Re: Duplicate Attributes
On Wed, 7 May 2003 gshumway@cityextreme.com wrote:
> Thanks but now you got me worried about the cisco-avpairs.
Good :-)
> I am using them to store ACLs. I am getting my radiator
> radius server to grab them and send them back to the NAS
> which seems to work fine. If I simply add multiple avpairs
> into the one attribute the NAS only gets the last one..
What I'm saying is that multi-valued attributes are not guaranteed
to be returned in any particular order by the LDAP server, but
Cisco ACLs are order-dependent.
Say you have:
cisco-avpair: deny evil-subnet
cisco-avpair: permit friendly-net
(where evil-subnet is a subnet of friendly-net) then they are likely to
be returned in the opposite order, thereby granting access to evil-subnet.
And if you want to add a new ACL, you have to add all of them in one
go (and you'll still have the above problem).
--
Dave Horsfall DTM VK2KFU daveh@ci.com.au Ph: +61 2 9906-7866 Fx: 9906-1556
Corinthian Engineering, Level 1, 401 Pacific Hwy, Artarmon, NSW 2064, Australia
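As an added illustration of the ordering problem described above (this is example code, not from the original thread or from Radiator): a first-match evaluator over the two cisco-avpair values, showing that the reversed order admits a host on evil-subnet, plus one way to make the order explicit. The subnet values and the "sequence-number prefix" storage convention are assumptions for the example, not anything the post specifies.

```python
import ipaddress
from itertools import permutations

# Constructed sample values modelled on the post's two cisco-avpair
# entries; evil-subnet is assumed to be 10.1.2.0/24, a subnet of the
# assumed friendly-net 10.1.0.0/16.
AVPAIRS_INTENDED = ["deny 10.1.2.0/24", "permit 10.1.0.0/16"]


def parse_avpair(value):
    """Split 'deny 10.1.2.0/24' into ('deny', IPv4Network)."""
    action, net = value.split()
    return action, ipaddress.ip_network(net)


def acl_decision(avpairs, addr, default="deny"):
    """First-match evaluation, the way an ordered Cisco ACL behaves:
    the first entry whose network contains addr decides the outcome."""
    ip = ipaddress.ip_address(addr)
    for value in avpairs:
        action, net = parse_avpair(value)
        if ip in net:
            return action
    return default


def order_sensitive(avpairs, addr):
    """True if any permutation of the entries changes the decision for
    addr, i.e. the ACL cannot safely be stored as an unordered set."""
    decisions = {acl_decision(list(p), addr) for p in permutations(avpairs)}
    return len(decisions) > 1


def ordered_from_ldap(values):
    """Assumed mitigation: store each value as '<seq>:<rule>' in LDAP and
    have the RADIUS server sort on seq before emitting, so the order sent
    to the NAS no longer depends on what the LDAP server returns."""
    indexed = []
    for v in values:
        seq, _, rule = v.partition(":")
        indexed.append((int(seq), rule))
    return [rule for _, rule in sorted(indexed)]
```

The permutation check is only practical for short ACLs, but that is exactly the case where a silently reordered list is easiest to miss.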