file, otherwise
Cisco's part won't work (it won't install an outgoing filter at all).
So you end up with
Filter-Id = "restrict"
Filter-Id = "199.in"
Filter-Id = "198"
in the users file, "restrict.in" and "restrict.out" filters on the PortMasters
and "198" and "199" access lists on the Cisco.
PS. We also had Telebit's Micablazer on our network and it worked from
the same radius server with filters (the trick was to define an interface
with appropriate name on the micablazer and apply micablazer's
filters on it; I leave it as an exercise to readers to find out what would
be the interface's name :-)
>
>
> We use Livingston radius 2.0 with Livingston boxes and Cisco 2501
> router for non-dialup sessions using Cisco vty-async interfaces.
>
> The problem is: I failed to apply a network IP filter stored in the Cisco router's
> memory to a user authenticated by radius.
>
> Cisco docs are not clear enough for me and I suspect the problem is
> very stupid, something like wrong syntax or so.
>
> I would really appreciate it if anybody could send me good pointers to RTFMs about
> the Cisco radius implementation or working configuration examples.
>
> Thank you very much in advance.
>
>
> Sincerely yours,
>
> Ilia Zubkov,
> the REDLINE network director
>
>
-- 
Igor V. Semenyuk        Internet: iga@sovam.com
SOVAM Teleport          Phone: +7 095 258 4170
Moscow, Russia          Fax: +7 095 258 4133
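The ordering and naming rules in the reply above (PortMaster filter name first, "NNN.in" for the inbound Cisco access list, a bare "NNN" rather than "NNN.out" for the outbound one) are easy to get wrong when editing a users file by hand. As an added example, not code from the original post or from either RADIUS server, here is a small Python checker that parses the Filter-Id attributes out of a Livingston/Merit-style users file entry and reports any entry that breaks those rules. The users-file entries are constructed sample data; the rule that non-numeric names are PortMaster filters and numeric names are Cisco access lists is an assumption taken from the post.

```python
import re

# Matches one reply attribute of the form  Filter-Id = "value"  in a users file entry.
FILTER_ID_RE = re.compile(r'Filter-Id\s*=\s*"([^"]*)"')


def parse_filter_ids(entry):
    """Return the Filter-Id values of a users-file entry, in file order."""
    return FILTER_ID_RE.findall(entry)


def classify(value):
    """Split a Filter-Id into (name, direction); direction is 'in', 'out' or None."""
    name, sep, direction = value.partition(".")
    if sep and direction not in ("in", "out"):
        return value, None  # dotted, but not a direction suffix
    return name, (direction or None)


def check_filter_ids(entry):
    """Return a list of problems with the Filter-Ids in one users-file entry.

    Assumed convention (from the post): numeric names are Cisco access lists,
    everything else is a PortMaster filter name.
    """
    problems = []
    cisco, portmaster = [], []
    for pos, value in enumerate(parse_filter_ids(entry)):
        name, direction = classify(value)
        (cisco if name.isdigit() else portmaster).append((pos, name, direction))

    # Rule 1: the PortMaster filter name must come BEFORE the Cisco access lists,
    # otherwise the Cisco does not install its outgoing filter.
    if portmaster and cisco and max(p for p, _, _ in portmaster) > min(p for p, _, _ in cisco):
        problems.append("PortMaster filter name must precede the numeric Cisco Filter-Ids")

    # Rule 2: outgoing Cisco lists are given as a bare number; "NNN.out" did not work.
    for _, name, direction in cisco:
        if direction == "out":
            problems.append(f'"{name}.out": use bare "{name}" for the outgoing access list')

    # Rule 3: one inbound ("NNN.in") and one outbound ("NNN") Cisco list per user.
    inbound = [n for _, n, d in cisco if d == "in"]
    outbound = [n for _, n, d in cisco if d is None]
    if len(inbound) != 1:
        problems.append(f"expected one inbound Cisco access list (NNN.in), found {len(inbound)}")
    if len(outbound) != 1:
        problems.append(f"expected one outbound Cisco access list (NNN), found {len(outbound)}")
    return problems


# Constructed sample entries (not from a real users file).
GOOD_ENTRY = '''user1\tPassword = "UNIX"
\tFilter-Id = "restrict",
\tFilter-Id = "199.in",
\tFilter-Id = "198"
'''

BAD_ORDER_ENTRY = '''user2\tPassword = "UNIX"
\tFilter-Id = "199.in",
\tFilter-Id = "198",
\tFilter-Id = "restrict"
'''

BAD_OUT_ENTRY = '''user3\tPassword = "UNIX"
\tFilter-Id = "restrict",
\tFilter-Id = "199.in",
\tFilter-Id = "198.out"
'''

if __name__ == "__main__":
    for label, entry in [("good", GOOD_ENTRY), ("bad order", BAD_ORDER_ENTRY), ("bad out", BAD_OUT_ENTRY)]:
        print(label, parse_filter_ids(entry), check_filter_ids(entry) or "OK")
```

Run it against each entry in your users file before restarting radiusd; an empty problem list means the entry follows the ordering and naming conventions described above.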