Just to let folks know:
I finally managed to prove to Engineering that the filters should not be on
the client's RADIUS server - but should be put into our Central RADIUS
server. We can filter 800 calls based on the IP address of the MAXs in the
800 racks (the NAS Identifier). Since we may want to do this for other
customers as well, the most logical placement of the filters is in our
RADIUS - where the initial Authentication request from the NAS is sent, the
domain is examined and the request packet is forwarded to the client's
RADIUS for authenticating a particular user.
FYI: RadiusNT written by IEA - it works very well with their Emerald
database package for ISPs - but as a stand-alone - it hangs when filters are
Another week-end shot with trial and errors. Another crisis averted and solved.
Many thanks for your assistance.
>>Date: Fri, 11 Apr 1997 08:19:01 -0400
>>From: Kate Murphy <email@example.com>
>>Subject: Re: Setting up filters
>>We have RadiusNT running as part of a distributed security solution. The
NAS (client on the RadiusNT box) is actually the Central RADIUS server that
receives the initial authentication requests - examines the realm or domain
name of the user login (firstname.lastname@example.org) and forwards the request to
the RadiusNT box that has the user files for "technogeeks.com" and lists the
Central Radius in the client file as the NAS.
>>The Central RADIUS server is a sparc running another version of RADIUS and
has several Ascend 4000's in the client files as NASs.
>>In the RadiusNT boxes that are set up with users from one or more
domain(realm) names, I would like to set up a filter for when a user dials
into the 1-800 rack, he is disconnected (Central Radius receives a NAK which
goes back to the NAS) - but when they dial into a local NAS - through
Central Radius to the appropriate realm RadiusNT box, they receive an "ACK".
>>I think I can put Framed-Filter=some number and define the filter in the
dictionary file. The question is - should I set up two filters (like in
static routing) like
>>Filter 1 as : nopass (source IP address of 800 rack) (destination IP
address of RadiusNT box)
>or "reject" ....
>or "deny" .....
>or "send Access-reject if NAS Identifier = source IP address of 800 rack
>>Filter 2 as: pass (0.0.0.0) (destination IP address of RadiusNT box)
>or "send Access-accept if NAS Identifier = 0.0.0.0
>>Would this work? I am not sure what the exact syntax should be on the NT
box - any help would be greatly appreciated!
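The decision the thread describes (Central RADIUS receives the Access-Request, looks at the realm of the login, rejects anything arriving from the 800-rack NASs, and forwards everything else to the realm's RadiusNT box) can be modelled in a few lines. The following is an added example, not code from the original mail or from RadiusNT: it parses the RADIUS wire format (code, identifier, length, authenticator, TLV attributes; User-Name is attribute 1, NAS-IP-Address attribute 4, NAS-Identifier attribute 32), matches the NAS against a list of 800-rack addresses, and builds an Access-Reject with the MD5 Response Authenticator that a NAS checks before it accepts the answer. The NAS addresses, realm server, and shared secret are made-up values.

```python
"""Model of the Central RADIUS filter from the thread (added example).

Assumed, not from the original mail: the 800-rack NAS addresses, the realm
server table and the shared secret. Packet layout follows RFC 2865/2138.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32

# Constructed configuration (hypothetical addresses).
RACK_800_NASES = {ipaddress.ip_address("10.0.8.1"), ipaddress.ip_address("10.0.8.2")}
REALM_SERVERS = {"technogeeks.com": ("10.1.1.5", 1645)}
SHARED_SECRET = b"example-secret"


def parse_attributes(data):
    """Split the attribute area into {type: [value, ...]}, refusing bad lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(data[pos + 2:pos + alen])
        pos += alen
    return attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, attrs) from a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    return code, ident, packet[4:20], parse_attributes(packet[20:length])


def split_realm(user_name):
    """'user@realm' -> ('user', 'realm'); no '@' means no realm."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm.lower()
    return user_name, None


def decide(packet):
    """Central RADIUS policy: ('reject', reason) or ('forward', (host, port))."""
    code, _, _, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user_name = attrs.get(USER_NAME, [b""])[0].decode("utf-8", "replace")
    _, realm = split_realm(user_name)
    nas_ip = None
    raw_ip = attrs.get(NAS_IP_ADDRESS, [b""])[0]
    if len(raw_ip) == 4:
        nas_ip = ipaddress.ip_address(raw_ip)
    # Filter 1 from the mail: calls from an 800-rack MAX get an Access-Reject.
    if nas_ip in RACK_800_NASES:
        return "reject", "800 rack"
    # Filter 2: everything else goes on to the realm's RadiusNT box.
    if realm not in REALM_SERVERS:
        return "reject", "unknown realm"
    return "forward", REALM_SERVERS[realm]


def build_request(ident, user_name, nas_ip, nas_id, authenticator):
    """Construct an Access-Request as a MAX would send it (test input only)."""
    attrs = b""
    for atype, value in ((USER_NAME, user_name.encode()),
                         (NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed),
                         (NAS_IDENTIFIER, nas_id.encode())):
        attrs += struct.pack("!BB", atype, 2 + len(value)) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_reject(request, secret=SHARED_SECRET):
    """Access-Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(request, response, secret=SHARED_SECRET):
    """What the NAS does: recompute the Response Authenticator and compare."""
    _, req_ident, req_auth, _ = parse_packet(request)
    _, ident, length = struct.unpack("!BBH", response[:4])
    if ident != req_ident or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_request(7, "user@technogeeks.com", "10.0.8.1", "max-800-1", b"\x01" * 16)
    print(decide(req))                      # ('reject', '800 rack')
    print(verify_response(req, build_reject(req)))
```

One point the example makes that the mail does not: whichever attribute the filter keys on, the proxy should compare the NAS-IP-Address (or NAS-Identifier) from the packet against the client table, not trust it blindly, because the NAS fills that field in itself; the shared secret on the request is what ties the packet to a known NAS.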