Re: (PM) Nailing spoofers

Curtis Coleman (curtis.lst.portmaster.users@imap.pangea.ca)
Fri, 31 Jul 1998 13:11:11 -0700 (PDT)

On Fri, 31 Jul 1998, Kevin Kadow wrote:

> > Why not have the PMs automatically filter users based on Framed-Address
> > & Framed-Route information received from RADIUS?
>
> To the same end, I've got a little perl program that will generate the
> individual ChoiceNet(tm) filters from the RADIUS 'users' file.
>
> This works great for anybody that you have assigned a Framed-Address and even
> Framed-Route, but there's still the problem of dynamic-IP users.

Hmm.. true. To work around this, while still living in the constraints of
PortMasterland, the job of doling out dynamic addresses could be accomplished
by a RADIUS server, also picking the appropriate filter at the time. But
that would require the RADIUS server become stateful, which is a no-no. I
much prefer your solution...

> What I'd really like to see (and this has been an RFE for many months) would
> be for me to be able to make a filter on the portmaster with a 'magic' address
> that the portmaster replaces with the assigned-IP when evaluating the filter
> against each user's packets.

That is a great solution. Dynamically addressed users have a stock
(locally stored) 'magic' filter, possibly most static users too, and leave
all special requirements to choicenet.

> The "special address in rule gets replaced by assigned address automagically"
> request has been brought up here time and time again, I'd rather see
> Lucent come out with that before something extraneous like NAT.

I'm surprised nothing has been done about it. RFC 2267, "Network Ingress
Filtering" has a blurb on the subject:

o Implementation of automatic filtering on remote access servers.
In most cases, a user dialing into an access server is an
individual user on a single PC. The ONLY valid source IP address
for packets originating from that PC is the one assigned by the
ISP (whether statically or dynamically assigned). The remote
access server could check every packet on ingress to ensure the
user is not spoofing the source address on the packets which he
is originating. Obviously, provisions also need to be made for
cases where the customer legitimately is attaching a net or
subnet via a remote router, but this could certainly be
implemented as an optional parameter. We have received reports
that some vendors and some ISPs are already starting to
implement this capability.

Curtis
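The per-user ingress check the thread is asking for, sketched as an added Python example (not code from the thread, from Kevin's perl script, or from Livingston/Lucent): one stored filter carries a placeholder token (here `ASSIGNED`, an assumed name for the 'magic' address) that is resolved to the session's RADIUS Framed-Address when packets are evaluated, with any Framed-Route prefixes added for a customer attaching a subnet behind a router. The RADIUS values and packet sources are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed placeholder token standing in for the 'magic' address discussed in
# the thread; it is resolved per session and is not a real PortMaster keyword.
MAGIC = "ASSIGNED"


@dataclass
class Session:
    user: str
    framed_address: str  # RADIUS Framed-Address, static or dynamically assigned
    framed_routes: list = field(default_factory=list)  # RADIUS Framed-Route strings

    def permitted_sources(self):
        """Every source prefix this user may legitimately originate packets from."""
        nets = [ipaddress.ip_network(self.framed_address)]  # single host -> /32
        for route in self.framed_routes:
            # RFC 2865 Framed-Route value: "<prefix>/<len> <gateway> <metric>"
            prefix = route.split()[0]
            nets.append(ipaddress.ip_network(prefix, strict=False))
        return nets


# One locally stored filter serves every dynamic-IP user: MAGIC is swapped for
# the session's assigned address (and routed prefixes) at evaluation time.
FILTER_TEMPLATE = [("permit", MAGIC), ("deny", "any")]


def expand_filter(session):
    """Instantiate the template for one session."""
    rules = []
    for action, src in FILTER_TEMPLATE:
        if src == MAGIC:
            rules.extend((action, net) for net in session.permitted_sources())
        else:
            rules.append((action, src))
    return rules


def ingress_check(session, src_ip):
    """First-match evaluation of a packet arriving on the user's port."""
    addr = ipaddress.ip_address(src_ip)
    for action, src in expand_filter(session):
        if src == "any" or addr in src:
            return action
    return "deny"


def audit(session, sources):
    """Count packets whose source address the user was not assigned (spoof attempts)."""
    return sum(1 for s in sources if ingress_check(session, s) == "deny")


# Constructed sample sessions and packet sources
dynamic_user = Session("alice", "192.0.2.17")
subnet_user = Session("bob", "192.0.2.33", ["198.51.100.0/24 0.0.0.0 1"])
SAMPLE_SOURCES = ["192.0.2.17", "10.0.0.1", "192.0.2.17", "203.0.113.5"]
```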
-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>