Title: Message
How-To: Filter Access Based on the Number Called (Called-Station-ID : Attribute Number 30)

Background:

VOP Radius can be configured to use the Called-Station-ID as a Check Item. Administrators can use this feature to Deny or Accept Access from users based on the Network Access Server (NAS) Telephone Number that they called.

Prerequisite:

In order for this to work the NAS needs to send the number within the Called-Station-ID (30) Attribute. You should contact your NAS manufacturer to see if this is possible and how to implement it. You should review the How-To on the Profiles.txt file to make sure that you use the correct syntax ( link to profiles.txt How-To).

Implementation:

  • The easiest way to implement the Called-Station-ID as a check item is to use a Radius Profile.
  • You can use multiple numbers, as long as they are separated by commas.
  • Make sure the whole definition appears between QUOTES.
  • If you wish to prevent access, you must include a '!' character in front of the definition.
  • Important: By default, if a user of this profile doesn't have a CallerID or a DNIS attribute included in the Access Request, he will be denied access. If you wish to grant access in those cases, just put a star '*' character at the beginning of the definition (prior to the '!' or any numbers).
  • Important: The value for this attribute can NOT exceed 230 characters, nor can you get around this limitation by creating two instances of the Attribute. If this will be a problem, then please see below for another method of using the Called-Station-ID.

Examples:

#This one allows access to all except if the Called-Station-ID is "2223333333" or "4445555555"
#A '*' is used in front of the string to tell VOP Radius to NOT reject if the Called-Station-ID is not sent

Profile = ""
Called-Station-ID = "*!2223333333, 4445555555"

#This one denies access if the Called-Station-ID is "1112223333" or "2223334444"
#As well, if the Called-Station-ID attribute is not sent, then an Access Reject will result

Profile = ""
Called-Station-ID = "!1112223333, 2223334444"

Troubleshooting:

The following are some common problems and answers you might run into:

"I created the Profile with the Called-Station-ID Attribute to reject a few numbers, but now all my users are getting rejected?"

Answer:
Verify in the Error Log that the Called-Station-ID Attribute is being received. Unless you specified a * star in the profile string, any Access Request without the Called-Station-ID Attribute will result in an Access Reject.

"I entered the phone numbers to reject in the Profile, but it is not working?"

Answer:
Be very careful how you are entering the phone numbers. VOP Radius tries to match the value of the Called-Station-ID in the Access Request with that in the Profile. A value of "5554443333" does NOT equal "555-444-3333" !

"I have way too many numbers to enter! There must be a better way?"

Answer:
Yes there is probably a better way. You might want to use another attribute (e.g. NAS-IP-Address or Source IP). Or if it is absolutely necessary that you base the filtering on the Called-Station-ID Attribute and the value of the line will exceed 230 characters, then you should use our VPRHook.dll feature.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Carr
Sent: Thursday, November 18, 2004 1:58 PM
To: [EMAIL PROTECTED]
Subject: [VOPRadius] blocking dialup number

What I am trying to do is keep our customers from dialing our wholesale numbers where we have physical numbers ourselves, so I need to block by DNIS. Guess I could just route based on DNIS to another database and deny all. Might try that if there isn't a more sane way.
 
 
 
 
Gary
 
 

Hello Gary,
 
 
I am not sure of what you intend to do, but you may want to look whether the VOP radius CallerID Verification feature fits your needs:
 
" CallerID File (CallerID.txt)
 
CallerID verification file used with the CallerID verification options.  The file must contain only one PhoneNumber on each line, and they must begin the line.  Comments can be inserted on a line, by putting a '#' character as the first character of the line.  You can also put command words like "REJECT" or "ACCEPT" or "ACCEPT ALL".
 
The format of the CallerID file is as follows:
 
REJECT
 
List of Phone Numbers (only one per line)
 
ACCEPT
 
List Phone Numbers (only one per line)
 
[ACCEPT ALL] 
 
If the string ACCEPT ALL is present in this file, then any phone numbers not listed would continue through normal authentication procedures, otherwise they would be rejected (if ACCEPT ALL would not be defined). "
 
 
 
 
Sylvain Savignac, P. Eng.
 
Development Lead
RADIUS Development Unit
Vircom Inc.
 
2055, Peel St, suite 200
Montréal (Québec) Canada H3A 1V4
Phone: 514-845-1666 ext. 266
Fax: 514-845-6922
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Carr
Sent: November 18, 2004 2:26 PM
To: [EMAIL PROTECTED]
Subject: [VOPRadius] blocking dialup number

Anyone know of a radius attribute or any other way to deny a specific dialup number to a sub?
 
 
 
 
Thanks,
 
 
 
Gary
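
Added example (not part of the original messages and not Vircom's code): a Python model of the Called-Station-ID check-item rules from the How-To at the top of this message, useful for testing a definition string before putting it in a profile. The function names are hypothetical, and two points are assumptions: a definition without '!' is treated as an allow-list, and dialed numbers are expected to be digits only.

```python
MAX_LEN = 230  # length limit stated in the How-To


def parse_definition(definition):
    """Split a check-item string into (allow_missing, deny, numbers)."""
    if len(definition) > MAX_LEN:
        raise ValueError(f"definition is {len(definition)} chars; limit is {MAX_LEN}")
    rest = definition.strip()
    allow_missing = rest.startswith("*")  # '*' comes first, before '!' or any number
    if allow_missing:
        rest = rest[1:]
    deny = rest.startswith("!")           # '!' turns the list into a deny list
    if deny:
        rest = rest[1:]
    numbers = [n.strip() for n in rest.split(",") if n.strip()]
    return allow_missing, deny, numbers


def evaluate(definition, called_station_id):
    """Return 'accept' or 'reject' for one Access-Request.

    called_station_id is None when the NAS did not send attribute 30.
    'accept' means the check item passes, not that authentication succeeded.
    """
    allow_missing, deny, numbers = parse_definition(definition)
    if called_station_id is None:
        return "accept" if allow_missing else "reject"
    listed = called_station_id in numbers  # exact string match, no normalisation
    if deny:
        return "reject" if listed else "accept"
    return "accept" if listed else "reject"  # assumption: no '!' means allow-list


def lint(definition):
    """List entries that can never match a digits-only number (assumed format)."""
    _, _, numbers = parse_definition(definition)
    return [n for n in numbers if not n.isdigit()]


if __name__ == "__main__":
    # Constructed sample requests against the How-To's deny-list definition.
    profile = "!1112223333, 2223334444"
    for dnis in ("1112223333", "9998887777", None):
        print(repr(dnis), "->", evaluate(profile, dnis))
    # A hyphenated entry never matches, so the number it was meant to block gets in.
    print(lint("!555-444-3333, 2223334444"), evaluate("!555-444-3333", "5554443333"))
```
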
 
