Not sure how you'd send this via radius attributes (never tried to do that), but if you want to protect your users from getting infected, apply this list outbound to their interface. If you want to prevent them from infecting others (along with doing any MS mapping of drives, or tftp'ing, etc.) then apply it inbound to that same interface. (No, I haven't flipped inbound and outbound; Cisco ACLs are from the POV of the access device.)
access-list 199 deny udp any any eq tftp log
access-list 199 deny tcp any any eq 135 log
access-list 199 deny udp any any eq 135 log
access-list 199 deny tcp any any eq 139 log
access-list 199 deny udp any any eq netbios-ss log
access-list 199 deny tcp any any eq 445 log
access-list 199 deny udp any any eq 445 log
access-list 199 deny tcp any any eq 4444 log
access-list 199 deny udp any any eq 4444 log

(obviously, I'm using access list 199 here....)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"A four-year-old will very quickly get over news of the death of Santa if told that it was due to his fully loaded sleigh crashing in the back garden." -- Mil Millington

Robert Tarrall <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/12/2003 12:18 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: Cisco ACLs, blocking W32.Blaster.Worm

Hi all - haven't seen anyone mention this in the archives for the last day or so; I hope I'm not rehashing something that's already been discussed.

Our dialup users who have not yet patched their systems with the recent MS security update are now finding that their machines get shut down whenever they connect to the Internet; this makes it somewhat difficult for them to d/l the latest security patch.

Fix I've applied locally has been to add the following to our users file:

DEFAULT Service-Type == Framed-User
        Cisco-AVPair += "ip:inacl#5=deny tcp any any eq 4444",
        Cisco-AVPair += "ip:inacl#10=deny tcp any any eq 135",
        Cisco-AVPair += "ip:inacl#15=deny udp any any eq 69",
        Cisco-AVPair += "ip:inacl#98=permit icmp any any",
        Cisco-AVPair += "ip:inacl#99=permit ip any any",
        Fall-Through = Yes

This probably denies more than is necessary, and I don't have any confirmation yet that it works. If someone more clueful than I in the ways of Cisco ACLs and/or this particular worm can help refine this a bit I'd appreciate it...
just whacked it together in an hour based on stuff found on the net so it may be completely wrong. And if not, maybe the above is a useful starting point for other folks in the same boat as us.

-Robert Tarrall.-
Unix System/Network Admin
E.Central/Neighborhood Link

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
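The two messages above rely on the same mechanism: the NAS assembles a per-user ACL from the `ip:inacl#N=` AV pairs in numeric order (or from the numbered `access-list 199` lines in the order entered), evaluates each packet against the first matching entry, and, as with every Cisco ACL, drops anything that matches no entry (the implicit deny). The following is an added example, not code from either poster or from FreeRADIUS: a small first-match evaluator for the ACL subset used in the thread, which parses both forms, runs constructed sample flows through them, and shows why the trailing `permit ip any any` entry changes the outcome for ordinary traffic. The function and constant names are hypothetical; the entries themselves are copied from the messages.

```python
"""Added example (not from the thread): first-match evaluator for the Cisco
extended-ACL subset used in the messages above.  Parses the users-file form
("ip:inacl#N=<entry>") and the "access-list 199 <entry>" form, then evaluates
constructed sample flows.  Function and constant names are hypothetical."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco port keywords that appear in the thread, mapped to port numbers.
NAMED_PORTS = {"tftp": 69, "netbios-ss": 139}

# Supported entry grammar: <action> <proto> any any [eq <port>] [log]
ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp|icmp)\s+any\s+any"
    r"(?:\s+eq\s+(\S+))?(?:\s+log)?$"
)


@dataclass
class Ace:
    seq: int              # evaluation order: inacl#N, or position in a numbered list
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    dport: Optional[int]  # destination port from "eq", None if unrestricted


def parse_ace(seq: int, text: str) -> Ace:
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported ACL entry: {text!r}")
    action, proto, port = m.groups()
    dport = None
    if port is not None:
        dport = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
    return Ace(seq, action, proto, dport)


def parse_avpairs(values: List[str]) -> List[Ace]:
    """Parse Cisco-AVPair values 'ip:inacl#N=<entry>'; the NAS orders them by N."""
    aces = []
    for v in values:
        m = re.match(r"^ip:inacl#(\d+)=(.+)$", v.strip())
        if not m:
            raise ValueError(f"not an ip:inacl AV pair: {v!r}")
        aces.append(parse_ace(int(m.group(1)), m.group(2)))
    return sorted(aces, key=lambda a: a.seq)


def parse_numbered_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list <n> <entry>' lines; order is the order entered."""
    aces = []
    for i, line in enumerate(lines):
        m = re.match(r"^access-list\s+\d+\s+(.+)$", line.strip())
        if not m:
            raise ValueError(f"not an access-list line: {line!r}")
        aces.append(parse_ace(i, m.group(1)))
    return aces


def evaluate(aces: List[Ace], proto: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; no match at all means the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# AV pair values as posted for the users file (copied from the thread).
INACL_VALUES = [
    "ip:inacl#5=deny tcp any any eq 4444",
    "ip:inacl#10=deny tcp any any eq 135",
    "ip:inacl#15=deny udp any any eq 69",
    "ip:inacl#98=permit icmp any any",
    "ip:inacl#99=permit ip any any",
]

# Numbered list as posted in the reply (copied from the thread).
ACL_199 = [
    "access-list 199 deny udp any any eq tftp log",
    "access-list 199 deny tcp any any eq 135 log",
    "access-list 199 deny udp any any eq 135 log",
    "access-list 199 deny tcp any any eq 139 log",
    "access-list 199 deny udp any any eq netbios-ss log",
    "access-list 199 deny tcp any any eq 445 log",
    "access-list 199 deny udp any any eq 445 log",
    "access-list 199 deny tcp any any eq 4444 log",
    "access-list 199 deny udp any any eq 4444 log",
]

if __name__ == "__main__":
    inacl = parse_avpairs(INACL_VALUES)
    # Constructed sample flows: (protocol, destination port).
    for proto, port in [("tcp", 4444), ("udp", 69), ("tcp", 139), ("tcp", 80), ("icmp", None)]:
        print(f"inacl   {proto}/{port}: {evaluate(inacl, proto, port)}")
    # Same list without #99: the implicit deny now catches ordinary web traffic.
    print("no #99  tcp/80:", evaluate(parse_avpairs(INACL_VALUES[:-1]), "tcp", 80))
    print("acl 199 tcp/80:", evaluate(parse_numbered_acl(ACL_199), "tcp", 80))
```

Running it shows the users-file list denying tcp/4444, tcp/135 and udp/69 while passing tcp/139, tcp/80 and ICMP via entries #98 and #99, and that removing #99 turns tcp/80 into a deny. The numbered list contains only deny entries, so on its own the evaluator reports the implicit deny for tcp/80 as well; a deployed version of it would carry whatever permit entries the interface already needs after the deny lines.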