(usr-tc) anti-spoofing, per user
Until recently I had been using:

enable ip SOURCE_ADDRESS_FILTER
set network user default PPP_SOURCE_IP_FILTER enabled

to prevent network users from spoofing source addresses. I now have one customer who has the need to have multiple subnets routed to them, which requires me to turn this option off globally.

Is there any method of leaving this ON, but turning off PPP_SOURCE_IP_FILTER for a specific user via RADIUS?

Thanks!

--
Jesse Sipprell
Technical Operations Director
Evolution Communications, Inc.
800.496.4736
* Finger jss@evcom.net for my PGP Public Key *

- To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.
On Mon, 6 Dec 1999, Jesse Sipprell wrote:

> Until recently I had been using:
>
> enable ip SOURCE_ADDRESS_FILTER
> set network user default PPP_SOURCE_IP_FILTER enabled
>
> to prevent network users from spoofing source addresses. I now have one customer who has the need to have multiple subnets routed to them, which requires me to turn this option off globally.
>
> Is there any method of leaving this ON, but turning off PPP_SOURCE_IP_FILTER for a specific user via RADIUS?

I don't think so. You can use "hint assigned" and build dynamic filters for each of your users. I did this for a time. I *really* wish they would make PPP_SOURCE_IP_FILTER use the netmask information and build the filter off that. Anyone know if this is in the pipeline?
-----------------------------------------------------
Brian Feeny (BF304)
signal@shreve.net
318-222-2638 x 109
http://www.shreve.net/~signal
Network Administrator, ShreveNet Inc. (ASN 11881)
On Mon, 6 Dec 1999, Jesse Sipprell wrote:

> Until recently I had been using:
>
> enable ip SOURCE_ADDRESS_FILTER
> set network user default PPP_SOURCE_IP_FILTER enabled
>
> to prevent network users from spoofing source addresses. I now have one customer who has the need to have multiple subnets routed to them, which requires me to turn this option off globally.
>
> Is there any method of leaving this ON, but turning off PPP_SOURCE_IP_FILTER for a specific user via RADIUS?
You can do it the other way around... leave the filter off, but turn it ON for a user in Radius. If you turn it on for the DEFAULT user, that's got the same effect as turning it on globally. Then you can leave it off for the users that have subnets routed to them, since they have their own entries anyway.

I've got the attribute name as USR-IP-SAA-Filter, vendor-specific attribute number 0x9870.

Mike Andrews (MA12) * mandrews@dcr.net * http://www.bit0.com/
VP, sysadmin, & network guy, Digital Crescent Inc, Frankfort KY
Internet services for Frankfort, Lawrenceburg, Owenton, & Shelbyville
"Don't sweat the petty things, and don't pet the sweaty things."
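As an added example (not code from this thread, nor anything the USR/3Com chassis runs), here is a small Python model of the policy Mike describes, filter off globally and switched on per user from the RADIUS reply, extended with what Brian wished the chassis did: the allowed source prefixes are derived from Framed-Route as well as Framed-IP-Address, so a customer with routed subnets can keep the anti-spoofing filter on. The attribute name USR-IP-SAA-Filter and number 0x9870 are as posted above; the USR vendor id 429, the USR VSA layout (4-byte attribute number, no sub-length byte) and 1/0 for Enabled/Disabled are assumptions made for this example, and the addresses are constructed sample data.

```python
"""Per-session source-address policy built from RADIUS reply attributes.

Assumptions (not stated in the thread): USR/3Com vendor id 429, USR VSA
layout of vendor-id(4) + attribute(4) + value, and 1 = Enabled, 0 = Disabled.
"""
import ipaddress
import struct

USR_VENDOR_ID = 429          # assumed IANA enterprise number for USR/3Com
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type
FRAMED_IP_ADDRESS = 8        # RFC 2865
FRAMED_ROUTE = 22            # RFC 2865, text form "<prefix> <gateway> <metric>"
USR_IP_SAA_FILTER = 0x9870   # name and number as posted in the thread


def std_attr(attr_type, value):
    """Encode one RADIUS TLV: type, total length (header included), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def usr_vsa(attr_num, value):
    """Encode a USR-format Vendor-Specific attribute (assumed layout)."""
    body = struct.pack("!II", USR_VENDOR_ID, attr_num) + value
    return std_attr(VENDOR_SPECIFIC, body)


def access_accept_attrs(framed_ip, routes=(), saa_filter=True):
    """Attribute list a RADIUS server would return for one dial-up user.

    saa_filter=True is what the DEFAULT user gets; a customer with routed
    subnets gets routes and, on the real chassis, saa_filter=False.
    """
    attrs = std_attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    for prefix in routes:
        attrs += std_attr(FRAMED_ROUTE, f"{prefix} 0.0.0.0 1".encode())
    attrs += usr_vsa(USR_IP_SAA_FILTER, struct.pack("!I", 1 if saa_filter else 0))
    return attrs


def parse_attrs(data):
    """Walk the TLV list; return (framed_ip, [route prefixes], saa_filter)."""
    framed_ip, routes, saa = None, [], None
    pos = 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + length]
        if attr_type == FRAMED_IP_ADDRESS:
            framed_ip = str(ipaddress.IPv4Address(value))
        elif attr_type == FRAMED_ROUTE:
            routes.append(value.decode().split()[0])
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 12:
            vendor, attr = struct.unpack("!II", value[:8])
            if vendor == USR_VENDOR_ID and attr == USR_IP_SAA_FILTER:
                saa = struct.unpack("!I", value[8:12])[0] == 1
        pos += length
    return framed_ip, routes, saa


def allowed_sources(data):
    """Prefixes the NAS should accept as source addresses for this session.

    Returns None when the per-user filter is off (anything passes). When it
    is on, the assigned address plus every Framed-Route prefix is allowed,
    which is the netmask-aware behaviour Brian asked for above.
    """
    framed_ip, routes, saa = parse_attrs(data)
    if not saa:
        return None
    nets = [ipaddress.ip_network(f"{framed_ip}/32")]
    nets += [ipaddress.ip_network(r) for r in routes]
    return nets


def accept_packet(data, src_ip):
    """True if a packet with this source address may leave the PPP session."""
    nets = allowed_sources(data)
    if nets is None:
        return True
    src = ipaddress.IPv4Address(src_ip)
    return any(src in n for n in nets)


if __name__ == "__main__":
    # Constructed sample: an ordinary dial-up user and a routed customer.
    dialup = access_accept_attrs("192.0.2.10")
    customer = access_accept_attrs("192.0.2.20", routes=["198.51.100.0/24"])
    print(accept_packet(dialup, "10.0.0.1"))          # spoofed RFC 1918 source
    print(accept_packet(customer, "198.51.100.7"))    # routed subnet, filter on
```

The chassis itself only knows the assigned address, which is why the thread's only working answer is to turn the attribute off for the routed customer; the `allowed_sources` function shows what the per-user filter would look like if it honoured the routed prefixes instead.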
Mike Andrews writes...

> I've got the attribute name as USR-IP-SAA-Filter, vendor-specific attribute number 0x9870.

Last time I tried this attribute it didn't work.

--
Aaron Nabil
It appears to work here -- we get a lot of packets logged by the ARC from people using RFC1918 addresses and the like on our dialups. And they are getting dropped or else our Ciscos would log/drop them too...

Mike Andrews (MA12) * mandrews@dcr.net * http://www.bit0.com/
VP, sysadmin, & network guy, Digital Crescent Inc, Frankfort KY
Internet services for Frankfort, Lawrenceburg, Owenton, & Shelbyville
"Don't sweat the petty things, and don't pet the sweaty things."

On Mon, 6 Dec 1999, Aaron Nabil wrote:
> Mike Andrews writes...
>
> > I've got the attribute name as USR-IP-SAA-Filter, vendor-specific attribute number 0x9870.
>
> Last time I tried this attribute it didn't work.
Mike Andrews writes...

> It appears to work here -- we get a lot of packets logged by the ARC from people using RFC1918 addresses and the like on our dialups. And they are getting dropped or else our Ciscos would log/drop them too...

Are you using the attribute or the global switch? It was the attribute that didn't work.

--
Aaron Nabil
Attribute. It's off globally.

Mike Andrews (MA12) * mandrews@dcr.net * http://www.bit0.com/
VP, sysadmin, & network guy, Digital Crescent Inc, Frankfort KY
Internet services for Frankfort, Lawrenceburg, Owenton, & Shelbyville
"Don't sweat the petty things, and don't pet the sweaty things."

On Wed, 8 Dec 1999, Aaron Nabil wrote:
> Mike Andrews writes...
>
> > It appears to work here -- we get a lot of packets logged by the ARC from people using RFC1918 addresses and the like on our dialups. And they are getting dropped or else our Ciscos would log/drop them too...
>
> Are you using the attribute or the global switch? It was the attribute that didn't work.
>
> --
> Aaron Nabil
participants (4)

- Aaron Nabil
- Brian
- Jesse Sipprell
- Mike Andrews