Hello Emily -
It looks to me like the user definition is incorrect. It should look like this:

# User entries must have all check items on the first line (no trailing comma)
# and reply items on the second and subsequent lines with leading whitespace

# Default Dial-Up PPP EMAIL ONLY User System Profile
DEFAULT Auth-Type = System, NAS-Port-Type = Async, Group = email
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        cisco-avpair = "lcp:interface-config=ip policy route-map email",
        Filter-Id = "email.sec",
        Port-Limit = 1,
        Idle-Timeout = 1200,
        Session-Timeout = 28800,
        Class = email

If you have any other questions, please send me a copy of your configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.

regards

Hugh

On Wed, 15 May 2002 03:53, [EMAIL PROTECTED] wrote:
> Hey,
>
> We are trying to setup a filter to work with Radius/Ldap to allow for a
> group that has email as the only service!
> This is what we have put together as of now... we have tried it and it does
> not work!!! :( I have opened 2 tac
> cases with Cisco. Cisco claims that the only possible way to do this is to
> have TACACS and a separate dial
> pool! That would be wasteful of on ips! There has to be a way!! Any
> suggestions???
>
>
> # Default Dial-Up PPP EMAIL ONLY User System Profile
> DEFAULT Auth-Type = System, NAS-Port-Type = Async, Group = email,
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-Address = 255.255.255.254,
> Framed-IP-Netmask = 255.255.255.255,
> cisco-avpair = "lcp:interface-config=ip policy route-map email",
> Filter-Id = "email.sec",
> Port-Limit = 1,
> Idle-Timeout = 1200,
> Session-Timeout = 28800,
> Class = email
>
>
>
> On the RAS BOX
>
> ip policy route-map email
> route-map email permit 10
> match ip address 103
>
> access-list 103 permit tcp any any eq 25
> access-list 103 permit udp any any eq 53
> access-list 103 permit tcp any any eq 110
> access-list 103 permit tcp any any eq 113
> access-list 103 deny any any
>
>
> On PM3
>
> 1 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 25
> 2 permit 0.0.0.0/0 206.40.79.2/32 udp dst eq 53
> 3 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 80
> 4 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 110
> 5 permit 0.0.0.0/0 206.40.79.2/32 tcp src eq 113
> 6 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 443
> 7 permit 0.0.0.0/0 206.40.79.2/32 icmp
>
> add filter email.sec
> set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 25 dst eq 25 estab
> set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 53 dst eq 53 estab
> set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 110 dst eq 110 estab
> set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 113 dst eq 113 estab
> set filter email.sec 1 deny 0.0.0.0/0 0.0.0.0/0 tcp
> set filter email.sec 1 deny 0.0.0.0/0 0.0.0.0/0 udp
>
>
> Let me know what you think!
>
> Thanks,
> Emily Whitworth

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
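
A small check for the layout rule given in the reply above, as an added example that is not part of the original thread and not Radiator code: it flags a check-item line that ends in a comma and attribute lines that start in column 0. The column-0 test is a heuristic assumption (a line of the form "Attr = value"), and the two sample entries are constructed, shortened versions of the ones in the thread.

```python
import re

# Constructed sample: layout as originally posted (trailing comma on the
# check-item line, reply items starting in column 0).
BROKEN = """\
# Default Dial-Up PPP EMAIL ONLY User System Profile
DEFAULT Auth-Type = System, NAS-Port-Type = Async, Group = email,
Service-Type = Framed-User,
Filter-Id = "email.sec",
Class = email
"""

# Constructed sample: layout as given in the reply.
FIXED = """\
DEFAULT Auth-Type = System, NAS-Port-Type = Async, Group = email
        Service-Type = Framed-User,
        Filter-Id = "email.sec",
        Class = email
"""

# Heuristic (assumption): a column-0 line shaped like "Attr = value" is a
# reply item that lost its indentation, not a new user name.
ATTR_AT_COL0 = re.compile(r"^[A-Za-z][\w-]*\s*=")

def lint_users(text):
    """Return [(line_number, message)] for layout problems in a users file."""
    findings = []
    in_entry = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0] in " \t":  # indented: reply item of the current entry
            if not in_entry:
                findings.append((n, "reply item before any user entry"))
            continue
        if ATTR_AT_COL0.match(line):
            findings.append((n, "reply item lacks leading whitespace"))
            continue
        in_entry = True  # user name followed by check items
        if line.endswith(","):
            findings.append((n, "trailing comma on check-item line"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_users(BROKEN):
        print(f"line {n}: {msg}")
```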