Hey! I'm setting up some FreeRADIUS servers as the authentication hosts for a few Lucent/Ascend MAX NAS devices to terminate dialup calls. When I've done this in the past, I assigned IP addresses statically, which made it very easy to build ingress filters specific to each user with the Ascend-Data-Filter parameter in user profiles.
This time around, I'm using dynamic addressing for most users, and I'm hoping to implement proper (RFC 2827) ingress filtering as I have done in the past. So far, it seems that the best I'll be able to do is apply a filter that accepts packets with any source address in the dynamic pool. While this is better than nothing, it unfortunately means that my dialup users will be able to spoof any other dialup IP address in the pool. Is there a better option? Ideally, I would want a filter that drops packets from the remote session with any IP address other than the one assigned to the user. Has anyone else fought a similar battle? Mark - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
