Re: URGENT-Setting up filters

Kate Murphy ( )
Sun, 13 Apr 1997 09:13:58 -0400

Hi all!

Attached is the email I sent to the mailing list. I am running out of ideas
to solve this.
The main problem is that RadiusNT is not source code and can not be altered
and re-compiled - it comes as a big .exe file with pre-defined files.

Any response would be GREATLY APPRECIATED!!!


>>Date: Fri, 11 Apr 1997 08:19:01 -0400
>>From: Kate Murphy <>
>>Subject: Re: Setting up filters
>>We have RadiusNT running as part of a distributed security solution. The
NAS client on the RadiusNT box) is actually the Central RADIUS server that
receives the intitial authentication requests - examines the realm or domain
name of the user login ( and forwards the request to
the RadiusNT box that has the user files for "" and lists the
Central Radius in the client file as the NAS.
>>The Central RADIUS server is a sparc running another version of RADIUS and
has several Ascend 4000's in the client files as NASs.
>>In the RadiusNT boxes that are set up with users from one or more
domain(realm) names, I would like to set up a filter for when a user dials
into the 1-800 rack, he is disconnected (Central Radius receives a NAK which
goes back to the NAS) - but when they dial into a local NAS - through
Central Radius to the appropriate realm RadiusNT box, they receive an "ACK".
>>I think I can put Framed-Filter=some number and define the filter in the
dictionary file. The question is - should I set up two filters (like in
static routing) like
>>Filter 1 as : nopass (source IP address of 800 rack) (destination IP
address of RadiusNT box)
>or "reject" ....
>or "deny" .....
>or "send Access-reject if NAS Identifier = source IP address of 800 rack
>>Filter 2 as: pass ( (destination IP address of RadiusNT box)
>or "accept"...
>or "permit"...
>or "send Access-accept if NAS Identifier =
>>Would this work? I am not sure what the exact syntax should be on the NT
box - any help would be greatly appreciated!