Hello Emily -

It looks to me like the user definition is incorrect.

It should look like this:

# User entries must have all check items on the first line (no trailing comma)
# and reply items on the second and subsequent lines with leading whitespace

# Default Dial-Up PPP EMAIL ONLY User System Profile

DEFAULT Auth-Type = System, NAS-Port-Type = Async, Group = email
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        cisco-avpair = "lcp:interface-config=ip policy route-map email",
        Filter-Id = "email.sec",
        Port-Limit = 1,
        Idle-Timeout = 1200,
        Session-Timeout = 28800,
        Class = email

If you have any other questions, please send me a copy of your configuration 
file (no secrets) together with a trace 4 debug from Radiator showing what is 
happening.

regards

Hugh


On Wed, 15 May 2002 03:53, [EMAIL PROTECTED] wrote:
> Hey,
>
> We are trying to setup a filter to work with Radius/Ldap to allow for a
> group that has email as the only service!
> This is what we have put together as of now... we have tried it and it does
> not work!!! :(  I have opened 2 tac
> cases with Cisco. Cisco claims that the only possible way to do this is to
> have TACACS and a separate dial
> pool! That would be wasteful of on ips! There has to be a way!! Any
> suggestions???
>
>
> # Default Dial-Up PPP EMAIL ONLY User System Profile
> DEFAULT Auth-Type = System, NAS-Port-Type = Async, Group = email,
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-Address = 255.255.255.254,
> Framed-IP-Netmask = 255.255.255.255,
> cisco-avpair = "lcp:interface-config=ip policy route-map email",
> Filter-Id = "email.sec",
> Port-Limit = 1,
> Idle-Timeout = 1200,
> Session-Timeout = 28800,
> Class = email
>
>
>
> On the RAS BOX
>
> ip policy route-map email
> route-map email permit 10
> match ip address 103
>
> access-list 103 permit tcp any any eq 25
> access-list 103 permit udp any any eq 53
> access-list 103 permit tcp any any eq 110
> access-list 103 permit tcp any any eq 113
> access-list 103 deny any any
>
>
> On PM3
>
>   1 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 25
>   2 permit 0.0.0.0/0 206.40.79.2/32 udp dst eq 53
>   3 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 80
>   4 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 110
>   5 permit 0.0.0.0/0 206.40.79.2/32 tcp src eq 113
>   6 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 443
>   7 permit 0.0.0.0/0 206.40.79.2/32 icmp
>
> add filter email.sec
> set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 25 dst eq 25 estab
> set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 53 dst eq 53 estab
> set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 110 dst eq 110 estab
> set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 113 dst eq 113 estab
> set filter email.sec 1 deny 0.0.0.0/0 0.0.0.0/0 tcp
> set filter email.sec 1 deny 0.0.0.0/0 0.0.0.0/0 udp
>
>
> Let me know what you think!
>
> Thanks,
> Emily Whitworth

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
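
The two layout rules from the reply above (check items on the user line with no trailing comma, reply items indented on the following lines) can be checked mechanically before a users file is loaded. This is an added example, not part of the original message and not Radiator code; the function name `lint_users` and the column-0 heuristic are assumptions of this example, and the two sample entries are abridged from the thread.

```python
import re

# Heuristic (assumption): a column-0 line shaped like "Name = value" is a
# reply item that lost its indentation; a real user line starts "name attr = ...".
LOOKS_LIKE_ITEM = re.compile(r'^[\w-]+\s*=')

# Constructed samples, abridged from the entry as posted and as corrected.
BROKEN = """\
# Default Dial-Up PPP EMAIL ONLY User System Profile
DEFAULT Auth-Type = System, NAS-Port-Type = Async, Group = email,
Service-Type = Framed-User,
cisco-avpair = "lcp:interface-config=ip policy route-map email",
Filter-Id = "email.sec",
Class = email
"""
FIXED = """\
# Default Dial-Up PPP EMAIL ONLY User System Profile
DEFAULT Auth-Type = System, NAS-Port-Type = Async, Group = email
        Service-Type = Framed-User,
        cisco-avpair = "lcp:interface-config=ip policy route-map email",
        Filter-Id = "email.sec",
        Class = email
"""

def lint_users(text):
    """Return a list of (line_number, message) layout findings."""
    findings = []
    seen_user_line = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('#'):
            continue                      # blank lines and comments
        if line[0] in ' \t':              # indented: a reply item
            if not seen_user_line:
                findings.append((n, 'reply item before any user line'))
            continue
        if LOOKS_LIKE_ITEM.match(line):   # reply item at column 0
            findings.append((n, 'reply item without leading whitespace'))
            continue
        seen_user_line = True             # user name plus check items
        if line.endswith(','):
            findings.append((n, 'trailing comma on check-item line'))
    return findings

if __name__ == '__main__':
    for name, sample in (('as posted', BROKEN), ('as corrected', FIXED)):
        print(name, lint_users(sample))
```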
